Implementing OAuth using DataPower

By -

OAuth is becoming an increasingly important standard for authorizing limited access to applications and data. Unlike other standards, OAuth places the management of web delegation into the hands of the actual resource owners, meaning that it is the user who connects accounts between different web applications, without direct involvement needed by the security administrators on each respective site.

OAuth (Open Authorization) is an open standard for token-based authentication and approval on the Internet. The OAuth authorization framework allows a third-party application to get limited access to an HTTP service.

What Does OAuth Do?
OAuth is mainly a protocol that supports authorization workflows. This gives you a way to make sure that a particular user has permissions to do something.

For Consumer developers: – OAuth is a simple way to publish and interact with protected data. It is also a safer and more secure way for people to give you access.

For Service Provider developers: – If you are storing protected data on your users’ behalf, they should not be spreading their passwords around the web to get access to it. Use OAuth to give your users access to their data while protecting their account credentials.

How OAuth Works?
There are four separate modes of OAuth, which are called grant types. Each mode serves a different purpose and is used differently. Subject to what type of service you are building, you might need to use one or more of these grant types to make things work.

a) The Authorization Code Grant Type
The authorization code OAuth grant type is meant to be used on web servers. You might want to use the authorization code grant type if you are building a web application with server-side code that is NOT public. If you want to implement an OAuth flow in a server-side web framework like Express.js, Django, Flask, Ruby on Rails, an Authorization Code suits best.

b) The Implicit Grant Type
The implicit grant type is intended to be used for the client-side web which does not have a server-side component or any sort of mobile application that can use a mobile web browser.

c) The Password Credentials Grant Type
The password credentials grant type is intended to be used for first class web applications or mobile applications. This is suitable for official web and mobile apps for your project because you can simplify the authorization workflow by asking only for username and password, as opposed to redirecting them to your site, etc.

d) The Client Credentials Grant Type
The client credentials grant type is meant to be used for application code.
You might want to use the client credentials grant type if you are building an application that needs to perform non-user related tasks. For instance, you might want to update your application’s metadata — read in application metrics (how many users have logged into your service?) — etc.

When to Use OAuth?
You should only use OAuth if you essentially need it. If you are building a service where you need to use a user’s private data that is stored on another system use OAuth. If not you might want to reconsider your approach.

There are other forms of authentication for both websites and API services that does not require as much complexity, and can offer similar levels of protection in most cases.

DataPower’s support for OAuth
DataPower can act as an OAuth authorization service responding to authorization endpoint and token endpoint requests. It can act as an Enforcement Point (EP) for a resource server receiving OAuth 2.0 requests. It can integrate with IBM’s Tivoli Federated Identity Manager V6.2.2 or greater in this EP role. Interactions with Federated Identity Manager use the WS-Trust protocol for token verification. It supports bearer tokens with confidentiality and integrity support provided by the underlying secured transport (HTTPS).

DataPower can turn as an OAuth authorization service responding to authorization endpoint and token endpoint requests. Learn more about OAuth capabilities, visit for more information.

DataPower appliances support the IETF Open Authorization (OAuth) 2.0 protocol. Using the OAuth protocol decreases the need to share your credentials with third parties. When implemented, the third party can access your resources on your behalf.

DataPower Appliance Roles
The appliance serves one of the following roles:

  • The role of authorization server endpoints: authorization endpoint and token endpoint
  • The role of the enforcement point for a resource server
  • The roles of authorization server endpoints and the enforcement point

The role of the appliance is based on the configuration of OAuth client profiles

The OAuth client profiles in an OAuth client group are the OAuth clients that the DataPower appliance accepts requests from. The client group is part of the AAA policy configuration. To learn more about OAuth capabilities, visit