December 5th, 2011

OAuth 2.0 with Layer 7 Gateways, Tutorial 2: The Authorization Code Grant Type

Last week, I introduced my new series of video tutorials designed to demonstrate how Layer 7 Gateways can be used to implement OAuth. For the second tutorial in the series, I tackle how the authorization code grant type is used and how it can be adapted to suit your own requirements.

To give you a general idea of what we’re dealing with in this tutorial, here’s a quick overview of how the authorization code grant type works:

  • The resource owner is redirected by the client application to the OAuth authorization server, to express authorization (authorization endpoint)
  • The OAuth authorization server redirects the resource owner back to the client application, along with an authorization code
  • The client application presents this code to the OAuth authorization server (token endpoint), along with its credentials, and gets an OAuth access token
  • The client uses the access token to call the service on behalf of the resource owner (optionally the client can use a refresh token to extend the session)
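The four steps above, as an added example that is not taken from the Layer 7 toolkit: an in-memory Python simulation of both sides of the exchange, with no HTTP involved. The client ID, secret, URLs and all class and function names are constructed assumptions; the checks shown (registered redirect URI, client authentication, single-use code, `state` comparison) are the ones the flow depends on.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed sample registration (assumption, not from the toolkit).
CLIENTS = {"demo-client": {"secret": "demo-secret", "redirect_uri": "https://client.example/cb"}}
AUTHZ_ENDPOINT = "https://as.example/authorize"

class AuthorizationServer:
    def __init__(self):
        self.codes = {}    # code -> (client_id, redirect_uri, owner)
        self.tokens = {}   # access token -> owner

    def authorize(self, url, owner):
        """Authorization endpoint: owner consents, server redirects back with a code."""
        q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
        client = CLIENTS.get(q.get("client_id"))
        if client is None or q.get("redirect_uri") != client["redirect_uri"]:
            raise ValueError("unknown client or unregistered redirect_uri")
        if q.get("response_type") != "code":
            raise ValueError("unsupported_response_type")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (q["client_id"], q["redirect_uri"], owner)
        return q["redirect_uri"] + "?" + urlencode({"code": code, "state": q.get("state", "")})

    def token(self, client_id, client_secret, code, redirect_uri):
        """Token endpoint: authenticate the client, redeem the code exactly once."""
        client = CLIENTS.get(client_id)
        if client is None or not secrets.compare_digest(client["secret"], client_secret):
            raise PermissionError("invalid_client")
        issued = self.codes.pop(code, None)   # pop makes the code single-use
        if issued is None or issued[:2] != (client_id, redirect_uri):
            raise PermissionError("invalid_grant")
        access = secrets.token_urlsafe(24)
        self.tokens[access] = issued[2]
        return {"access_token": access, "token_type": "bearer"}

def run_flow(server, owner="alice"):
    """Client side of the four steps; returns (owner the token maps to, code used)."""
    state = secrets.token_urlsafe(8)   # ties the redirect back to this request
    params = {"response_type": "code", "client_id": "demo-client",
              "redirect_uri": CLIENTS["demo-client"]["redirect_uri"], "state": state}
    back = server.authorize(AUTHZ_ENDPOINT + "?" + urlencode(params), owner)
    q = parse_qs(urlparse(back).query)
    if q["state"][0] != state:
        raise ValueError("state mismatch, discard the response")
    code = q["code"][0]
    tok = server.token("demo-client", "demo-secret", code, params["redirect_uri"])
    return server.tokens[tok["access_token"]], code   # step 4: token resolves to owner
```

Presenting the same code to `token()` a second time fails with `invalid_grant`, because the code is removed from the server's store when it is first redeemed.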

For more information on the workings of the authorization code grant type, watch my tutorial video below. Next week, we’ll be looking at the implicit grant type. In the meantime, for broader insight into how Layer 7’s SecureSpan and CloudSpan Gateways enable OAuth, read up on the Layer 7 OAuth Toolkit.

Tutorial 2: The Authorization Code Grant Type

November 28th, 2011

New Tutorial Series: OAuth 2.0 with Layer 7 Gateways

OAuth is fast becoming the most widely recognized standard for access control with REST and Web APIs. And OAuth 2.0 – the latest version of the protocol – is impressively rich, with many grant types addressing many use cases (two-legged, three-legged, with or without redirection, etc.).

I recently launched a series of video tutorials in which I provide practical instructions on using OAuth with Layer 7’s SecureSpan and CloudSpan Gateways. Layer 7’s OAuth 2.0 template implementation provides a standard-compliant OAuth solution to which you integrate your API, identity providers, API keys and so forth.

The Layer 7 OAuth Toolkit also includes client applications for testing each grant type defined by the specification. This is very similar to what Google provides with the Google OAuth Playground. You can test the OAuth handshake and test calling an API using the access token provided by the handshake. You can also test token revocation and token refresh.

Embedded below, the first tutorial in the series – Incorporate an Existing API & Identity Provider – shows how our template allows you to leverage existing resources in an OAuth deployment. Over the coming weeks, I’ll be posting all the tutorials in the series. In the meantime, for more information on how our Gateways enable OAuth, download the OAuth Toolkit data sheet.

OAuth 2.0 with Layer 7 Gateways, Tutorial 1: Incorporate an Existing API & Identity Provider