OAuth Client Credential flow with API Gateway:
The Client Credentials grant type is used by clients to obtain an access token outside of the context of a user. This is typically used by clients to access resources about themselves rather than to access a user's resources.
The Client Credentials grant is used when an application requests an access token to access its own resources, not on behalf of a user. The client must authenticate itself for this request. Typically the service accepts either the client_id and client_secret as additional request parameters, or the client ID and secret in the HTTP Basic auth header.
The diagram below explains the client credential flow in general, together with the API Gateway.
Note: The API Gateway can be AWS API Gateway, Azure API Gateway or any other API gateway. The API gateway acts as a proxy to the backend APIs.
The client sends its client_id and client secret to the Authorization Server (the /token endpoint) in an HTTP request and receives the access token directly in the HTTP response.
The same access token is then sent to the API gateway (which proxies the backend APIs). The validation logic can live in the API gateway, and once the access token is validated the client can access the backend APIs or microservices.
Example
A sample client credential grant type request is shown below.
HTTP Request:
HTTP Response:
A sample HTTP response for the above request may look like this.
Access Token:
The access token received is a Bearer token, which means anyone who holds that token can access the API. A refresh token is optional. A refresh token has a longer lifetime than the access token.
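The following is an added example, not code from the original post, that walks through the flow described above end to end: the client builds the /token request with its credentials in an HTTP Basic header, a minimal authorization server authenticates the client and issues a bearer token, and the gateway validates that token (signature, expiry, scope) before proxying to the backend. The client id, secret, signing key, scopes and the token format are all constructed for this example; real authorization servers issue tokens in their own format (often JWT) and real gateways validate them via introspection or a published key set.

```python
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import parse_qsl, urlencode

# Constructed sample values (not from the original post).
CLIENT_ID = "example-client"
CLIENT_SECRET = "example-secret-value"
# Hypothetical key shared by the authorization server (to sign tokens) and the
# gateway (to validate them locally, without calling the server on each request).
AS_SIGNING_KEY = b"constructed-signing-key"
TOKEN_LIFETIME = 3600  # seconds

# Registered clients: the server stores a hash of the secret, never the secret.
# (A production server would use a slow, salted hash such as PBKDF2 or Argon2.)
REGISTERED_CLIENTS = {
    CLIENT_ID: {
        "secret_hash": hashlib.sha256(CLIENT_SECRET.encode()).digest(),
        "scopes": {"orders:read", "orders:write"},
    },
}


def build_token_request(client_id, client_secret, scope=None):
    """Client side: the HTTP request sent to the /token endpoint (RFC 6749 4.4).

    Credentials go in an HTTP Basic header; only grant_type (and optional scope)
    go in the form body. RFC 6749 2.3.1 also form-urlencodes id and secret before
    Base64; omitted here because the constructed values contain no reserved chars.
    """
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    body = {"grant_type": "client_credentials"}
    if scope:
        body["scope"] = scope
    return {
        "method": "POST",
        "path": "/token",
        "headers": {
            "Authorization": f"Basic {basic}",
            "Content-Type": "application/x-www-form-urlencoded",
        },
        "body": urlencode(body),
    }


def _parse_basic(header):
    """Return (client_id, secret) from a Basic auth header, or None if malformed."""
    scheme, _, value = header.partition(" ")
    if scheme != "Basic":
        return None
    try:
        decoded = base64.b64decode(value, validate=True).decode()
    except Exception:
        return None
    client_id, sep, secret = decoded.partition(":")
    return (client_id, secret) if sep else None


def _sign(payload: bytes) -> str:
    return hmac.new(AS_SIGNING_KEY, payload, hashlib.sha256).hexdigest()


def token_endpoint(request, now=None):
    """Authorization server side: authenticate the client, issue a bearer token.

    Returns (http_status, json_body) mirroring the RFC 6749 5.1 / 5.2 responses.
    """
    now = int(now if now is not None else time.time())
    creds = _parse_basic(request["headers"].get("Authorization", ""))
    if creds is None:
        return 401, {"error": "invalid_client"}
    client_id, secret = creds
    client = REGISTERED_CLIENTS.get(client_id)
    # Constant-time compare so a wrong secret cannot be distinguished by timing.
    if client is None or not hmac.compare_digest(
        hashlib.sha256(secret.encode()).digest(), client["secret_hash"]
    ):
        return 401, {"error": "invalid_client"}
    form = dict(parse_qsl(request["body"]))
    if form.get("grant_type") != "client_credentials":
        return 400, {"error": "unsupported_grant_type"}
    requested = set(form.get("scope", "").split()) or client["scopes"]
    if not requested <= client["scopes"]:
        return 400, {"error": "invalid_scope"}
    # Constructed token format: base64url(claims) "." hmac(claims). No refresh
    # token is issued: the client can simply authenticate again when it expires.
    claims = {"client_id": client_id, "scope": sorted(requested), "exp": now + TOKEN_LIFETIME}
    payload = json.dumps(claims, separators=(",", ":")).encode()
    token = base64.urlsafe_b64encode(payload).decode().rstrip("=") + "." + _sign(payload)
    return 200, {
        "access_token": token,
        "token_type": "Bearer",
        "expires_in": TOKEN_LIFETIME,
        "scope": " ".join(sorted(requested)),
    }


def gateway_validate(authorization_header, required_scope, now=None):
    """API gateway side: check the Bearer token before proxying to the backend.

    Returns (True, client_id) on success or (False, reason) on rejection.
    """
    now = int(now if now is not None else time.time())
    scheme, _, token = authorization_header.partition(" ")
    if scheme.lower() != "bearer" or not token:
        return False, "missing bearer token"
    b64, _, sig = token.partition(".")
    try:
        payload = base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))
    except Exception:
        return False, "malformed token"
    # Verify the signature before trusting any claim inside the token.
    if not hmac.compare_digest(_sign(payload), sig):
        return False, "bad signature"
    claims = json.loads(payload)
    if claims["exp"] <= now:
        return False, "token expired"
    if required_scope not in claims["scope"]:
        return False, "insufficient scope"
    return True, claims["client_id"]
```

The gateway check is what makes a bearer token safe to accept at all: because possession is the only proof, the gateway must verify the signature, reject expired tokens, and enforce scope per route rather than merely checking that an Authorization header is present.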