Oauth api protection has been a hot topic at work, I wanted to make sure I had a firm understanding over and above google.
You can download the demo application I created based on blog from
I’ve converted the original application to use CXF, as well as using Jetty and some more visual demos. It provides some integration tests to show a CXF client
- getting a code that has scope to call 2 out of the apis.
- getting an access_token with scope to call 1 api
- getting an access_token with scope to call all 2 out of the 3 apis
- calling the api’s with access_token
to run the integration tests issue maven command
mvn clean package jetty:run
then visit http://127.0.0.1:8080/application
The HTML is simply something to show a possible flow with oauth2. It isn’t secure, this is a demo
The page “http://127.0.0.1:8080/application”
is a fictitious 3rd party who wants to access some API’s you provide to customers.
Click on the top bar “Authorise” and it will redirect the browser to the API authentication page. Here the customer would grant the 3rd party access to some or all of the resources.
if this was a full application the customer would have authenticated with username/password onto API provider website.
From the 3 check boxes select an API. I picked 2
when i tried to call API 1 it denied the request. But when I tried API 2 I was permitted to call the API
Of course as it’s oauth access_token the token will expire. In the case of the demo it is 30 seconds.
The 3rd party has been granted by the customer long term (well 60 seconds for this demo) to some of a customers resources. The access_token is a temporary token to get access to one or more of these resources.
I see its use as
3rd party must be given a client_id and client_secret by API provider or they can do nothing. If this is revoked 3rd party can do nothing.
3rd party must be granted by the customer of the API specific access to their API’s, these may provide personal data or allow an action to be performed on behalf of the customer. Something that would be done infrequently.
3rd party gets an access_token to provide day to day calls to the APIs.