December 5th, 2011

OAuth 2.0 with Layer 7 Gateways, Tutorial 2: The Authorization Code Grant Type

Last week, I introduced my new series of video tutorials designed to demonstrate how Layer 7 Gateways can be used to implement OAuth. For the second tutorial in the series, I tackle how the authorization code grant type is used and how it can be adapted to suit your own requirements.

To give you a general idea of what we’re dealing with in this tutorial, here’s a quick overview of how the authorization code grant type works:

  • The resource owner is redirected by the client application to the OAuth authorization server, to express authorization (authorization endpoint)
  • The OAuth authorization server redirects the resource owner back to the client application, along with an authorization code
  • The client application presents this code to the OAuth authorization server (token endpoint), along with its credentials, and gets an OAuth access token
  • The client uses the access token to call the service on behalf of the resource owner (optionally the client can use a refresh token to extend the session)
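The four steps above, as an added example in Python (not code from the tutorial video or from Layer 7's products): a minimal in-memory authorization server and client. The client registration, URLs and function names are constructed for illustration, and the single-use code, the redirect URI binding and the `state` check go beyond the overview and follow RFC 6749.

```python
import secrets
import time
from urllib.parse import urlencode, urlparse, parse_qs
# Constructed sample client registration (hypothetical values).
CLIENTS = {"demo-client": {"secret": "demo-secret",
                           "redirect_uri": "https://client.example/cb"}}
CODES = {}    # authorization code -> grant details
TOKENS = {}   # access token -> resource owner

def authorization_endpoint(client_id, redirect_uri, state, resource_owner):
    """Steps 1-2: owner approves; server redirects back with a code."""
    client = CLIENTS.get(client_id)
    if client is None or redirect_uri != client["redirect_uri"]:
        raise ValueError("unknown client or unregistered redirect_uri")
    code = secrets.token_urlsafe(16)
    CODES[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                   "owner": resource_owner, "expires": time.time() + 60}
    return redirect_uri + "?" + urlencode({"code": code, "state": state})

def token_endpoint(client_id, client_secret, code, redirect_uri):
    """Step 3: client presents code plus its credentials, gets a token."""
    client = CLIENTS.get(client_id)
    if client is None or not secrets.compare_digest(client["secret"], client_secret):
        raise PermissionError("invalid_client")
    grant = CODES.pop(code, None)          # pop: a code is usable only once
    if (grant is None or grant["client_id"] != client_id
            or grant["redirect_uri"] != redirect_uri
            or grant["expires"] < time.time()):
        raise PermissionError("invalid_grant")
    token = secrets.token_urlsafe(24)
    TOKENS[token] = grant["owner"]
    return {"access_token": token, "token_type": "bearer"}

def protected_service(access_token):
    """Step 4: the service resolves the token to the resource owner."""
    if access_token not in TOKENS:
        raise PermissionError("invalid_token")
    return "data for " + TOKENS[access_token]

def run_flow(owner="alice"):
    """Client side of the flow; returns (service response, used code)."""
    state = secrets.token_urlsafe(8)
    cb = authorization_endpoint("demo-client", "https://client.example/cb", state, owner)
    params = parse_qs(urlparse(cb).query)
    if params["state"][0] != state:        # reject callbacks we did not start
        raise ValueError("state mismatch")
    code = params["code"][0]
    tok = token_endpoint("demo-client", "demo-secret", code, "https://client.example/cb")
    return protected_service(tok["access_token"]), code
```

Calling `run_flow()` walks the whole exchange; presenting the returned code to `token_endpoint` a second time is refused with `invalid_grant`.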

For more information on the workings of the authorization code grant type, watch my tutorial video below. Next week, we’ll be looking at the implicit grant type. In the meantime, for broader insight into how Layer 7’s SecureSpan and CloudSpan Gateways enable OAuth, read up on the Layer 7 OAuth Toolkit.

Tutorial 2: The Authorization Code Grant Type

December 2nd, 2011

FROM THE VAULT: Webinar – Managing API Security in SaaS & Cloud presented with the Cloud Security Alliance

This week’s dip into the Layer 7 archive provides real-world advice on how providers of Cloud services can securely expose their APIs to third-party developers. Featuring input from eBay Chief Security Strategist Liam Lynch, Managing API Security in SaaS & Cloud will definitely be of interest to anyone who enjoyed our recent Webinar with Best Buy and Amazon Web Services.

For Cloud providers, API publishing has become critical to enabling integration with enterprise systems, sharing information across affiliate Web sites and providing mobile access to services. Of course, Cloud computing and API publishing create all sorts of new security concerns, which is where secure integration providers like Layer 7 come in.

This webinar was co-presented with our friends at the Cloud Security Alliance, but it’s about more than just security. A truly safe and secure API publishing program will have to tackle the full range of API management concerns. Specifically, Cloud API publishers need ways to address versioning and to meter consumption without burdening either developers or consumers.

To find out more, you can read about the webinar on the Layer 7 Web site or simply watch the recording in the player below.