Configuring a third-party OAuth provider

Enter the secure endpoints to provide OAuth authentication from a third party.

About this task

One of the following roles is required to configure OAuth Providers:

  • Organization Administrator
  • Owner
  • Custom role with the Settings > Manage permissions

Procedure

  1. In the API Manager, click Resources.
  2. Select OAuth Providers > Add > Third party OAuth Provider.
    1. Complete the following parameters for the first screen and click Next.
      Title
        Enter a descriptive title for the gateway service. This title is displayed on the screen.
      Name
        This field is auto-populated by the system and used as the internal field name.
      Supported grant types
        Select from the following options:
        • Implicit: An access token is returned immediately without an extra authorization code exchange step.
        • Application: Application to application. Corresponds to the OAuth grant type Client Credentials. Does not require User Security.
        • Access code: An authorization code is extracted from a URL and exchanged for an access token. Corresponds to the OAuth grant type Authorization Code.
        • Resource owner - Password: The user's username and password are exchanged directly for an access token, so this grant can only be used by first-party clients.
        • Resource owner - JWT (DataPower API Gateway only): A JSON Web Token (JWT) bearer token is used as a means for requesting an OAuth 2.0 access token, and for client authentication, as defined by the JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants.
        Note: To use the Resource owner - JWT option, complete the following steps:
        1. In the Supported grant types field, select both Resource owner - Password and Resource owner - JWT.
        2. Edit the API definition and add a security scheme that specifies oauth2 as the security definition type, and select Resource owner - Password as the flow type.

          For instructions on defining an OAuth2 security scheme for an API, see Defining OAuth2 security scheme components (OpenAPI 3) or Defining OAuth2 security schemes (OpenAPI 2).

      Gateway type
        Select the gateway type, either DataPower® Gateway (v5 compatible) or DataPower API Gateway.

        For information about types of gateways, see API Connect gateway types. An OAuth provider applies to one gateway type only.

    2. Specify configuration settings for the endpoints, and then click Next.
      Authorization URL
        The authorization URL where the resource owner grants the client application authorization to access a protected resource. Example: https://example.com/oauth2/authorize
      Token URL
        The token request URL where the client application exchanges an authorization grant for an access token. Example: https://example.com/oauth2/token
      Introspect URL
        The introspection URL where the API gateway validates the access tokens that are issued by the third-party provider. Example: https://example.com/oauth2/introspect
        For more information on integrating third-party OAuth providers for introspection, see OAuth introspection for third-party OAuth providers.
      Introspect cache type (DataPower API Gateway only)
        The cache type determines how long responses from the third-party provider are cached, if at all. Select one of the following options:
        • No cache (default): Responses are not cached.
        • Protocol: The cache lifetime is defined by the Cache-Control header in the provider response.
        • Time to live: Defined by the provider configuration (see Cache Time to Live).
      Cache Time to Live (DataPower API Gateway only)
        The length of time, in seconds, for which provider responses are cached when the Introspect cache type is set to Time to live. The default value is 900.
      TLS Profile (optional)
        Select an optional TLS profile for communicating with the third-party provider.
      Security
        The default is Basic Authentication.
      Basic authentication request header name
        The x-introspect-basic-authorization-header is available to provide a user-configured HTTP Basic authorization header.
      Basic authentication username (optional) (DataPower API Gateway only)
        The default user name for HTTP Basic authentication.
      Basic authentication password (optional) (DataPower API Gateway only)
        The default password for HTTP Basic authentication.
      Token validation (DataPower API Gateway only)
        Specifies the method used to determine whether the introspection request sent to the third-party service to validate the provided token succeeded. Select one of the following options:
        • Connected: The query is successful if the HTTP status code is 200.
        • Active (default): The query is successful if the HTTP status code is 200 and the JSON response body includes the property active: true.
      Custom header pattern (optional) (DataPower API Gateway only)
        A regular expression for request headers that are to be passed to the third-party provider; for example, x-Introspect-*.
      Authorization header pass through (DataPower API Gateway only)
        Select this check box if you want to retain the Authorization header for a bearer token. The default behavior is to remove this header.
    3. Enter the scopes in the third screen. A scope becomes an option in the request and response for an access token. Click Add to add additional fields for scopes. Click Next when done.
      sample_scope_1
        Scope for token
      sample_scope_2
        Scope for token
      additional scopes
        Scope for token
    4. Review the settings on the Summary panel.
  3. Click Save and Edit to complete the configuration.
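As an added illustration (not code from the API Connect documentation or the DataPower gateway), the following Python models how the Token validation, Introspect cache type, and Basic authentication settings from step 2 decide whether an introspection response is trusted, how long it may be cached, and which Authorization value is sent to the provider. The sample responses, the Cache-Control parsing, and the function names are constructed assumptions.

```python
import base64
import json
import re

# Constructed sample introspection responses (status, headers, body); not real data.
SAMPLE_ACTIVE = (200, {"Cache-Control": "private, max-age=120"}, '{"active": true}')
SAMPLE_INACTIVE = (200, {"Cache-Control": "no-store"}, '{"active": false}')
SAMPLE_REJECTED = (401, {}, '{"error": "invalid_client"}')


def token_valid(status, body, mode="Active"):
    """Token validation setting: 'Connected' accepts any HTTP 200; 'Active'
    (the default) also requires a JSON body containing active == true."""
    if status != 200:
        return False
    if mode == "Connected":
        return True
    try:
        doc = json.loads(body)
    except ValueError:
        return False
    return isinstance(doc, dict) and doc.get("active") is True


def cache_seconds(cache_type, headers, ttl=900):
    """Introspect cache type setting: seconds a response may be reused (0 = do
    not cache). 'Protocol' reads Cache-Control; 'Time to live' uses ttl."""
    if cache_type == "No cache":
        return 0
    if cache_type == "Time to live":
        return ttl
    if cache_type == "Protocol":
        cc = headers.get("Cache-Control", "")
        if re.search(r"\bno-(store|cache)\b", cc):
            return 0
        m = re.search(r"\bmax-age=(\d+)", cc)
        return int(m.group(1)) if m else 0
    raise ValueError(f"unknown cache type: {cache_type}")


def introspect_auth_header(request_headers, username=None, password=None):
    """Authorization value for the introspection call: a caller-supplied
    x-introspect-basic-authorization-header wins, else default Basic creds."""
    lowered = {k.lower(): v for k, v in request_headers.items()}
    supplied = lowered.get("x-introspect-basic-authorization-header")
    if supplied:
        return supplied
    if username and password:
        creds = base64.b64encode(f"{username}:{password}".encode()).decode()
        return f"Basic {creds}"
    return None
```

Note that under Connected mode an HTTP 200 with active: false is still treated as success, which is why Active is the safer default when the provider follows RFC 7662 semantics.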