Sample OAuth flow
The OAuth authentication supported by Security Verify Access is OAuth version 2.0. The
method of providing the access token is through an HTTP header named
Authorization. Other forms of providing the access token are not supported.
Here is a typical workflow to make use of OAuth authentication.
- Acquire an access token from the OAuth server.
Using curl, this could be accomplished as follows:
curl -k -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" -d "grant_type=client_credentials&client_id=<CLIENT_ID>&client_secret=<CLIENT_SECRET>&redirect_uri=" https://<WEBSEAL_SERVER>/mga/sps/oauth/oauth20/token
Where:
- CLIENT_ID is the client ID that is created in the API Protection portion of the appliance LMI.
- CLIENT_SECRET is the secret associated with the client created in the API Protection portion of the appliance LMI.
The curl call above would return output resembling the following result:
{"expires_in":3599,"access_token":"iCIFH6k7KUq0oP55ZZFd", "token_type":"bearer","scope":""}
Note that the returned result contains the access_token and its value, which is obtained from the OAuth server.
- Access an API-protected resource.
Using curl, this could be accomplished as follows:
curl -k -c auth.txt -H "Authorization: Bearer iCIFH6k7KUq0oP55ZZFd" https://<WEBSEAL_SERVER>/<API_protected resource>
Notice the HTTP header provided, named Authorization. The value of this header is the key word Bearer followed by the access_token that was obtained in Step 1. This access token is fed to the OAuth server and will allow the HTTP request to be satisfied for the API-protected resource.
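The two steps above as a scripted client, given as an added example that is not part of the product documentation. The function names, the 60-second refresh margin and the header-safety check are assumptions of this example; the request fields and the sample response are the ones shown above.

```python
import json
import time
import urllib.parse
import urllib.request

# Token endpoint reply shown on the page, reused here as offline sample input.
SAMPLE_TOKEN_RESPONSE = ('{"expires_in":3599,"access_token":"iCIFH6k7KUq0oP55ZZFd",'
                         ' "token_type":"bearer","scope":""}')


def build_token_request(token_url, client_id, client_secret):
    """Step 1: client_credentials POST; urlencode escapes '&' or '=' in the secret."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "redirect_uri": "",
    }).encode("ascii")
    return urllib.request.Request(
        token_url, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded;charset=UTF-8"})


def parse_token_response(raw, now=None):
    """Validate the token endpoint JSON; return (access_token, expiry as epoch seconds)."""
    data = json.loads(raw)
    if not isinstance(data, dict):
        raise ValueError("token response is not a JSON object")
    token = data.get("access_token")
    if not isinstance(token, str) or not token:
        raise ValueError("token response has no access_token")
    if str(data.get("token_type", "")).lower() != "bearer":
        raise ValueError("unexpected token_type")
    # Only visible ASCII may go into a header value: blocks CR/LF header injection.
    if any(not 0x21 <= ord(c) <= 0x7E for c in token):
        raise ValueError("access_token contains characters unsafe for a header")
    now = time.time() if now is None else now
    return token, now + int(data.get("expires_in", 0))


def build_resource_request(resource_url, token):
    """Step 2: present the token only in the Authorization header."""
    return urllib.request.Request(
        resource_url, headers={"Authorization": "Bearer " + token})


def needs_refresh(expires_at, now=None, skew=60):
    """True when the token is expired or within `skew` seconds of expiring."""
    return (time.time() if now is None else now) >= expires_at - skew
```

Each Request is sent with urllib.request.urlopen(), which verifies the server certificate by default, unlike the curl -k invocations above.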