OAuth: Client Authentication with the Platform's OAuth Provider
This topic provides information and examples for authenticating when using the platform's OAuth Provider. It includes:
- Types of OAuth Clients supported
- Confidential Clients: Types of authentication supported
- Requesting an access token using the Authorization Code grant type
- Requesting an access token using the Client Credentials grant type
- Requesting an access token using the Resource Owner Password Credentials grant type
- Requesting an access token using a Refresh Token grant type
- Requesting an access token using a JWT Bearer Assertion grant type
- Access token response
Types of OAuth Clients supported
There are two types of OAuth client supported by the platform’s OAuth Provider:
- Public: Public clients are those clients that do not need to be authenticated in order to obtain access tokens.
- Confidential: All confidential clients must be authenticated at the Token API to obtain an access token, using one of the supported authentication methods given below.
Confidential Clients: Types of authentication supported
All confidential clients must be authenticated at the Token API to obtain an access token. The platform's OAuth 2.0 Token API supports the following authentication methods:
HTTP Basic Authentication
Basic authentication requires that users provide a valid user name and password to access content. All major browsers support this authentication method and it works across firewalls and proxy servers. The disadvantage of Basic authentication is that it transmits passwords across the network using weak encryption. You should use Basic authentication only when you know that the connection between the client and the server is secure.
With HTTP Basic authentication, the client sends its credentials via an HTTP Authorization Header with scheme Basic as shown in the example below.
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Form-Based Authentication
Form-based authentication works well for sites or applications on public web servers that receive many requests.
With this type of authentication, the client sends its credentials as part of the parameters. Depending on the HTTP method used to invoke the token API, the credentials might be sent in either of these ways:
- query parameters
- form-post
An example is below.
client_id=[Client ID]&client_secret=[Client shared secret]
HTTPS 2-way Authentication
HTPS 2-way authentication requires that both the client and server authenticate each other with certificates.
To use this form of authentication, the client must access the Token API over HTTPS. The client must send its X509 certificate as the client cert during HTTPS negotiation. The Authorization Server uses the client certificate to identify the client uniquely within the platform, thus completing the authentication.
JWT Authentication
JWT Authentication is an extension mechanism in which JWT assertion will be used as client credentials. The client must include the assertion and related information using the following HTTP request parameters.
| Parameter | Description |
|---|---|
| client_assertion_type | The format of the assertion as identified by the Authorization Server. The value must be set to urn:ietf:params:oauth:client-assertion-type:jwt-bearer. |
| client_assertion | The assertion being used to authenticate the client. Only JWT compact serialization is allowed. |
The JWT assertion must be signed using a symmetric signature algorithm or an asymmetric signature algorithm.
If the Client chooses to sign the JWT using a symmetric signature algorithm such as HS256, the client secret must be used as the cryptographic key.
If the Client signs the JWT using an asymmetric signature algorithm such as RS256, the client must use its private key as the cryptographic key and must upload the corresponding public key certificate in the Akana platform so as to verify the signatures at the Token API.
Below is an example of a JWT token (decoded form) used for client credentials.
JWT token header:
{
"alg": "HS256"
}
JWT token body:
{
"exp": 1436268156,
"sub": "devconsole",
"nbf": 1436267256,
"aud": [
"http://acmepaymentscorp/oauth/oauth20/token"
],
"iss": "devconsole",
"jti": "ffr45freui360aseqdh5",
"iat": 1436267256
}
JWT token signature:
IFlwboCnB50gCMgAa3jC42kKppRvuHitN-j3vYuxG48
Example JWT token in compact serialization form
eyJhbGciOiJIUzI1NiJ9.eyJleHAiOjE0MzYyNjgxNTYsInN1YiI6ImRldmNvbnNvbGUiLCJuYmYiO jE0MzYyNjcyNTYsImF1ZCI6WyJodHRwOlwvXC9hYnVqYWdvbmRhLTY0MzA6OTkwMFwvb2F1dGhcL29 hdXRoMjBcL3Rva2VuIl0sImlzcyI6ImRldmNvbnNvbGUiLCJqdGkiOiJmZnI0NWZyZXVpMzYwYXNlc WRoNSIsImlhdCI6MTQzNjI2NzI1Nn0.IFlwboCnB50gCMgAa3jC42kKppRvuHitN-j3vYuxG48
Example token request using a JWT assertion as client credentials
grant_type=authorization_code&code=n0esc3NRze7LTCu7iYzS6a5acc3f0ogp4 &client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer &client_assertion=eyJhbGciO...[omitted for brevity]...48
Requesting an access token using the Authorization Code Grant Type
Operation: POST /oauth/oauth10/token or GET /oauth/oauth10/token.
