OAuth2 Password Grant for API Security
In the password flow a client authorizes the user with the authorization server. With the returned access token the owner can access the secured resource.
This flow is suitable in situations when there is a trust relationship between user and client.
Securing an API using OAuth2 and Membrane
You can secure your APIs with OAuth2 using Membrane API Gateway. This page describes how to use Membrane for Single Sign On ( SSO ) using RFC 6749. One Membrane installation can act as combined authentication and authorisation server. A second Membrane installation can act as a token validation server protecting the API server. Membrane contains everything you need for OAuth2. There is no need to modify the API server in order to protect it.
The figure shows an example setup to protect an API using OAuth2 and Membrane:
The following steps are realised:
- The user forwards his credentials ( username and password ) to the client/app.
- The client submits its client id and client secret together with the users credentials as a token request to the authorization server.
- The authorization server validates the request and responds with an access token.
- The client calls the API by appending the access token to the request.
- The token validator sends the access token to the authorization server.
- The authorization server validates the access token and responds with the validation result.
- + 8. + 9. Access is granted and the API is called.
One Membrane installation can be used as a combined authorization server and token validator. But you can also combine an authorization server from a different vendor with a Membrane token validator or vice versa.
- See the example in $MEMBRANE_HOME/examples/oauth2/api
- OAuth2 API Security example