API Gateway OAuth 2.0 Introduction

Overview

The Oracle API Gateway can be used as an OAuth Authorization Server and as an OAuth Resource Server. The Authorization Server issues tokens to clients on behalf of a Resource Owner for use in authenticating subsequent API calls to the Resource Server.

You should be familiar with the terms and concepts of The OAuth 2.0 Authorization Framework specification:

http://tools.ietf.org/html/draft-ietf-oauth-v2-27

API Gateway OAuth Components

The API Gateway ships with the following features to support OAuth 2.0:

  • Client application registration

  • Generation of access tokens and authorization codes

  • Support for the following OAuth flows:

    • Authorization Code

    • Implicit Grant

    • Resource Owner Password Credentials

    • Client Credentials

    • JWT

    • Refresh Token

    • Revoke Token

    • Token Information Service

  • Sample clients for all of the above scenarios

OAuth 2.0 Definitions

The API Gateway uses the following definitions of basic OAuth 2.0 terms:

Resource Owner: An entity capable of granting access to a protected resource. When the resource owner is a person, it is referred to as an end user.

Resource Server: The server hosting the protected resources, capable of accepting and responding to protected resource requests using access tokens.

Client: An application making protected requests on behalf of the resource owner and with its authorization.

Authorization Server: The server issuing access tokens to the client after successfully authenticating the resource owner and obtaining authorization.

OAuth 2.0 Authentication Flows

The API Gateway supports the following authentication flows:

OAuth 2.0 Authorization Code Grant (Web Server): The Web server authentication flow is used by applications that are hosted on a secure server. A critical aspect of the Web server flow is that the server must be able to protect the client secret issued to the application.

OAuth 2.0 Implicit Grant (User-Agent): The user-agent authentication flow is used by client applications that run on the user's device, for example in a browser using a scripting language such as JavaScript or Flash. These clients cannot keep the client secret confidential.

OAuth 2.0 Resource Owner Password Credentials: This username-password authentication flow can be used when the client application already has the resource owner's credentials.

OAuth 2.0 Client Credentials: This flow is used when the client application needs to access its own resources on the resource server directly. Only the client application's own credentials (its client ID and client secret) are used in this flow; the resource owner's credentials are not required.

OAuth 2.0 JWT: This flow is similar to OAuth 2.0 Client Credentials. A JSON Web Token (JWT) is a JSON-based security token encoding that enables identity and security information to be shared across security domains.

OAuth 2.0 Refresh Token: After the consumer has been authorized for access, it can use a refresh token to obtain a new access token. This is only possible after the consumer has already received an access token (together with a refresh token) using the Authorization Code Grant or Resource Owner Password Credentials Grant flow.

OAuth 2.0 Revoke Token: A revoke token request removes the permissions that the specified token granted the client to access the end user's protected resources.

OAuth 2.0 Token Information Service: The OAuth Token Info service responds to requests for information on a specified OAuth 2.0 access token.
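The following is an added example, not Oracle API Gateway code, that models the server side of the flows listed above (client registration, Authorization Code, Resource Owner Password Credentials, Client Credentials, Refresh Token, Revoke Token and Token Information) as a small in-memory Authorization Server. The method names, client and user values, and the 60-second code and 3600-second token lifetimes are assumptions made for the example; the checks it performs (client authentication on every token request, single-use and short-lived authorization codes bound to the registered redirect URI, retiring an access token when it is refreshed) are the ones a resource server relying on the Token Info service would expect the Authorization Server to enforce.

```python
# Constructed example: a minimal in-memory OAuth 2.0 Authorization Server.
# Illustrative code added here, not Oracle API Gateway code; the method names
# (authorize, token, revoke, tokeninfo) and all client/user values are assumptions.
import secrets
import time

CODE_TTL = 60       # seconds an authorization code stays valid (assumed; one-time use)
TOKEN_TTL = 3600    # seconds an access token stays valid (assumed)


class AuthorizationServer:
    def __init__(self, users, now=time.time):
        self.users = users            # username -> password, for the password grant
        self.now = now                # injectable clock so expiry can be exercised
        self.clients = {}             # client_id -> registration record
        self.codes = {}               # authorization code -> grant details
        self.tokens = {}              # access token -> token record
        self.refresh_tokens = {}      # refresh token -> client/scope/user/access token

    # Client application registration; confidential clients hold a client secret.
    def register_client(self, client_id, client_secret, redirect_uri, confidential=True):
        self.clients[client_id] = {"secret": client_secret,
                                   "redirect_uri": redirect_uri,
                                   "confidential": confidential}

    # Authorization endpoint (front channel): the resource owner has consented, so a
    # short-lived code bound to the client and its registered redirect URI is issued.
    def authorize(self, client_id, redirect_uri, scope, resource_owner):
        client = self.clients.get(client_id)
        if client is None or client["redirect_uri"] != redirect_uri:
            raise ValueError("invalid_request")
        code = secrets.token_urlsafe(16)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                            "scope": scope, "user": resource_owner,
                            "expires": self.now() + CODE_TTL}
        return code

    def _authenticate_client(self, params):
        client = self.clients.get(params.get("client_id"))
        if client is None:
            raise ValueError("invalid_client")
        if client["confidential"] and not secrets.compare_digest(
                client["secret"], params.get("client_secret", "")):
            raise ValueError("invalid_client")   # wrong or missing client secret
        return client

    def _issue(self, client_id, scope, user, with_refresh):
        access = secrets.token_urlsafe(24)
        self.tokens[access] = {"client_id": client_id, "scope": scope, "user": user,
                               "expires": self.now() + TOKEN_TTL, "refresh": None}
        response = {"access_token": access, "token_type": "bearer",
                    "expires_in": TOKEN_TTL, "scope": scope}
        if with_refresh:
            refresh = secrets.token_urlsafe(24)
            self.refresh_tokens[refresh] = {"client_id": client_id, "scope": scope,
                                            "user": user, "access": access}
            self.tokens[access]["refresh"] = refresh
            response["refresh_token"] = refresh
        return response

    # Token endpoint (back channel): every grant type authenticates the client first.
    def token(self, params):
        self._authenticate_client(params)
        grant = params.get("grant_type")
        client_id = params["client_id"]
        if grant == "authorization_code":
            rec = self.codes.pop(params.get("code"), None)      # pop => single use
            if (rec is None or rec["client_id"] != client_id
                    or rec["redirect_uri"] != params.get("redirect_uri")
                    or rec["expires"] < self.now()):
                raise ValueError("invalid_grant")
            return self._issue(client_id, rec["scope"], rec["user"], with_refresh=True)
        if grant == "password":
            user = params.get("username")
            if self.users.get(user) is None or not secrets.compare_digest(
                    self.users[user], params.get("password", "")):
                raise ValueError("invalid_grant")
            return self._issue(client_id, params.get("scope", ""), user, with_refresh=True)
        if grant == "client_credentials":
            # No resource owner involved: the token represents the client itself.
            return self._issue(client_id, params.get("scope", ""), None, with_refresh=False)
        if grant == "refresh_token":
            rec = self.refresh_tokens.pop(params.get("refresh_token"), None)
            if rec is None or rec["client_id"] != client_id:
                raise ValueError("invalid_grant")
            self.tokens.pop(rec["access"], None)       # retire the old access token
            return self._issue(client_id, rec["scope"], rec["user"], with_refresh=True)
        raise ValueError("unsupported_grant_type")

    # Revoke endpoint: drop the access token and the refresh token tied to it.
    def revoke(self, access_token):
        rec = self.tokens.pop(access_token, None)
        if rec and rec["refresh"]:
            self.refresh_tokens.pop(rec["refresh"], None)

    # Token info endpoint: what a resource server asks before serving a request.
    def tokeninfo(self, access_token):
        rec = self.tokens.get(access_token)
        if rec is None or rec["expires"] < self.now():
            return {"active": False}
        return {"active": True, "client_id": rec["client_id"], "scope": rec["scope"],
                "user": rec["user"], "expires_in": int(rec["expires"] - self.now())}
```

A typical run registers a confidential client, calls authorize() once the resource owner has consented, exchanges the returned code at token() with grant_type "authorization_code" plus the client secret and the same redirect_uri, and then lets the resource server call tokeninfo() on the bearer token. The client credentials grant deliberately returns no refresh token and no user, since nothing in that flow involves a resource owner; the implicit grant is not modelled because it never reaches the token endpoint.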

Further Information

For more details on the API Gateway OAuth 2.0 support, see the following topics:

For more details on OAuth 2.0, see The OAuth 2.0 Authorization Framework:

http://tools.ietf.org/html/draft-ietf-oauth-v2-27