What is OAuth 2.0
OAuth 2.0, which stands for “Open Authorization”, is an open standard and authorization protocol designed primarily to provide a standard way of granting access to a set of resources, for example APIs. OAuth 2.0 is an authorization protocol, not an authentication protocol: it is used to grant access to resources, not to verify who someone is.
OAuth 2.0 can be used in multiple different ways, such as granting access to the Frends UI or the management API. This course focuses on how to create APIs for your integration needs that use OAuth 2.0. The different uses might feel confusing at first, but in the end OAuth 2.0 can be used wherever there is some information or resource that is not public.
As OAuth 2.0 is a large standard covering a wide range of use cases, and because great resources explaining all of them can easily be found on the internet, this course only covers the basics of how it works with integrations. It should also be highlighted that OAuth 2.0 is almost completely different from the earlier OAuth 1.0 and is not backward compatible with it.
OAuth 2.0 uses Access Tokens. An Access Token represents the authorization to access resources. While OAuth 2.0 does not define a specific format for Access Tokens, the JSON Web Token (JWT) format is the de facto format for them.
If you need to debug, or you are just curious about what is inside a JWT, there are multiple great sites on the topic, such as jwt.io.
OAuth 2.0 uses multiple different ways, called flows or grants, to transfer authorization information. Unfortunately, terminology on this subject varies between sources and implementations. Integrations, however, run on servers and cannot show any authentication dialogs to users; they are therefore called headless machines. Knowing this is usually enough to choose the correct flow on a particular implementation of OAuth 2.0. Usually, the correct flow is called the Client Credentials Flow.
If you want to know more, you can learn and test how OAuth 2.0 works on multiple great sites such as OAuth Playground and oauth.tools.
OAuth 2.0 and Frends
Unlike most other products, Frends provides both API Management capabilities and ways to implement those APIs. Therefore you need multiple steps to get OAuth 2.0 working in your API. The steps can be done in any order.
First, you need to publish that an API uses OAuth 2.0 as a so-called security scheme (https://swagger.io/docs/specification/authentication/) for authentication and authorization. This requires adding it to the OpenAPI Specification. The details are covered later.
Secondly, you need to configure the identity provider so that Frends will trust tokens issued by it.
Thirdly, you need to define an API Access Policy that will implement the whole OAuth 2.0 authorization.
Finally, you need to link the API Access Policy to every API that should use it.
The next article is Introduction to Defining the use of OAuth 2.0 in OpenAPI Specification.