To request an access token using the Authorization Code grant type, the client must have already obtained the Authorization Code from the authorization server.
An Authorization Code is a short-lived token issued to the client application by the authorization server upon successful authentication/authorization of an end-user (resource owner). The client application then uses the authorization code to request an access token from the authorization server.
Request
| Header | Description |
|---|---|
| URL | {oauth-provider-base-url}/oauth/oauth20/token |
| Action | GET/POST |
| Request Headers | Accept: application/json |
Request Parameters
| Header | Description |
|---|---|
| client_id | Unique identifier of the client application. |
| client_secret | The client secret value; this value identifies the client with the provider. |
| grant_type | The grant type. The value must be set to authorization_code. |
| code |
The authorization code. It is the authorization code that was previously received by the client application after user authentication.. |
| redirect_uri |
OAuth 2.0: standard redirect_uri parameter. The redirect URI configured by the app. For more information, see OAuth Parameters. It is the redirect URI where the client received the authorization code. |
| X_proxy_azp_client_id | Optionally, the client can send this parameter with the value of actual authorized party so it will be used in the ID token claims azp and aud. |
Example
client_id=xyzclient&client_secret=xyzsecret&grant_type=authorization_code &code=SplxlOBeZQQYbYS6WxSbIA&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb
Requesting an access token using the Client Credentials Grant Type
The client can request an access token using only its client credentials (or other supported means of authentication; refer to Confidential Clients: Types of Authentication Supported above) when the client is requesting access to the protected resources under its control.
Request
| Header | Description |
|---|---|
| URL | {oauth-provider-base-url}/oauth/oauth20/token |
| Action | GET/POST |
| Request Headers | Accept: application/json |
Request Parameters
| Header | Description |
|---|---|
| client_id | Unique identifier of the client application. |
| client_secret | The client secret value; this value identifies the client with the provider. |
| grant_type | The grant type. The value must be set to client_credentials. |
| scope |
OAuth 2.0: standard scope parameter. One or more scopes configured in the OAuth provider. Space separator for multiple scopes. The scope of the access request. |
Example
client_id=xyzclient&client_secret=xyzsecret&grant_type=client_credentials&scope=READ%20profile%20email
Requesting an access token using the Resource Owner Password Credentials Grant Type
To request an access token using the Resource Owner Password Credentials grant type, the client must already have the password credentials from the resource owner.
This grant type is suitable for clients capable of obtaining the resource owner's credentials (username and password, typically using an interactive form).
Request
| Header | Description |
|---|---|
| URL | {oauth-provider-base-url}/oauth/oauth20/token |
| Action | GET/POST |
| Request Headers | Accept: application/json |
Request Parameters
| Header | Description |
|---|---|
| client_id | Unique identifier of the client application. |
| client_secret | The client secret value; this value identifies the client with the provider. |
| grant_type | The grant type. The value must be set to password. |
| username | The resource owner's username.The resource owner's username. |
| password | The resource owner's password. |
| scope |
OAuth 2.0: standard scope parameter. One or more scopes configured in the OAuth provider. Space separator for multiple scopes. The scope of the access request. |
Example
client_id=xyzclient&client_secret=xyzsecret&grant_type=password&username=jdoe&password=s3cret&scope=READ%20profile%20email
Requesting an access token using the Refresh Token Grant Type
To request for access token using the refresh token grant type, the client must have already obtained the refresh token from the authorization server.
A Refresh Token is a credential used to obtain an access token from an authorization server. Refresh tokens are issued to the client by the authorization server and are used to obtain a new access token when the current access token becomes invalid or expires.
A refresh token is a string representing the authorization granted to the client by the resource owner. The string is usually opaque to the client. The token denotes an identifier used to retrieve the authorization information.
Unlike access tokens, refresh tokens are intended for use only with authorization servers and are never sent to resource servers.
