Securing API using OAuth2 Authentication with refresh token

About this task

When you use the authorization code grant type to get an access token, the resource owner must grant permission at least the first time. On subsequent attempts to get an access token, if you do not want to ask the resource owner for permission again, you can use the refresh token. This use case explains how to secure the API using the OAuth2 authentication strategy and describes the refresh token workflow in detail.

This use case explains how to secure the API using the OAuth2 authentication strategy with the authorization_code and refresh_token grant types.

Procedure

  1. Create an API. For details about creating an API, see Define and manage APIs.
  2. Enable the OAuth2 token identification type in the Identify & Authorize policy. For details about the Identify & Authorize policy, see Identify and Authorize.
  3. Create an OAuth scope in the local authorization server.
  4. Map the OAuth scope to the API scope. For details about mapping OAuth scopes, see Mapping OAuth or OpenID scopes.
  5. Create an application with the OAuth2 authentication strategy.
    1. Create a new application.

      For details about creating an application, see Creating an application.

    2. Associate the application with the API that you have created.
    3. Click the Authentication tab to create a strategy with OAuth2 authentication.
    4. Select OAUTH2 as the Authentication scheme.
    5. Specify local as the Authentication server.
    6. Enable the Generate credentials toggle button to create the client dynamically in the authorization server, and provide the following information.
      1. Select Confidential as the Application Type. A confidential client is an application that can keep its client password secret from everyone else. The authorization server assigns this client password to the client application, and the client presents it to the authorization server to prove its identity, so that no other party can impersonate it. An example of a confidential client is a web application whose server only the administrator can access, so only the administrator can see the client password.
      2. Select the application profile from the Application profile menu, for example, web.
      3. In the Token lifetime (seconds) field, specify the duration in seconds for which the access token is active.
      4. In the Token refresh limit field, specify the number of times the refresh token can be used to get a new access token.
        Note: To allow the refresh token to be used an unlimited number of times, specify the limit as -1.
      5. Specify the URIs to which the authorization server can redirect the resource owner's browser during the grant process. You can add multiple URIs by clicking +Add.
      6. Specify the grant types used to generate the credentials. For this use case, select authorization_code, client_credentials, and refresh_token; the list of grant types is populated dynamically from the authorization server.
        Note: Make sure you select the refresh_token grant type if you want to receive refresh tokens.
      7. Select the scopes to map to the authentication strategy.
      8. Click Add to save the strategy.
      9. Click Save to save the application.
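To show how the Token lifetime, Token refresh limit (including the -1 unlimited setting) and confidential-client password from the steps above play together in the refresh_token grant, here is an added example that models the local authorization server's token endpoint in Python. It is not the product's code: the class, its method names, the clock injection and the choice to reuse rather than rotate the refresh token are all assumptions made for the illustration.

```python
import secrets


class LocalAuthServer:
    """Constructed model of the local authorization server's token endpoint.
    token_lifetime: seconds an access token stays active ("Token lifetime").
    refresh_limit: uses allowed per refresh token ("Token refresh limit"); -1 means unlimited."""

    def __init__(self, clients, token_lifetime, refresh_limit, clock):
        self.clients = clients          # client_id -> client secret (the "client password")
        self.token_lifetime = token_lifetime
        self.refresh_limit = refresh_limit
        self.clock = clock              # injected so expiry can be tested deterministically
        self.access = {}                # access_token -> {"scope", "expires_at"}
        self.refresh = {}               # refresh_token -> {"client_id", "scope", "uses_left"}
    def _authenticate(self, client_id, client_secret):
        # Confidential client: the secret must match before any token is issued.
        expected = self.clients.get(client_id)
        return expected is not None and secrets.compare_digest(expected, client_secret)
    def _new_access(self, scope):
        token = secrets.token_urlsafe(24)
        self.access[token] = {"scope": scope, "expires_at": self.clock() + self.token_lifetime}
        return token

    def issue_tokens(self, client_id, client_secret, scope):
        # Last step of the authorization_code grant: the first access/refresh token pair.
        if not self._authenticate(client_id, client_secret):
            return {"error": "invalid_client"}
        refresh = secrets.token_urlsafe(24)
        self.refresh[refresh] = {"client_id": client_id, "scope": scope, "uses_left": self.refresh_limit}
        return {"access_token": self._new_access(scope), "refresh_token": refresh,
                "expires_in": self.token_lifetime}

    def refresh_grant(self, client_id, client_secret, refresh_token):
        # grant_type=refresh_token: a new access token without asking the resource owner again.
        if not self._authenticate(client_id, client_secret):
            return {"error": "invalid_client"}
        rec = self.refresh.get(refresh_token)
        if rec is None or rec["client_id"] != client_id:
            return {"error": "invalid_grant"}        # unknown token, or not this client's token
        if rec["uses_left"] == 0:
            del self.refresh[refresh_token]           # limit exhausted: owner must grant again
            return {"error": "invalid_grant"}
        if rec["uses_left"] > 0:                      # -1 is unlimited, so it is never decremented
            rec["uses_left"] -= 1
        return {"access_token": self._new_access(rec["scope"]), "expires_in": self.token_lifetime}
    def is_active(self, access_token):
        # What the Identify & Authorize policy needs to know: token exists and has not expired.
        rec = self.access.get(access_token)
        return rec is not None and self.clock() < rec["expires_at"]
```

With a refresh limit of 2, the third refresh attempt fails and the refresh token is discarded, which is the point at which the resource owner has to go through the authorization code grant again.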