Configuring a third-party OAuth provider
Enter the secure endpoints to provide OAuth authentication from a third party.
About this task
One of the following roles is required to configure OAuth Providers:
- Topology Administrator
- Custom role with the Settings:Manage permissions
Complete the following steps to configure a third party OAuth provider:
- In the Cloud Manager, click Resources.
Complete the following parameters for the first screen and click
Field Description Title Enter a descriptive title for the gateway service. This title will be displayed on the screen. Name This field is auto-populated by the system and used as the internal field name. Supported grant types Select from the following options:
- Implicit: An access token is returned immediately without an extra authorization code exchange step.
- Application: Application to application. Corresponds to the OAuth grant type Client Credentials. Does not require User Security.
- Access code: An authorization code is extracted from a URL and exchanged for an access code. Corresponds to the OAuth grant type Authorization Code.
- Resource owner - Password: The user's username and password are exchanged directly for an access token, so can only be used by first-party clients.
- Resource owner - JWT: a JSON Web Token (JWT) Bearer Token is used as a means for requesting an OAuth 2.0 access token, and for client authentication, as defined by the JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants.
Gateway type Select the gateway type, either DataPower® Gateway (v5 compatible) or DataPower API Gateway.
For information about types of gateways, see API Connect gateway types.OAuth Providers apply to one gateway type.
Specify configuration settings for the endpoints.
Field Description Authorization URL
An authorization URL where the resource owner grants authorization to the client application to access a protected resource. Example:
A token request URL where the client application exchanges an authorization grant for an access token. Example:
The introspection URL is where the API gateway validates the access tokens that are issued by the third party provider. Example:
For more information on integrating third party OAuth providers for introspection, see OAuth introspection for third-party OAuth providers.
Introspect cache type The cache type determines how long responses from the third party provider are cached, if at all. Select one of the following options:
- No cache (default): Responses are not cached.
- Protocol: Defined by the
cache-controlheader in the provider response.
- Time to live: Defined by the provider.
Cache Time to Live The length of time, in seconds, for which provider responses are cached, if the Introspect cache type is set to Time to live. The default value is 900. TLS Profile (optional) Select an optional TLS profile for communicating with the third party provider. Security Default is Basic Authentication. Basic authentication request header name The x-introspect-basic-authorization-header is available to provide a user-configured HTTP Basic authorization header. Basic authentication username (optional) The default user name for HTTP Basic authentication. Basic authentication password (optional) The default password for HTTP Basic authentication. Token validation Specifies the method used to determine the success of the introspection request that is sent to the third party service to validate the provided token. Select one of the following options:
- Connected: The query is successful if the status return code is
- Active (default): The query is successful if the status return code is
200and the response JSON body includes the property
Custom header pattern (optional) A regular expression for request headers that are to be passed to the third-party provider; for example, x-Introspect-*. Authorization header pass through Select this check box if you want to retain the
Authorizationheader for a bearer token. The default behavior is to remove this header.
Enter the scopes in the third screen. A scope becomes an option in the request and response for
an access token. Click Add to add additional fields for scopes. Click
Next when done.
Field Description sample_scope_1 Scope for token sample_scope_2 Scope for token additional scopes Scope for token
- Review the settings on the Summary panel.
- Complete the following parameters for the first screen and click Next.
- Click Save and Edit to complete the configuration.