How to secure rest api by using Oauth 2.0

This topic contains 6 replies, has 4 voices, and was last updated by Peter Major 7 months, 1 week ago.

  • #15755
     datta 
    Participant

    Hi all,
    I am new to OAuth 2.0. Does anyone know how to secure a REST API by using OAuth 2.0?

    #15767
     Scott Heger 
    Participant

    Start by getting real familiar with the OAuth 2.0 specification. Read https://tools.ietf.org/html/rfc6749. That will give you a good understanding of the various flows that are available in OAuth, and you can decide which fits best for your application. Then you will need some libraries in your code that understand OAuth. Do a search on the web for OAuth libraries for the technology your API is written in. That should get you started.

    #15797
     datta 
    Participant

    I went through the documentation and got to know that OpenAM can be an OAuth 2.0 provider.

    Below is my approach

    1) Enable OAuth 2.0 under realm -> common tasks
    2) It creates the default policy under policies. I don’t know what I can do here.
    3) Register the clients under realm -> agents -> OAuth2.0/OpenID client.

    I am trying to secure a simple REST endpoint in a J2EE application (consider that my REST endpoint returns just hello world).

    So I think I need to call the OpenAM OAuth2 REST endpoints from the J2EE application to authorize and get the access token.

    So when I call the OpenAM OAuth endpoints, do I need to use the client secret and clientId of the client registered in OpenAM?

    Please confirm on above approach and guide me.

    Also please suggest any sample application or use case on this.

    #15802
     Peter Major 
    Moderator

    You could use OpenIG to protect your REST endpoints, that would be the “simplest” approach. If you don’t want a reverse proxy, then you need to make sure that your REST endpoints enforce the presence of OAuth2 access tokens, and those tokens are validated before carrying out any operations.
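
One way to do the resource-server check described above, as an added example (not code from this thread or from ForgeRock): a J2EE servlet filter that rejects any request without a Bearer token and validates the token against OpenAM's tokeninfo endpoint before the endpoint runs. The OpenAM host, the tokeninfo path and the required scope "hello" are assumptions.

```java
// Added example: enforce and validate OAuth2 Bearer tokens on a J2EE REST endpoint.
// Assumptions: OpenAM deployed at https://openam.example.com/openam, scope "hello".
import java.io.IOException;
import java.io.InputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.net.URLEncoder;
import javax.json.*;
import javax.servlet.*;
import javax.servlet.http.*;

public class OAuth2BearerFilter implements Filter {
    private static final String TOKENINFO = "https://openam.example.com/openam/oauth2/tokeninfo"; // assumed
    private static final String REQUIRED_SCOPE = "hello"; // assumed scope for the hello-world endpoint

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest r = (HttpServletRequest) req;
        HttpServletResponse w = (HttpServletResponse) res;
        String auth = r.getHeader("Authorization");
        // RFC 6750: the token must arrive as "Authorization: Bearer <token>"; anything else is rejected
        if (auth == null || !auth.regionMatches(true, 0, "Bearer ", 0, 7)) {
            reject(w, HttpServletResponse.SC_UNAUTHORIZED, "invalid_request");
            return;
        }
        JsonObject info = tokenInfo(auth.substring(7).trim());
        if (info == null) { reject(w, HttpServletResponse.SC_UNAUTHORIZED, "invalid_token"); return; }
        if (!hasScope(info, REQUIRED_SCOPE)) { reject(w, HttpServletResponse.SC_FORBIDDEN, "insufficient_scope"); return; }
        chain.doFilter(req, res); // token present, accepted by OpenAM and carrying the scope: run the endpoint
    }

    // Ask OpenAM about the token; null means OpenAM did not accept it (expired, revoked, unknown).
    private JsonObject tokenInfo(String token) throws IOException {
        URL url = new URL(TOKENINFO + "?access_token=" + URLEncoder.encode(token, "UTF-8"));
        HttpURLConnection c = (HttpURLConnection) url.openConnection();
        if (c.getResponseCode() != 200) return null;
        try (InputStream in = c.getInputStream()) { return Json.createReader(in).readObject(); }
    }

    // tokeninfo returns the granted scopes as a JSON array under "scope"
    private static boolean hasScope(JsonObject info, String scope) {
        JsonArray scopes = info.getJsonArray("scope");
        return scopes != null && scopes.getValuesAs(JsonString.class).stream().anyMatch(s -> s.getString().equals(scope));
    }

    private static void reject(HttpServletResponse w, int status, String error) throws IOException {
        w.setHeader("WWW-Authenticate", "Bearer error=\"" + error + "\"");
        w.sendError(status);
    }
}
```

Map the filter to the REST path in web.xml (or with @WebFilter) so every call passes through it; keep the tokeninfo call over HTTPS, since the access token travels in the query string.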

    #15811
     datta 
    Participant

    Thanks Peter.
    OpenAM is our existing IDP solution, so we would like to continue using OpenAM as the OAuth 2.0 provider. I think it is possible for our REST API to handle the token validation, and I think this is possible using the OAuth 2.0 module. Any more suggestions on the OpenAM OAuth 2.0 side will be helpful.

    #15812
     wshen 
    Participant

    @datta

    If your app uses the Spring framework, it is fairly easy to configure Spring Security to enable OAuth2 client functionality to handle OAuth2 token validation on REST endpoints.

    #15813
     Peter Major 
    Moderator

    OpenAM can remain your authorization server; OpenIG would only help with implementing the resource server side of things, really. The OAuth2 authentication module in OpenAM is really the resource server side. Carrying out an OAuth2 authentication against the same OpenAM server is quite pointless.
