oauth

OAuth API protection has been a hot topic at work, and I wanted to make sure I had a firm understanding over and above a quick Google search.

I found this excellent blog, steeplesoft, and had a play with the sample code. It is based on Apache Oltu.

You can download the demo application I created based on that blog from

https://github.com/bernardjason/playing-with-oauth2.git

I’ve converted the original application to use CXF, as well as Jetty and some more visual demos. It provides some integration tests to show a CXF client:

  • getting a code that has scope to call 2 of the APIs
  • getting an access_token with scope to call 1 API
  • getting an access_token with scope to call 2 of the 3 APIs
  • calling the APIs with the access_token

To run the integration tests, issue the Maven command

mvn clean package jetty:run

then visit http://127.0.0.1:8080/application.

The HTML is simply something to show a possible flow with OAuth2. It isn’t secure; this is a demo.

The page http://127.0.0.1:8080/application is a fictitious 3rd party who wants to access some APIs you provide to customers:

  • /api/demo/1
  • /api/demo/2
  • /api/demo/3

Click “Authorise” on the top bar and it will redirect the browser to the API provider’s authentication page. Here the customer would grant the 3rd party access to some or all of the resources.


If this were a full application the customer would have authenticated with a username/password on the API provider’s website.

From the 3 check boxes, select an API. I picked 2.


When I tried to call API 1 it denied the request, but when I tried API 2 I was permitted to call the API.

Of course, as it’s an OAuth access_token, the token will expire. In the case of the demo it is 30 seconds.

The 3rd party has been granted long-term access by the customer (well, 60 seconds for this demo) to some of a customer’s resources. The access_token is a temporary token used to access one or more of these resources.

I see its use as follows:

The 3rd party must be given a client_id and client_secret by the API provider or they can do nothing. If this is revoked the 3rd party can do nothing.

The 3rd party must be granted specific access to the customer’s APIs by that customer; these may expose personal data or allow an action to be performed on the customer’s behalf. This is something that would be done infrequently.

The 3rd party gets an access_token for day-to-day calls to the APIs.
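To make those three steps concrete, here is an added, self-contained Python model of the checks the demo performs; it is not the project’s Java/CXF code, and the client registration, token lifetimes and API paths are constructed to match the figures quoted above. Unlike a production authorization code, the customer’s grant is kept reusable for its 60 seconds, because the post exchanges one code for several access_tokens.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed lifetimes matching the post: grant 60 s, access_token 30 s.
GRANT_TTL = 60
TOKEN_TTL = 30
APIS = {"/api/demo/1", "/api/demo/2", "/api/demo/3"}
# Constructed registration: the provider issues the 3rd party its credentials.
CLIENTS = {"third-party-app": "s3cret-issued-by-provider"}

@dataclass
class Grant:  # what the customer approved, or what a token is allowed to do
    client_id: str
    scopes: frozenset
    expires_at: float

@dataclass
class AuthServer:
    codes: dict = field(default_factory=dict)
    tokens: dict = field(default_factory=dict)

    def authorise(self, client_id, chosen_apis, now):
        """Consent step: the customer ticks boxes; returns an authorization code."""
        if client_id not in CLIENTS or not set(chosen_apis) <= APIS:
            return None
        code = secrets.token_urlsafe(16)
        self.codes[code] = Grant(client_id, frozenset(chosen_apis), now + GRANT_TTL)
        return code

    def token(self, code, client_id, client_secret, scope, now):
        """Token step: the client authenticates and asks for a subset of the grant."""
        expected = CLIENTS.get(client_id, "")
        if not hmac.compare_digest(expected, client_secret):
            return None  # unknown client or wrong secret: it can do nothing
        grant = self.codes.get(code)
        if grant is None or grant.client_id != client_id or now > grant.expires_at:
            return None  # no grant, grant for another client, or grant expired
        if not set(scope) <= grant.scopes:
            return None  # a token may never exceed what the customer granted
        tok = secrets.token_urlsafe(16)
        self.tokens[tok] = Grant(client_id, frozenset(scope), now + TOKEN_TTL)
        return tok

    def call_api(self, access_token, api, now):
        """Resource server: check the bearer token's expiry, then its scope."""
        t = self.tokens.get(access_token)
        if t is None or now > t.expires_at:
            return 401  # missing or expired token
        return 200 if api in t.scopes else 403  # API 1 vs API 2 in the post
```

The `now` argument stands in for the clock so that the 30 and 60 second expiries can be exercised deterministically.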