OAuth2 with external OAuth2 / OpenID Providers using Membrane
To use the exact terms, Membrane API Gateway can act as an authorization proxy to the resource server.
The following steps are realised:
- The user starts the authorization process by requesting access to the secret resource.
- The client redirects the user to the authorization server to start the login procedure.
1 The user automatically calls the authorization endpoint ( through the redirect of the client ).
3. 2 The user authorizes with his/her credentials and accepts the information on the consent page.
- After successful authorization the user is redirected to the clients callback url which is called with, among other parameters, the access code.
- The client requests an access token in exchange for the access code.
- The authorization server answers with an access token and optionally an id token.
- The client requests userinfos with his access token.
- The authorization server answers with the information about the user.
- The client collects all OAuth2/OpenID-Connect data ( which can then be further prepared for the secret resource e.g. with a groovy interceptor ) and starts retrieving the secret resource.
- + 11. The resource is delivered to the user.