OAuth 2.0 (beta)
OAuth 2.0 is an open standard (RFC 6749) for enabling third-party client
apps to access a user’s protected resources residing on a resource server. You can implement
OAuth 2.0 in your system and let Akamai act as an authorization server that authorizes
client apps to access your API content.
OAuth 2.0 overview

In API Gateway's OAuth 2.0 implementation, Akamai acts as an authorization server. It ensures the proper authorization of external web or mobile client apps that request resources from your registered APIs. The Authorization Server also interacts with identity providers (IdPs) that you register with Akamai to verify resource owners' identity.

OAuth 2.0 endpoints

The Authorization Server provides a set of endpoints that client apps can use for different operations during the OAuth flows. An authorization endpoint lets client apps initialize an OAuth flow. A token endpoint facilitates an exchange of an authorization code for access and refresh tokens. A revocation endpoint provides a way to revoke a refresh token.

OAuth 2.0 tokens

In OAuth 2.0, the Authorization Server issues access tokens to client apps that want to access resources in your registered APIs. In the authorization code grant flow, the Authorization Server's response for each access token also includes a refresh token that client apps use to generate new access tokens.

Supported OAuth 2.0 flows

The Authorization Server supports three authorization grant flows for client apps requesting a token: an implicit grant flow, an authorization code grant flow, and a client credentials flow. You can associate a client app with each of these flows in the Client apps section of OAuth Management.

Set up OAuth 2.0

To successfully set up OAuth 2.0 in your system, you need to configure scopes to allow client apps access to your resource server, register at least one identity provider that stores resource owners' credentials, and register client apps. To ensure that the setup is correct, complete it in the recommended order outlined below.

OAuth 2.0 scopes

OAuth scopes specify the extent of an access token's usefulness by providing a way to limit its access level. A scope defines what an access token can do and what resources it can access.

Identity provider management

On the Identity providers tab in OAuth Management, you register identity providers (IdPs) with Akamai so that the Authorization Server can integrate with these IdPs to verify the identity of client apps' users. You can register OpenID Connect-compliant providers, OAuth 2.0-compliant providers, and providers compliant with both of these standards. Before you engage in the IdP registration process, you should provide the details about the Authorization Server to the IdP that you intend to register.

Client app management

On the Client apps tab in OAuth Management, you enter details of client apps that you want to have access to your registered APIs. After you enter client app details, the Authorization Server generates a client ID and client secret. Whenever a client app makes a request to a resource within your registered APIs, the Authorization Server validates that request against the information present in OAuth Management. If any of the details, such as client ID, client secret, or redirect URI, does not match in an inbound request, the Authorization Server rejects the request.
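To make the checks described in the endpoints, tokens, scopes and client app sections concrete, here is an added Python model of an authorization server. It is a constructed illustration, not Akamai's or API Gateway's code: the client registry, client IDs, secrets, redirect URIs and scope names are all made up. It shows the authorization endpoint comparing the redirect URI exactly against the registered value and rejecting scopes the client was not granted, the token endpoint treating authorization codes as short-lived and single-use and rotating refresh tokens, the revocation endpoint invalidating a refresh token together with the access tokens derived from it, and the access check the gateway would run before forwarding a request.

```python
"""Toy OAuth 2.0 authorization server (authorization code, refresh and client
credentials grants). Constructed example; not Akamai's implementation."""
import secrets
import time

# Constructed client registry: the details OAuth Management would hold per client app.
CLIENTS = {
    "app-123": {                                  # web/mobile app using authorization code
        "secret": "s3cr3t-example",               # constructed value
        "redirect_uris": {"https://app.example.com/cb"},
        "scopes": {"orders:read", "orders:write"},
        "grants": {"authorization_code"},
    },
    "svc-456": {                                  # backend service using client credentials
        "secret": "svc-secret-example",           # constructed value
        "redirect_uris": set(),
        "scopes": {"orders:read"},
        "grants": {"client_credentials"},
    },
}
CODE_TTL = 60        # authorization codes are short-lived and single-use
ACCESS_TTL = 3600    # access token lifetime in seconds


class OAuthError(Exception):
    """Carries an RFC 6749 error code such as invalid_client or invalid_grant."""


class AuthorizationServer:
    def __init__(self):
        self.codes = {}           # code -> {client_id, redirect_uri, scopes, user, expires}
        self.access_tokens = {}   # access token -> {client_id, scopes, expires, refresh}
        self.refresh_tokens = {}  # refresh token -> {client_id, scopes, user}

    def _client(self, client_id, client_secret=None):
        client = CLIENTS.get(client_id)
        if client is None:
            raise OAuthError("invalid_client")
        # Constant-time comparison of the client secret when one is presented.
        if client_secret is not None and not secrets.compare_digest(client_secret, client["secret"]):
            raise OAuthError("invalid_client")
        return client

    def _check_scopes(self, client, requested):
        requested = set(requested)
        if not requested <= client["scopes"]:      # no scope beyond what was configured
            raise OAuthError("invalid_scope")
        return requested

    # Authorization endpoint: called once the IdP has authenticated the resource owner.
    def authorize(self, client_id, redirect_uri, scopes, user, now=None):
        now = time.time() if now is None else now
        client = self._client(client_id)
        if "authorization_code" not in client["grants"]:
            raise OAuthError("unauthorized_client")
        if redirect_uri not in client["redirect_uris"]:   # exact match, no prefix/wildcard
            raise OAuthError("invalid_request")
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri, "user": user,
                            "scopes": self._check_scopes(client, scopes), "expires": now + CODE_TTL}
        return code

    # Token endpoint: exchanges a code or refresh token, or authenticates a service client.
    def token(self, grant_type, client_id, client_secret, now=None, **params):
        now = time.time() if now is None else now
        client = self._client(client_id, client_secret)
        if grant_type == "authorization_code":
            if grant_type not in client["grants"]:
                raise OAuthError("unauthorized_client")
            entry = self.codes.pop(params.get("code"), None)          # single use
            if (entry is None or entry["client_id"] != client_id or entry["expires"] < now
                    or entry["redirect_uri"] != params.get("redirect_uri")):
                raise OAuthError("invalid_grant")
            return self._issue(client_id, entry["scopes"], now, with_refresh=True)
        if grant_type == "refresh_token":
            entry = self.refresh_tokens.pop(params.get("refresh_token"), None)   # rotate
            if entry is None or entry["client_id"] != client_id:
                raise OAuthError("invalid_grant")
            return self._issue(client_id, entry["scopes"], now, with_refresh=True)
        if grant_type == "client_credentials" and grant_type in client["grants"]:
            scopes = self._check_scopes(client, params.get("scope", "").split())
            return self._issue(client_id, scopes, now, with_refresh=False)
        raise OAuthError("unsupported_grant_type")

    def _issue(self, client_id, scopes, now, with_refresh):
        access = secrets.token_urlsafe(32)
        resp = {"access_token": access, "token_type": "Bearer",
                "expires_in": ACCESS_TTL, "scope": " ".join(sorted(scopes))}
        self.access_tokens[access] = {"client_id": client_id, "scopes": set(scopes),
                                      "expires": now + ACCESS_TTL, "refresh": None}
        if with_refresh:                                   # only user-delegated grants get one
            refresh = secrets.token_urlsafe(32)
            self.refresh_tokens[refresh] = {"client_id": client_id, "scopes": set(scopes)}
            self.access_tokens[access]["refresh"] = refresh
            resp["refresh_token"] = refresh
        return resp

    # Revocation endpoint: revokes a refresh token and the access tokens issued with it.
    def revoke(self, client_id, client_secret, refresh_token):
        self._client(client_id, client_secret)
        entry = self.refresh_tokens.get(refresh_token)
        if entry is None or entry["client_id"] != client_id:
            return False
        del self.refresh_tokens[refresh_token]
        for tok in [t for t, v in self.access_tokens.items() if v["refresh"] == refresh_token]:
            del self.access_tokens[tok]
        return True

    # Check run before forwarding an API request to the resource server.
    def allows(self, access_token, required_scope, now=None):
        now = time.time() if now is None else now
        entry = self.access_tokens.get(access_token)
        return entry is not None and entry["expires"] > now and required_scope in entry["scopes"]
```

The `now` parameter exists only so the example can be exercised deterministically; a real deployment would also bind codes to a PKCE verifier and persist token state outside the process.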