In the pursuit of growing digitally, enterprises continually acquire a number of systems and applications and deploy them over different environments—on-premise and cloud—for the sake of manageability.
The rapid growth of APIs has played a significant role in digital transformation initiatives of various enterprises. With changing trends, it has become a challenge for the organizations to protect the APIs using the traditional authentication mechanisms and there is a need for APIs to be more secure and reliable.
The OAuth 2.0 mechanism provides robust security and ensures that the APIs are protected from vulnerabilities and malicious threats. The framework essentially relies on ‘bearer’ tokens and introduces an additional authorization layer and separate the role of the client from that of the resource owner to address the bottlenecks with the basic authentication approach. The mechanism makes provision for delegated authorization, by virtue of which a resource owner’s consent will allow a third-party application to access a resource owned by the user, without the explicit need to share user credentials.
The third-party client application possessing a valid token can have limited access to server resources as defined in the scope, while administrators can set the validity time for those tokens or even revoke them. OAuth tokens can also be alternatively used as static API keys in conjunction with the IP address restriction to authorize the access to an API in a standard client-server communication.
This whitepaper covers OAuth 2.0 implementation using Software AG Integration Server 10.1 and covers the following concepts:
1. Client registration
2. Scope creation and association with clients
3. Redirect URI implementation and token generation
4. OAuth tokens for delegated authorization and as API keys
5. Refreshing and revoking tokens