February 10, 2017 at 10:21 am #15755
I am new to OAuth 2.0. So does anyone know how to secure a REST API by using OAuth 2.0?

February 10, 2017 at 11:58 pm #15767
Scott Heger (Participant)
Start by getting real familiar with the OAuth 2.0 specification. Read https://tools.ietf.org/html/rfc6749. That will give you a good understanding of the various flows that are available in OAuth, and you can decide which fits best for your application. Then you will need some libraries in your code that understand OAuth. Do a search on the web for OAuth libraries for the technology your API is written in. That should get you started.

February 14, 2017 at 7:58 pm #15797
I went through the documentation and got to know that OpenAM can be an OAuth 2.0 provider.
Below is my approach:
1) Enable OAuth 2.0 under realm -> common tasks.
2) It creates the default policy under policies. Don't know what I can do here.
3) Register the clients under realm -> agents -> OAuth2.0/OpenID client.
I am trying to secure a simple REST endpoint in a J2EE application (consider that my REST endpoint returns just hello world).
So I think I need to call the OpenAM OAuth2 REST endpoints in the J2EE application to authorize and get the access token.
So when I call the OpenAM OAuth endpoints, do I need to use the client's (registered in OpenAM) secret code and client ID?
Please confirm the above approach and guide me.
Also please suggest any sample application or use case on this.

February 15, 2017 at 8:33 am #15802
Peter Major (Moderator)
You could use OpenIG to protect your REST endpoints; that would be the “simplest” approach. If you don’t want a reverse proxy, then you need to make sure that your REST endpoints enforce the presence of OAuth2 access tokens, and that those tokens are validated before carrying out any operations.

February 15, 2017 at 8:27 pm #15811
OpenAM is our existing IDP solution, so we would like to continue using OpenAM as the OAuth 2.0 provider. So I think it is possible for our REST API to handle the token validation, and I think this is possible using the OAuth 2.0 module. Any more suggestions on OpenAM OAuth 2.0 will be helpful.

February 15, 2017 at 9:29 pm #15812
wshen (Participant)
If your app uses the Spring framework, it is fairly easy to configure Spring Security to enable OAuth2 client functionality to handle OAuth2 token validation on REST endpoints.

February 15, 2017 at 9:34 pm #15813
Peter Major (Moderator)
OpenAM can remain your Authorization server; OpenIG would really only help with implementing the resource server side of things. The OAuth2 authentication module in OpenAM is really the resource server side. Carrying out an OAuth2 authentication against the same OpenAM server is quite pointless.
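The resource-server side that Peter describes (require an OAuth2 access token on every REST call and validate it before doing any work, with OpenAM staying the authorization server) can be implemented inside a J2EE application as a servlet filter. The following is an added example written for this thread; it is not code from the forum posts, from OpenAM or from OpenIG. It validates the bearer token by POSTing it to the authorization server's RFC 7662 token introspection endpoint, authenticating with the client ID and secret registered for the resource server, which is also where the client credentials from the earlier question come in. The introspection URL (the path differs between OpenAM versions), the client ID, the `RS_CLIENT_SECRET` environment variable, the `/api/*` mapping and the `hello:read` scope are all assumed placeholder values.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Base64;
import java.util.HashSet;
import java.util.Set;

import javax.json.Json;
import javax.json.JsonObject;
import javax.json.JsonReader;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Resource-server filter: every request under /api/* must carry an active bearer token. */
@WebFilter("/api/*")
public class BearerTokenFilter implements Filter {

    // Assumed values: the authorization server's RFC 7662 introspection endpoint and the
    // client registered in OpenAM for this resource server. Replace with your own.
    private static final String INTROSPECT_URL = "https://openam.example.com/openam/oauth2/introspect";
    private static final String CLIENT_ID = "my-resource-server";
    private static final String CLIENT_SECRET = System.getenv("RS_CLIENT_SECRET");
    private static final String REQUIRED_SCOPE = "hello:read";

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // 1. Enforce the presence of a bearer token.
        String token = extractBearerToken(request.getHeader("Authorization"));
        if (token == null) {
            reject(response, 401, "invalid_request", "Bearer token required");
            return;
        }
        // 2. Validate it at the authorization server before doing anything else.
        JsonObject info = introspect(token);
        if (info == null || !info.getBoolean("active", false)) {
            reject(response, 401, "invalid_token", "Token is not active");
            return;
        }
        // 3. Check that the token actually grants this endpoint's scope.
        if (!scopes(info.getString("scope", "")).contains(REQUIRED_SCOPE)) {
            reject(response, 403, "insufficient_scope", "Scope " + REQUIRED_SCOPE + " required");
            return;
        }
        // Pass the subject downstream so the endpoint knows who the caller is.
        request.setAttribute("oauth2.subject", info.getString("sub", ""));
        chain.doFilter(req, res);
    }

    /** Returns the token from "Authorization: Bearer <token>", or null if absent or malformed. */
    static String extractBearerToken(String header) {
        if (header == null) return null;
        String[] parts = header.trim().split("\\s+", 2);
        if (parts.length != 2 || !parts[0].equalsIgnoreCase("Bearer") || parts[1].isEmpty()) return null;
        return parts[1];
    }

    /** Splits the space-separated scope string from the introspection response. */
    static Set<String> scopes(String scope) {
        return new HashSet<>(Arrays.asList(scope.trim().split("\\s+")));
    }

    /** POSTs the token to the introspection endpoint, authenticating as the resource server's client. */
    private static JsonObject introspect(String token) throws IOException {
        HttpURLConnection conn = (HttpURLConnection) new URL(INTROSPECT_URL).openConnection();
        conn.setRequestMethod("POST");
        conn.setDoOutput(true);
        conn.setConnectTimeout(3000);
        conn.setReadTimeout(3000);
        String basic = Base64.getEncoder().encodeToString(
                (CLIENT_ID + ":" + CLIENT_SECRET).getBytes(StandardCharsets.UTF_8));
        conn.setRequestProperty("Authorization", "Basic " + basic);
        conn.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
        byte[] body = ("token=" + URLEncoder.encode(token, "UTF-8")).getBytes(StandardCharsets.UTF_8);
        try (OutputStream out = conn.getOutputStream()) { out.write(body); }
        if (conn.getResponseCode() != 200) return null; // fail closed on any upstream problem
        try (InputStream in = conn.getInputStream(); JsonReader reader = Json.createReader(in)) {
            return reader.readObject();
        }
    }

    /** Rejects with the RFC 6750 WWW-Authenticate challenge for the given error code. */
    private static void reject(HttpServletResponse response, int status, String error, String desc)
            throws IOException {
        response.setStatus(status);
        response.setHeader("WWW-Authenticate",
                "Bearer realm=\"api\", error=\"" + error + "\", error_description=\"" + desc + "\"");
        response.setContentType("application/json");
        response.getWriter().write("{\"error\":\"" + error + "\"}");
    }
}
```

The filter fails closed: any introspection failure (network error, non-200 response, `active: false`) results in a 401 rather than letting the request through, and scope is checked separately so an active token for a different API gets a 403. In a production deployment the introspection result is usually cached for a few seconds to avoid one round trip to OpenAM per request, and the secret is kept out of source as shown here.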