OAuth protocol support

The DataPower® Gateway supports the IETF Open Authorization (OAuth) 2.0 protocol. Using the OAuth protocol decreases the need to share your credentials with third parties. When implemented, the third party can access your resources on your behalf.

When you configure the DataPower Gateway to support the OAuth protocol, define the following behavior.
  • What grant types the OAuth client supports.
  • What role the OAuth client is acting as.

For information about the OAuth 2.0 protocol, see draft 2-31 of the OAuth 2.0 Authorization Framework IETF specification.

Tip

When you use the OAuth protocol, remember the following details.
  • In OAuth processing, the actor that submits the request is either the resource owner or the OAuth client.
  • When you define an OAuth client profile for DataPower integration, the configured name is the client ID. In the specification, the client ID is client_id.
  • Defining an OAuth client profile with the client_id is equivalent to registering an OAuth client with the DataPower Gateway.
  • The OAuth client profiles in an OAuth client group are the OAuth clients that the DataPower Gateway accepts requests from. The client group is part of the AAA policy configuration.
  • The DataPower Gateway is not the OAuth client. The DataPower Gateway serves one of the following roles.
    • The role of authorization server endpoints: authorization endpoint and token endpoint
    • The role of the enforcement point for a resource server
    • The roles of authorization server endpoints and the enforcement point

    The role of the DataPower Gateway is based on the configuration of the OAuth client profiles.

To use the OAuth protocol, you must configure an AAA policy. The AAA policy must be defined in a processing rule of one of two services: Web Token Service or Multi-Protocol Gateway. After successfully generating an access token, processing returns a node set that becomes part of the JSON object that contains the access token and optionally a refresh token.

  • When configured through a Web Token Service, the service supports the following role.
    • Authorization server endpoints
  • When configured through a Multi-Protocol Gateway, the service supports the following roles.
    • Authorization server endpoints
    • Enforcement point for resource servers
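The two checks described above, that a request comes from a client_id registered in the client group and that the client profile allows the requested grant type, followed by the JSON token object with its optional refresh token, as an added illustrative model. This is constructed example code, not DataPower's configuration objects or implementation; the `ClientProfile`, `ClientGroup` and `issue_token` names are assumptions made for the example.

```python
import json
import secrets
from dataclasses import dataclass, field


# Constructed model for illustration; these are not DataPower configuration
# objects or APIs. A client profile is named by its client_id and lists the
# grant types that client is allowed to use.
@dataclass(frozen=True)
class ClientProfile:
    client_id: str
    grant_types: frozenset


# A client group is the set of registered profiles the gateway accepts
# token requests from; any other client_id is rejected.
@dataclass
class ClientGroup:
    profiles: dict = field(default_factory=dict)

    def register(self, profile: ClientProfile) -> None:
        self.profiles[profile.client_id] = profile


def issue_token(group: ClientGroup, request: dict, with_refresh: bool = False) -> dict:
    """Token endpoint decision: check the client against the group and the
    grant type against its profile, then build the token object."""
    profile = group.profiles.get(request.get("client_id"))
    if profile is None:
        return {"error": "invalid_client"}       # RFC 6749 error code
    if request.get("grant_type") not in profile.grant_types:
        return {"error": "unauthorized_client"}  # grant not allowed for this client
    token = {
        "access_token": secrets.token_urlsafe(32),
        "token_type": "bearer",
        "expires_in": 3600,
    }
    if with_refresh:  # the refresh token is optional in the response
        token["refresh_token"] = secrets.token_urlsafe(32)
    return token


def token_response_json(group: ClientGroup, request: dict, with_refresh: bool = False) -> str:
    """Serialize the decision as the JSON object the client receives."""
    return json.dumps(issue_token(group, request, with_refresh))


if __name__ == "__main__":
    group = ClientGroup()
    group.register(ClientProfile("web-portal", frozenset({"authorization_code", "refresh_token"})))
    print(token_response_json(group, {"client_id": "web-portal", "grant_type": "authorization_code"}, True))
    print(token_response_json(group, {"client_id": "unknown-app", "grant_type": "authorization_code"}))
```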