New Architecture of OAuth 2.0 and OpenID Connect Implementation

~Semi-Hosted Service Pattern~

1. Semi-Hosted Service Pattern


2. User Authentication


2.1. How to Push Out User Authentication?

Figure: Authorization Code Flow + Authlete

2.2. Other OAuth flows + Authlete

Figure: Implicit Flow + Authlete
Figure: Resource Owner Password Credentials Flow + Authlete
Figure: Client Credentials Flow + Authlete
Figure: Refresh Token Flow + Authlete

3. API Management

3.1. AWS API Gateway

Figure: Custom Authorizer, the mechanism that delegates validation of bearer tokens
Figure: Custom Authorizer using Authlete
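The delegation shown in the figures above, as an added example that is not code from the article or from Authlete: an AWS API Gateway TOKEN authorizer that pulls the bearer token out of the incoming Authorization header, hands it to an introspection call, and turns the verdict into an IAM policy. The introspection client is injected; the constructed `fake_introspect` stands in for a real call to Authlete's introspection API, whose response fields (`action`, `subject`, `scopes`, `responseContent`) are assumed here.

```python
# Constructed sample verdicts: what the injected introspection call is assumed
# to return for each token (modelled on Authlete's introspection response).
FAKE_INTROSPECTION = {
    "good-token": {"action": "OK", "subject": "user123", "scopes": ["photo"]},
    "expired-token": {"action": "UNAUTHORIZED",
                      "responseContent": 'Bearer error="invalid_token"'},
    "narrow-token": {"action": "FORBIDDEN",
                     "responseContent": 'Bearer error="insufficient_scope"'},
}


def fake_introspect(token, required_scopes):
    """Stand-in for the network call to the introspection endpoint (assumed API)."""
    return FAKE_INTROSPECTION.get(token, {"action": "BAD_REQUEST"})


def extract_bearer(header):
    """Return the token from 'Bearer <token>', or None for any other shape."""
    if not header:
        return None
    parts = header.split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "bearer":
        return None
    return parts[1].strip() or None


def build_policy(principal, effect, method_arn, context=None):
    """IAM policy document in the shape API Gateway expects from an authorizer."""
    return {
        "principalId": principal,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Action": "execute-api:Invoke",
                           "Effect": effect, "Resource": method_arn}],
        },
        # Values placed here reach the backend as $context.authorizer.*
        "context": context or {},
    }


def authorize(event, introspect, required_scopes=("photo",)):
    """TOKEN authorizer handler: event carries authorizationToken and methodArn."""
    arn = event["methodArn"]
    token = extract_bearer(event.get("authorizationToken"))
    if token is None:
        return build_policy("anonymous", "Deny", arn)
    result = introspect(token, list(required_scopes))
    if result.get("action") == "OK":
        ctx = {"scope": " ".join(result.get("scopes", []))}
        return build_policy(result["subject"], "Allow", arn, ctx)
    # Anything but OK is a Deny; the WWW-Authenticate hint is passed along.
    ctx = {"www_authenticate": result.get("responseContent", "")}
    return build_policy("anonymous", "Deny", arn, ctx)
```

A Deny policy yields a 403 from API Gateway; to get a 401 instead, the handler must raise an exception whose message is exactly "Unauthorized".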

3.2. IBM API Connect

curl -k -v \
-H "X-IBM-Client-Id: Client_ID" \
-H "Authorization: Bearer Access_Token" \
-X GET 'Operation_URL'

4. Login Session Management

5. Identity Management

5.1. Shared User Database

Figure: An authorization server tightly combined with identity management
Figure: Multiple services share one authorization server
Figure: Each service has its own authorization server but shares one user pool with the other services

5.2. Multiple Authorization Servers


6. Extensibility

6.1. Access Token Creation

$ curl \
--user 4593494640:BBw0rner_-y1A6J9s20wjRCpkBvez3GxEBoL9jOJVR0 \
https://api.authlete.com/api/auth/token/create \
-d grantType=AUTHORIZATION_CODE \
-d clientId=98282920604 \
-d subject=user123 \
-d scopes=photo

6.2. Extra Data of Access Token

{
"access_token":"2YotnFZFEjr1zCsicMWpAA",
"token_type":"example",
"expires_in":3600,
"refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA",
"example_parameter":"example_value"
}
$ curl \
--user 4593494640:BBw0rner_-y1A6J9s20wjRCpkBvez3GxEBoL9jOJVR0 \
https://api.authlete.com/api/auth/authorization/issue \
-H 'Content-Type:application/json' \
-d "{\"ticket\":\"xKdGvPyPkLJRkmP6MSAJ1wISBmdnSbPG8pFzgTdZh4U\",
\"subject\":\"user123\",
\"properties\":[
{\"key\":\"example_parameter\",
\"value\":\"example_value\"},
{\"key\":\"hidden_parameter\",
\"value\":\"hidden_value\",
\"hidden\":true}]}"

6.3. Operations on a User-Client Basis

6.4. Record of Granted Permissions

Summary

Co-founder and representative director of Authlete, Inc., working as a software engineer since 1997. https://www.authlete.com/
