OAuth 2.0 with IBM WebSphere DataPower

Quick summary of the OAuth support provided by IBM WebSphere DataPower


  1. OAuth 2.0
     - Client type (application type): Confidential, Public
     - Grant type (handshake/dance): authorization code, implicit grant, client credential, resource owner password
     - Token: Bearer (self-contained)
     - Extension/Customization: added values
     OAuth allows you to share your resources with a third-party application without sharing your credentials with that application.
     Authorization Code Grant Type
  2. Authorization Endpoint: obtain authorization/consent from the end user. Token Endpoint: exchange a temporary authorization for the actual access permission (in the form of an access_token). (Diagram labels: Authorization Endpoint, Token Endpoint, DataPower Enforcement for Resource Server)
  3. Authorization Code
  4. OAuth 2.0 – Authorization Code: Alice launches an application. (Diagram: Resource Owner (Alice), authz, token, DataPower, resource)
  5. OAuth 2.0 – Authorization Code: HTTP 302. Alice is redirected to an OAuth authorization server, so the user can grant access to the application.
  6. OAuth 2.0 – Authorization Code: HTTP 302. A temporary code is issued to the application.
  7. OAuth 2.0 – Authorization Code: HTTP Authorization: Basic client_id:client_secret. The application exchanges the temporary code for access permission.
  8. OAuth 2.0 – Authorization Code: access the resource with the access_token.
  9. Implicit
  10. OAuth 2.0 – Implicit: Alice launches an application. (Diagram: Resource Owner (Alice), authz, DataPower, resource)
  11. OAuth 2.0 – Implicit: HTTP 302. Alice is redirected to an OAuth authorization server, so the user can grant access to the application.
  12. OAuth 2.0 – Implicit: HTTP 200. The access_token is returned.
  13. OAuth 2.0 – Implicit: access the resource. (Diagram: Resource Owner (Alice), authz, DataPower, resource)
  14. Resource Owner
  15. OAuth 2.0 – Resource Owner: request with Authorization: Basic client_id:client_secret plus username & password; response access_token=xxxx. (Diagram: Resource Owner (Alice), authz, DataPower, resource)
  16. OAuth 2.0 – Resource Owner: access the resource with access_token=xxxx.
  17. Client Credentials
  18. OAuth 2.0 – Client Credentials: request with Authorization: Basic client_id:client_secret; response access_token=xxxx. (Diagram: Resource Owner (Alice), authz, DataPower, resource)
  19. OAuth 2.0 – Client Credentials: access the resource with access_token=xxxx.
  20. Customization
     - 3 DataPower grant types: Validation grant: urn:ibm:datapower:validate; Client Revoke Access grant: urn:ibm:datapower:client:revoke; Resource Owner Revoke Access grant: urn:ibm:owner:revoke
     - Extensibility through different "plug points" during the OAuth handshake/dance; this provides customization of the behavior of OAuth
  21. Use cases
  22. Use case 1: DataPower as Resource Server and DataPower as Authorization Server; access resources with access_token.
  23. Use case 2 (in addition to use case 1): DataPower as Resource Server with another Authorization Server (IBM TFIM, Ping Federation, ?); access resources with access_token.
  24. Use case 3 (in addition to use cases 1 and 2): DataPower as PEP (policy enforcement point) in front of the Resource Server, with an Authorization Server; access resources with access_token.
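The authorization code dance on slides 4 to 8, and the HTTP Basic client_id:client_secret authentication at the token endpoint that slides 7, 15 and 18 all rely on, written out as an added, self-contained simulation (not code from the deck and not DataPower's implementation). Both sides run in one Python process: an authorization server with an authorize and a token endpoint, and a resource server that enforces the Bearer token the way the DataPower box does on slide 8. The client id `app123`, its secret, the redirect URI and the user name `alice` are constructed values; the checks shown (exact redirect_uri match, state echoed back, single-use code, Basic credentials compared in constant time) are the ones the grant depends on, not DataPower-specific behavior.

```python
"""Constructed walkthrough of the OAuth 2.0 authorization code grant (slides 4-8).
Both sides are simulated in-process; there is no network and no DataPower here."""
import base64
import hmac
import secrets
import urllib.parse

# Constructed client registration (placeholder credentials, not real ones).
CLIENTS = {"app123": {"secret": "s3cret", "redirect_uri": "https://app.example/cb"}}


class AuthorizationServer:
    """Minimal authorization endpoint + token endpoint (the 'authz'/'token' boxes)."""

    def __init__(self):
        self.codes = {}   # code -> (client_id, redirect_uri, resource_owner)
        self.tokens = {}  # access_token -> (client_id, resource_owner)

    def authorize(self, query, resource_owner):
        """Slides 5-6: user consents, a temporary code is sent back via HTTP 302."""
        params = dict(urllib.parse.parse_qsl(query))
        client = CLIENTS.get(params.get("client_id"))
        if client is None or params.get("response_type") != "code":
            raise ValueError("invalid_request")
        # Only the registered redirect_uri may receive the code (exact match).
        if params.get("redirect_uri") != client["redirect_uri"]:
            raise ValueError("invalid_redirect_uri")
        code = secrets.token_urlsafe(24)
        self.codes[code] = (params["client_id"], params["redirect_uri"], resource_owner)
        redirect = {"code": code}
        if "state" in params:
            redirect["state"] = params["state"]  # echoed so the client can bind the reply
        return client["redirect_uri"] + "?" + urllib.parse.urlencode(redirect)

    def token(self, headers, form):
        """Slide 7: client authenticates with Basic client_id:client_secret, swaps code."""
        scheme, _, cred = headers.get("Authorization", "").partition(" ")
        if scheme != "Basic":
            raise ValueError("invalid_client")
        client_id, _, client_secret = base64.b64decode(cred).decode().partition(":")
        client = CLIENTS.get(client_id)
        if client is None or not hmac.compare_digest(client_secret, client["secret"]):
            raise ValueError("invalid_client")
        params = dict(urllib.parse.parse_qsl(form))
        if params.get("grant_type") != "authorization_code":
            raise ValueError("unsupported_grant_type")
        entry = self.codes.pop(params.get("code"), None)  # pop: a code is single-use
        if entry is None or entry[0] != client_id or entry[1] != params.get("redirect_uri"):
            raise ValueError("invalid_grant")
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (client_id, entry[2])
        return {"access_token": token, "token_type": "Bearer"}

    def validate(self, token):
        return self.tokens.get(token)


class ResourceServer:
    """Enforcement point in front of the resource (the role DataPower plays on slide 8)."""

    def __init__(self, authz):
        self.authz = authz

    def get(self, headers):
        scheme, _, token = headers.get("Authorization", "").partition(" ")
        if scheme != "Bearer":
            return 401, {"WWW-Authenticate": "Bearer"}, None
        info = self.authz.validate(token)
        if info is None:
            return 401, {"WWW-Authenticate": 'Bearer error="invalid_token"'}, None
        return 200, {}, "resource of %s via %s" % (info[1], info[0])


def run_authorization_code_flow():
    """Drive slides 5, 7 and 8 end to end; also show that a replayed code is refused."""
    authz = AuthorizationServer()
    rs = ResourceServer(authz)
    state = secrets.token_urlsafe(8)
    # Slide 5: Alice is redirected to the authorization server.
    query = urllib.parse.urlencode({"response_type": "code", "client_id": "app123",
                                    "redirect_uri": "https://app.example/cb", "state": state})
    redirect = authz.authorize(query, resource_owner="alice")
    cb = dict(urllib.parse.parse_qsl(urllib.parse.urlsplit(redirect).query))
    if cb.get("state") != state:
        raise ValueError("state mismatch: response not bound to our request")
    # Slide 7: exchange the temporary code for an access token.
    basic = base64.b64encode(b"app123:s3cret").decode()
    form = urllib.parse.urlencode({"grant_type": "authorization_code", "code": cb["code"],
                                   "redirect_uri": "https://app.example/cb"})
    tok = authz.token({"Authorization": "Basic " + basic}, form)
    # Slide 8: access the resource with the access_token.
    status, _, body = rs.get({"Authorization": "Bearer " + tok["access_token"]})
    # Replaying the same code must fail with invalid_grant.
    try:
        authz.token({"Authorization": "Basic " + basic}, form)
        replay_rejected = False
    except ValueError as err:
        replay_rejected = str(err) == "invalid_grant"
    return status, body, replay_rejected


if __name__ == "__main__":
    print(run_authorization_code_flow())
```

The resource server never sees client_id:client_secret; it only validates the bearer token against the authorization server, which is why DataPower can sit in front of the resource as an enforcement point while the authorization server is either DataPower itself or a third party, as the use-case slides describe.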
