Overview of OAuth 2.0 - Intergraph Smart API Manager - 2020 (4.0) - Help

Intergraph Smart API Manager Help


What is OAuth 2.0, exactly?

The OAuth 2.0 specification defines itself as a framework that "enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf."

In simplest terms, OAuth 2.0 defines how a client is authorized to call an API: how it obtains an access token, and how the API decides whether to honor it.

OAuth defines four roles involved in the flow of requesting, obtaining, and using an access token. Understanding the roles is key to understanding OAuth security.

  1. Resource Owner - An entity, usually a person called a user, capable of granting access to a protected resource.

    In this case, the resource owner is a person using your Smart Client.

    The resource owner is the starting point for authorization and must:

    • Be able to authenticate their identity with the Authorization Server based on credentials, such as a username and password. See the Authorization Server role below for more information.

    • Belong to a group in Smart API Manager authorized to access the Smart APIs that are called by the Smart Client.

      Smart API Manager controls access to Smart APIs at the group level. See Smart APIs and Groups for details on how to configure users and identities to access Smart API resources.

  2. Resource Server - The server hosting the protected resources, capable of accepting and responding to requests using access tokens.

    In this case, the resource server is a Smart API that your Smart Client calls.

  3. Client - An application requiring access to protected resources on behalf of the resource owner.

    In this case, the client is the Smart Client you are developing.

  4. Authorization Server - A server that issues access tokens to the client after successfully authenticating the resource owner.

    In this case, the authorization server is the Security Token Service (STS) included with Smart API Manager.

    An STS is an application or service that authenticates its callers and validates user identity against its own internal identity store or by delegating to another STS.

    Smart API Manager includes an STS based on IdentityServer3. It is discussed in more detail in IdentityServer3.
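To make the four roles concrete, here is an added toy model (example code, not Smart API Manager's or IdentityServer3's own) in which the STS authenticates the resource owner and issues a signed token, the Smart Client presents it, and the Smart API checks signature, expiry and group membership before answering. The user names, passwords, group names, API name, signing key and token format are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
import time

STS_SIGNING_KEY = b"constructed-demo-key"  # hypothetical STS key, not a real one
# Identity store and group memberships (constructed sample data).
USERS = {"alice": "correct horse", "bob": "hunter2"}
GROUPS = {"alice": {"plant-engineers"}, "bob": {"viewers"}}
# Which Smart API Manager group may call which Smart API (hypothetical names).
API_ACCESS = {"SmartPlantAPI": {"plant-engineers"}}

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _sign(body: str) -> str:
    return _b64(hmac.new(STS_SIGNING_KEY, body.encode(), hashlib.sha256).digest())

def issue_token(username, password, client_id, lifetime=300):
    """Authorization Server (STS): authenticate the resource owner, then issue a token."""
    stored = USERS.get(username, "")
    if not hmac.compare_digest(stored.encode(), password.encode()):
        return None  # authentication failed: no token
    payload = {"sub": username, "client_id": client_id,
               "groups": sorted(GROUPS.get(username, ())),
               "exp": int(time.time()) + lifetime}
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    return f"{body}.{_sign(body)}"

def call_api(api_name, token, now=None):
    """Resource Server (Smart API): accept only a valid, unexpired token whose
    subject belongs to a group authorized for this API. Returns an HTTP status."""
    try:
        body, sig = token.split(".")
    except (AttributeError, ValueError):
        return 401
    if not hmac.compare_digest(sig, _sign(body)):
        return 401  # forged or tampered token
    payload = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    if payload["exp"] < (now if now is not None else time.time()):
        return 401  # expired
    if not API_ACCESS.get(api_name, set()) & set(payload["groups"]):
        return 403  # authenticated, but not in an authorized group
    return 200

def smart_client_flow(username, password, api_name):
    """Client (Smart Client): get a token on the resource owner's behalf, then call the API."""
    token = issue_token(username, password, client_id="smart-client")
    return 401 if token is None else call_api(api_name, token)
```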