Configuring a third-party OAuth provider
Enter the secure endpoints to provide OAuth authentication from a third party.
About this task
One of the following roles is required to configure OAuth Providers:
- Administrator
- Owner
- Topology Administrator
- Custom role with the Settings:Manage permissions
Procedure
Complete the following steps to configure a third party OAuth provider:
- In the Cloud Manager, click Resources.
- Select OAuth Providers > Add > Third party OAuth Provider.
- Complete the following parameters for the first screen and click Next.
  - Title: Enter a descriptive title for the gateway service. This title will be displayed on the screen.
  - Name: This field is auto-populated by the system and used as the internal field name.
  - Supported grant types: Select from the following options:
    - Implicit: An access token is returned immediately without an extra authorization code exchange step.
    - Application: Application to application. Corresponds to the OAuth grant type Client Credentials. Does not require User Security.
    - Access code: An authorization code is extracted from a URL and exchanged for an access code. Corresponds to the OAuth grant type Authorization Code.
    - Resource owner - Password: The user's username and password are exchanged directly for an access token, so it can only be used by first-party clients.
    - Resource owner - JWT: A JSON Web Token (JWT) Bearer Token is used as a means for requesting an OAuth 2.0 access token, and for client authentication, as defined by the JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants.
      Note: To use the Resource owner - JWT option, complete the following steps:
      - In the Supported grant types field, select both Resource owner - Password and Resource owner - JWT.
      - Edit the API definition and add a security scheme that specifies oauth2 as the security definition type and select Resource owner - Password as the flow type.
      For instructions on defining an OAuth2 security scheme for an API, see Defining OAuth2 security scheme components (OpenAPI 3) or Defining OAuth2 security schemes (OpenAPI 2).
  - Gateway type: Select the gateway type, either DataPower® Gateway (v5 compatible) or DataPower API Gateway. For information about types of gateways, see API Connect gateway types. OAuth Providers apply to one gateway type.
- Specify configuration settings for the endpoints, and then click Next.
  - Authorization URL: An authorization URL where the resource owner grants authorization to the client application to access a protected resource. Example: https://example.com/oauth2/authorize
  - Token URL: A token request URL where the client application exchanges an authorization grant for an access token. Example: https://example.com/oauth2/token
  - Introspect URL: The introspection URL is where the API gateway validates the access tokens that are issued by the third party provider. Example: https://example.com/oauth2/introspect
    For more information on integrating third party OAuth providers for introspection, see OAuth introspection for third-party OAuth providers.
  - Introspect cache type: The cache type determines how long responses from the third party provider are cached, if at all. Select one of the following options:
    - No cache (default): Responses are not cached.
    - Protocol: Defined by the cache-control header in the provider response.
    - Time to live: Defined by the provider.
  - Cache Time to Live: The length of time, in seconds, for which provider responses are cached, if the Introspect cache type is set to Time to live. The default value is 900.
  - TLS Profile (optional): Select an optional TLS profile for communicating with the third party provider.
  - Security: Default is Basic Authentication.
  - Basic authentication request header name: The x-introspect-basic-authorization-header is available to provide a user-configured HTTP Basic authorization header.
  - Basic authentication username (optional): The default user name for HTTP Basic authentication.
  - Basic authentication password (optional): The default password for HTTP Basic authentication.
  - Token validation: Specifies the method used to determine the success of the introspection request that is sent to the third party service to validate the provided token. Select one of the following options:
    - Connected: The query is successful if the status return code is 200.
    - Active (default): The query is successful if the status return code is 200 and the response JSON body includes the property active: true.
  - Custom header pattern (optional): A regular expression for request headers that are to be passed to the third-party provider; for example, x-Introspect-*.
  - Authorization header pass through: Select this check box if you want to retain the Authorization header for a bearer token. The default behavior is to remove this header.
- Enter the scopes in the third screen. A scope becomes an option in the request and response for an access token. Click Add to add additional fields for scopes. Click Next when done.
  - sample_scope_1: Scope for token
  - sample_scope_2: Scope for token
  - additional scopes: Scope for token
- Review the settings on the Summary panel.
- Click Save and Edit to complete the configuration.
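The grant types chosen on the first screen, the URLs entered on the second and the scopes entered on the third all have to agree with the oauth2 security scheme that the API definition declares (the note on Resource owner - JWT above depends on exactly that). The following is an added example, not code from the original page or from API Connect: a consistency check that takes a provider configuration and an OpenAPI 3 securitySchemes entry and reports any mismatch, using the grant-type-to-flow correspondence stated in the grant types table. The provider settings, the scheme fragments and the GRANT_TO_FLOW mapping are constructed for the example.

```python
# Added example, not from the original page or from API Connect: a consistency
# check between a third-party OAuth provider configuration (grant types from the
# first screen, URLs from the second, scopes from the third) and the oauth2
# security scheme an API definition declares, using the grant-type-to-flow
# correspondence stated in the grant types table. The provider settings and the
# OpenAPI 3 securitySchemes fragments are constructed samples.

# Provider "Supported grant types" option -> OpenAPI 3 oauth2 flow name.
GRANT_TO_FLOW = {
    "Implicit": "implicit",
    "Application": "clientCredentials",        # Client Credentials grant
    "Access code": "authorizationCode",        # Authorization Code grant
    "Resource owner - Password": "password",
    "Resource owner - JWT": "password",        # JWT grant uses the password flow type (see note)
}


def check_scheme(provider, scheme):
    """Return a list of problems; an empty list means the scheme matches the provider."""
    if scheme.get("type") != "oauth2":
        return [f"security scheme type is {scheme.get('type')!r}, expected 'oauth2'"]
    problems = []
    grants = set(provider["grant_types"])
    if "Resource owner - JWT" in grants and "Resource owner - Password" not in grants:
        problems.append("Resource owner - JWT also requires Resource owner - Password")
    supported_flows = {GRANT_TO_FLOW[g] for g in grants}
    for flow_name, flow in scheme.get("flows", {}).items():
        if flow_name not in supported_flows:
            problems.append(f"{flow_name}: flow is not enabled on the provider")
        # implicit and authorizationCode send the user to the Authorization URL ...
        if flow_name in ("implicit", "authorizationCode") and \
                flow.get("authorizationUrl") != provider["authorization_url"]:
            problems.append(f"{flow_name}: authorizationUrl does not match the provider's Authorization URL")
        # ... and every flow except implicit redeems its grant at the Token URL.
        if flow_name != "implicit" and flow.get("tokenUrl") != provider["token_url"]:
            problems.append(f"{flow_name}: tokenUrl does not match the provider's Token URL")
        undeclared = sorted(set(flow.get("scopes", {})) - set(provider["scopes"]))
        if undeclared:
            problems.append(f"{flow_name}: scopes not configured on the provider: {undeclared}")
    return problems


# Constructed provider configuration, mirroring the three screens of the procedure.
PROVIDER = {
    "grant_types": ["Access code", "Resource owner - Password", "Resource owner - JWT"],
    "authorization_url": "https://example.com/oauth2/authorize",
    "token_url": "https://example.com/oauth2/token",
    "scopes": ["sample_scope_1", "sample_scope_2"],
}

# Constructed components.securitySchemes entries as an OpenAPI 3 document would carry them.
PASSWORD_SCHEME = {
    "type": "oauth2",
    "flows": {"password": {"tokenUrl": "https://example.com/oauth2/token",
                           "scopes": {"sample_scope_1": "Scope for token"}}},
}
MISMATCHED_SCHEME = {
    "type": "oauth2",
    "flows": {
        "clientCredentials": {"tokenUrl": "https://example.com/oauth2/token",
                              "scopes": {"admin": "not configured on the provider"}},
        "authorizationCode": {"authorizationUrl": "https://other.example/oauth2/authorize",
                              "tokenUrl": "https://example.com/oauth2/token", "scopes": {}},
    },
}

if __name__ == "__main__":
    for label, scheme in (("password", PASSWORD_SCHEME), ("mismatched", MISMATCHED_SCHEME)):
        print(label, check_scheme(PROVIDER, scheme) or "OK")
```

Run it before publishing an API that references the provider: a flow the provider does not enable, a URL that points at a different authorization server, or a scope that was never entered on the third screen will each surface as a separate line instead of as a failed token request at run time.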
If you want to specify the third party OAuth Provider in your Catalog, see Specifying the OAuth Providers.
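The endpoint settings of step 4 only make sense together: Token validation decides what counts as a valid answer, Introspect cache type and Cache Time to Live decide how long that answer is reused, the Basic authentication fields decide how the gateway identifies itself to the provider, and Custom header pattern decides which caller headers travel with the request. The following is an added example, not code from the original page or from API Connect, that models those settings in one small gateway-side validator; the third-party provider is replaced by an in-memory stub (fake_provider) that answers for constructed tokens, and the IntrospectConfig field names are this example's own.

```python
# Added example, not from the original page or from API Connect: a model of the
# gateway-side introspection call configured on the endpoints screen. It shows how
# "Token validation" (Connected vs Active), "Introspect cache type" with "Cache Time
# to Live", the Basic authentication settings and "Custom header pattern" combine to
# decide whether a presented bearer token is accepted. The third-party provider is
# replaced by an in-memory stub answering for constructed tokens, so it runs offline.
import base64
import hashlib
import json
import re
import time
from dataclasses import dataclass


@dataclass
class IntrospectConfig:
    introspect_url: str
    token_validation: str = "active"    # "connected" or "active" (the page's default)
    cache_type: str = "none"            # "none" (default), "protocol" or "ttl"
    cache_ttl: int = 900                # seconds, used only when cache_type == "ttl"
    basic_username: str = ""
    basic_password: str = ""
    basic_header_name: str = "x-introspect-basic-authorization-header"
    custom_header_pattern: str = ""     # regex over incoming header names, e.g. "x-Introspect-*"


def build_request(cfg, token, incoming):
    """Headers and form body the gateway sends to cfg.introspect_url for one token."""
    inc = {k.lower(): v for k, v in incoming.items()}   # header names are case-insensitive
    hdrs = {"content-type": "application/x-www-form-urlencoded", "accept": "application/json"}
    # A user-configured Basic header on the incoming request wins over the stored defaults.
    if cfg.basic_header_name in inc:
        hdrs["authorization"] = inc[cfg.basic_header_name]
    elif cfg.basic_username:
        creds = f"{cfg.basic_username}:{cfg.basic_password}".encode()
        hdrs["authorization"] = "Basic " + base64.b64encode(creds).decode()
    # Only incoming headers whose name matches the custom pattern are passed through.
    if cfg.custom_header_pattern:
        rx = re.compile(cfg.custom_header_pattern, re.IGNORECASE)
        for name, value in inc.items():
            if rx.match(name) and name != cfg.basic_header_name and name not in hdrs:
                hdrs[name] = value
    return hdrs, {"token": token}


def token_accepted(cfg, status, body):
    """Apply the configured Token validation rule to the provider's answer."""
    if status != 200:
        return False
    if cfg.token_validation == "connected":
        return True                     # any 200 counts, even a body of {"active": false}
    try:
        doc = json.loads(body)
    except ValueError:
        return False
    return isinstance(doc, dict) and doc.get("active") is True   # JSON true only, not "true"


def cache_seconds(cfg, response_headers):
    """Seconds a decision may be reused under the configured Introspect cache type."""
    if cfg.cache_type == "ttl":
        return cfg.cache_ttl
    if cfg.cache_type == "protocol":
        cc = response_headers.get("cache-control", "").lower()
        if "no-store" in cc or "no-cache" in cc:
            return 0
        m = re.search(r"max-age=(\d+)", cc)
        return int(m.group(1)) if m else 0
    return 0                            # "none": never cache


class IntrospectingGateway:
    def __init__(self, cfg, provider):
        self.cfg, self.provider = cfg, provider
        self.cache = {}                 # sha256(token) -> (decision, expires_at)
        self.provider_calls = 0

    def validate(self, token, incoming, now=None):
        now = time.time() if now is None else now
        key = hashlib.sha256(token.encode()).hexdigest()   # never keep raw tokens as keys
        hit = self.cache.get(key)
        if hit and hit[1] > now:
            return hit[0]
        hdrs, form = build_request(self.cfg, token, incoming)
        self.provider_calls += 1
        status, resp_hdrs, body = self.provider(self.cfg.introspect_url, hdrs, form)
        decision = token_accepted(self.cfg, status, body)
        ttl = cache_seconds(self.cfg, resp_hdrs)
        if ttl > 0:
            self.cache[key] = (decision, now + ttl)
        return decision


def fake_provider(url, headers, form):
    """Constructed stand-in for the third-party introspection endpoint (no network)."""
    if headers.get("authorization") != "Basic " + base64.b64encode(b"gw:secret").decode():
        return 401, {}, '{"error": "invalid_client"}'
    answers = {
        "tok-good":    (200, {"cache-control": "max-age=60"}, '{"active": true, "scope": "read"}'),
        "tok-revoked": (200, {"cache-control": "no-store"}, '{"active": false}'),
        "tok-string":  (200, {}, '{"active": "true"}'),       # malformed: string, not boolean
    }
    return answers.get(form["token"], (200, {}, '{"active": false}'))
```

Two behaviours are worth noticing when choosing the settings. With Token validation set to Connected, a revoked token whose introspection body says active: false is still accepted because the provider answered 200, which is why Active is the default. With a Time to live cache, a revocation at the provider is not seen by the gateway until the cached decision expires, so the 900-second default is a trade-off between provider load and revocation latency; the Protocol option lets the provider shorten that window itself through cache-control.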