January 23rd, 2012

OAuth Tutorial: Modifying a Layer 7 OAuth 1.0a Implementation to Support Custom Requirements


[Video: Modifying OAuth for Custom Requirements]

Last week, I posted a video tutorial demonstrating how Layer 7’s OAuth Toolkit makes it possible to use a SecureSpan or CloudSpan Gateway as an OAuth 1.0/1.0a Server and Client. Today, I’m going to follow that up with a tutorial on how a Layer 7 OAuth implementation can be modified to support custom requirements.

The tutorial demonstrates this through the addition of a new parameter, which is extracted from transaction metadata and then used to tweak the implementation. Specifically, I create a policy in which the authorization token’s lifespan is shortened if the user comes in from the browser of a mobile device.

The scenarios I’ve presented in these tutorials represent the two biggest strengths of the OAuth Toolkit – adherence to the specification when you need it and flexibility when you need that. Our customers have taught us that every OAuth implementation is slightly different and our aim is to give them the tools they need to adapt.

January 16th, 2012

New OAuth Tutorial: Using Layer 7 as an OAuth 1.0/1.0a Server & Client


[Video: Using Layer 7 as an OAuth 1.0 Server]

From a technical perspective, rapid adoption of the OAuth standard has resulted in something of a moving target. As the specification evolves, one company may implement OAuth 1.0a, another 2.0, while a third might go with OAuth WRAP. In addition, vague requirements in the spec often result in incompatible implementations, even of the same version.

My colleague Francois Lascelles recently launched a series of tutorial videos demonstrating how Layer 7’s OAuth Toolkit allows enterprises to use OAuth 2.0 to create some really interesting, powerful interaction scenarios. However, the OAuth 2.0 specification isn’t 100% stable yet, so a real-world implementation must also be able to deal with 1.0a and OAuth WRAP.

For this reason, I’ve come up with a couple of additional tutorials that will demonstrate how our solution can be customized to meet changing requirements. My first tutorial, below, demonstrates a sample application using OAuth 1.0a, which exposes an interface that allows consuming applications to request access tokens and enables users to authorize those apps.

Watch this space for my second video, which will demonstrate how the OAuth Toolkit can be used to customize your implementation.

January 5th, 2012

OAuth 2.0 with Layer 7 Gateways, Tutorial 5: Leverage a CA SiteMinder Session in an OAuth 2.0 Handshake

[Video: OAuth Handshake with SiteMinder]

Late in 2011, we started a series of tutorials aimed at illustrating how Layer 7’s SecureSpan Gateways can be used to implement various aspects of the OAuth 2.0 specification as a means for controlling access to enterprise APIs. In this fifth OAuth-focused tutorial, we look at how you can integrate existing CA SiteMinder Single Sign-On (SSO) sessions as part of an OAuth handshake.

For situations where a service subscriber already has an SSO experience provided by CA SiteMinder, the SecureSpan Gateway can be leveraged to enable an application to consume the API on behalf of the subscriber, using OAuth. The objective is to maintain the end user’s SSO experience during the handshake while still complying with the OAuth 2.0 specification.

Tutorial 5: Leverage a CA SiteMinder Session in an OAuth 2.0 Handshake

December 5th, 2011

OAuth 2.0 with Layer 7 Gateways, Tutorial 2: The Authorization Code Grant Type

[Video: OAuth Tutorial 2]

Last week, I introduced my new series of video tutorials designed to demonstrate how Layer 7 Gateways can be used to implement OAuth. For the second tutorial in the series, I tackle how the authorization code grant type is used and how it can be adapted to suit your own requirements.

To give you a general idea of what we’re dealing with in this tutorial, here’s a quick overview of how the authorization code grant type works:

  • The resource owner is redirected by the client application to the OAuth authorization server, to express authorization (authorization endpoint)
  • The OAuth authorization server redirects the resource owner back to the client application, along with an authorization code
  • The client application presents this code to the OAuth authorization server (token endpoint), along with its credentials, and gets an OAuth access token
  • The client uses the access token to call the service on behalf of the resource owner (optionally the client can use a refresh token to extend the session)

For more information on the workings of the authorization code grant type, watch my tutorial video below. Next week, we’ll be looking at the implicit grant type. In the meantime, for broader insight into how Layer 7’s SecureSpan and CloudSpan Gateways enable OAuth, read up on the Layer 7 OAuth Toolkit.

Tutorial 2: The Authorization Code Grant Type

November 28th, 2011

New Tutorial Series: OAuth 2.0 with Layer 7 Gateways

[Video: Layer 7 OAuth Tutorial 1]

OAuth is fast becoming the most widely recognized standard for access control with REST and Web APIs. And OAuth 2.0 – the latest version of the protocol – is impressively rich, with many grant types addressing many use cases (two-legged, three-legged, with or without redirection etc).

I recently launched a series of video tutorials in which I provide practical instructions on using OAuth with Layer 7’s SecureSpan and CloudSpan Gateways. Layer 7’s OAuth 2.0 template implementation provides a standard-compliant OAuth solution to which you integrate your API, identity providers, API keys and so forth.

The Layer 7 OAuth Toolkit also includes client applications for testing each grant type defined by the specification. This is very similar to what Google provides with the Google OAuth Playground. You can test the OAuth handshake and test calling an API using the access token provided by the handshake. You can also test token revocation and token refresh.

Embedded below, the first tutorial in the series – Incorporate an Existing API & Identity Provider – shows how our template allows you to leverage existing resources in an OAuth deployment. Over the coming weeks I’ll be posting all the tutorials in the series. In the meantime, for more information on how our Gateways enable OAuth, download the OAuth Toolkit data sheet.

OAuth 2.0 with Layer 7 Gateways, Tutorial 1: Incorporate an Existing API & Identity Provider