Request
| Header | Description |
|---|---|
| URL | {oauth-provider-base-url}/oauth/oauth20/token |
| Action | GET/POST |
| Request Headers | Accept: application/json |
Request Parameters
| Header | Description |
|---|---|
| client_id | Unique identifier of the client application. |
| client_secret | The client secret value; this value identifies the client with the provider. |
| grant_type | The grant type. The value must be set to refresh_token. |
| refresh_token | The refresh token. |
Example
client_id=xyzclient&client_secret=xyzsecret&grant_type=refresh_token&refresh_token=tGzv3JOkF0XG5Qx2TlKWIA
Requesting an access token using the JWT Bearer Assertion Grant Type
To request an access token using this grant type, the client must have already obtained the JWT Assertion from an issuer.
Upon successful validation of the JWT assertion, The authorization server issues an access token to the client.
Request
| Header | Description |
|---|---|
| URL | {oauth-provider-base-url}/oauth/oauth20/token |
| Action | GET/POST |
| Request Headers | Accept: application/json |
Request Parameters
| Header | Description |
|---|---|
| client_id | Unique identifier of the client application. |
| client_secret | The client secret value; this value identifies the client with the provider. |
| grant_type | The grant type. The value must be set to urn:ietf:params:oauth:grant-type:jwt-bearer. |
| refresh_token | The refresh token. |
| assertion | JWT Bearer Assertion grant type only: The JWT Bearer Assertion. |
Example
client_id=xyzclient&client_secret=xyzsecret&grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer &assertion=eyJhbGciOiJSUzI1NiIsImtpZCI6IjFlOWdkazcifQ. ewogImlzc [...omitted for brevity...].ggW8hZ1EuVLux[...omitted for brevity...]
Access token response
The response is the access token.
Sample Response
{
"access_token": "SlAV32hkKG",
"token_type": "Bearer",
"refresh_token": "8xLOxBtZp8",
"expires_in": 3600,
"id_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6IjFlOWdkazcifQ.ewogImlzc
yI6ICJodHRwOi8vc2VydmVyLmV4YW1wbGUuY29tIiwKICJzdWIiOiAiMjQ4Mjg5
NzYxMDAxIiwKICJhdWQiOiAiczZCaGRSa3F0MyIsCiAibm9uY2UiOiAibi0wUzZ
fV3pBMk1qIiwKICJleHAiOiAxMzExMjgxOTcwLAogImlhdCI6IDEzMTEyODA5Nz
AKfQ.ggW8hZ1EuVLuxNuuIJKX_V8a_OMXzR0EHR9R6jgdqrOOF4daGU96Sr_P6q
Jp6IcmD3HP99Obi1PRs-cwh3LO-p146waJ8IhehcwL7F09JdijmBqkvPeB2T9CJ
NqeGpe-gccMg4vfKjkM8FcGvnzZUN4_KSP0aAp1tOJ1zZwgjxqGByKHiOtX7Tpd
QyHE5lcMiKPXfEIQILVq0pc_E2DzL7emopWoaoZTF_m0_N0YzFC6g6EJbOEoRoS
K5hoDalrcvRYLSrQAZZKflyuVCyixEoV9GfNQC3_osjzw2PAithfubEEBLuVVk4
XUVrWOLrLl0nx7RkKU8NXNHq-rvKMzqg"
}
The access token response includes the following information:
Response Parameters
| Parameter | Description |
|---|---|
| access_token | The access token. |
| token_type | The token type. Values supported by the platform's OAuth Provider: Bearer or MAC. |
| refresh_token | The Refresh Token. Refresh tokens may be issued to the client by the authorization server and are used to obtain a new access token when the current access token becomes invalid or expires. A refresh token is a string representing the authorization granted to the client by the resource owner. The string is usually opaque to the client. The token denotes an identifier used to retrieve the authorization information. Unlike access tokens, refresh tokens are intended for use only with authorization servers and are never sent to resource servers. |
| expires_in | The lifetime in seconds of the access token. |
| id_token | The ID Token. The ID Token is a security token that contains Claims about the Authentication of an End-User by an Authorization Server when using a Client, and potentially other requested Claims. The ID Token is represented as a JWT. |