OAuth 2.0 overview

In API Gateway’s OAuth 2.0 implementation, Akamai acts as an authorization server. It ensures the proper authorization of external web or mobile client apps that request resources from your registered APIs. The Authorization Server also interacts with identity providers (IdPs) that you register with Akamai to verify resource owners’ identity.

Process

The full authorization process differs depending on the OAuth flow that a client app uses to access protected resources on a resource server. The implicit grant and authorization code grant flows are relatively complex and consist of two major steps. First, Akamai integrates with the IdPs that you register to ensure the proper identification of external client apps’ users. Then, these users, known as resource owners in the OAuth context, authorize client apps to access their data.

The third available flow, client credentials, is much simpler and lets trusted client apps request an access token directly from the Authorization Server and use the token to access protected resources.
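The client credentials exchange described above, sketched as an added example that is not Akamai's own code: it builds the token request, validates the Authorization Server's reply, and forms the header sent to the resource server. The message shapes follow the generic RFC 6749 section 4.4 flow; the endpoint URL, client credentials, scope names, and sample replies are placeholders constructed for illustration, since this page does not document them.

```python
import base64
import json
import time
from urllib.parse import quote_plus, urlencode

TOKEN_ENDPOINT = "https://auth.example.com/oauth/token"  # placeholder, not from the page

def build_token_request(client_id, client_secret, scopes):
    """Client app -> authorization server: RFC 6749 section 4.4.2 token request."""
    creds = f"{quote_plus(client_id)}:{quote_plus(client_secret)}".encode()
    return {
        "method": "POST",
        "url": TOKEN_ENDPOINT,
        "headers": {
            "Authorization": "Basic " + base64.b64encode(creds).decode(),
            "Content-Type": "application/x-www-form-urlencoded",
        },
        "body": urlencode({"grant_type": "client_credentials", "scope": " ".join(scopes)}),
    }

def parse_token_response(status, body, requested_scopes, now=None):
    """Authorization server -> client app: validate the reply before using the token."""
    data = json.loads(body)
    if status != 200:
        raise PermissionError(data.get("error", "unknown_error"))
    if str(data.get("token_type", "")).lower() != "bearer" or not data.get("access_token"):
        raise ValueError("not a usable bearer token response")
    # If "scope" is omitted, the grant equals what was requested (RFC 6749 section 5.1).
    granted = set(data.get("scope", " ".join(requested_scopes)).split())
    # Defensive client-side choice: refuse tokens broader than what was asked for.
    if not granted <= set(requested_scopes):
        raise ValueError("granted scope exceeds requested scope")
    now = time.time() if now is None else now
    ttl = data.get("expires_in")  # optional in the RFC, so it may be absent
    return {
        "access_token": data["access_token"],
        "scopes": granted,
        "expires_at": None if ttl is None else now + int(ttl),
    }

def resource_request_headers(token):
    """Client app -> resource server: present the token as an RFC 6750 Bearer header."""
    return {"Authorization": "Bearer " + token["access_token"]}

# Constructed sample replies, not captured from any real server.
SAMPLE_OK = ('{"access_token": "SAMPLE-TOKEN", "token_type": "Bearer", '
             '"expires_in": 3600, "scope": "orders.read"}')
SAMPLE_ERR = '{"error": "invalid_client"}'
```

Because no resource owner takes part in this flow, the client secret is the only credential protecting the token request, so it belongs in a secrets store rather than in app source or a distributed binary.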

See the following sections to learn about each flow’s use case, typical Authorization Server response, and a detailed overview of the authorization process:

Benefits

The Authorization Server provides the following benefits:
  • You don’t have to set up your own OAuth 2.0 provider to authorize client apps.
  • You can define the scopes that determine how client apps can access your API resources.
  • You don’t share usernames or passwords with client apps, which makes your resource server less vulnerable to security threats.
  • You can easily revoke an individual client app’s access at any time.

Actors

To fully understand Akamai’s OAuth 2.0 implementation, ensure that you are familiar with how the traditional OAuth 2.0 roles correspond to the parties involved in API traffic at Akamai.
Resource owner
A user that intends to use a client app and whose data you store in your API in the form of API resources. As an API publisher, you control which client apps can access the resources and which IdPs can verify the identity of resource owners.
Resource server
The origin server that hosts your APIs.
Client app
A third-party mobile or web application that consumes resources within your API.
Authorization server
The Akamai Authorization Server, which integrates with IdPs to verify resource owners’ identity and provides access tokens and refresh tokens to client apps.
Identity provider
An entity that stores resource owners’ information and verifies their identity. Based on IdP-issued authorization grants, the Authorization Server creates access tokens and refresh tokens.