New Architecture of OAuth 2.0 and OpenID Connect Implementation

~Semi-Hosted Service Pattern~

1. Semi-Hosted Service Pattern

2. User Authentication

2.1. How to Push Out User Authentication?

Authorization Code Flow + AUTHLETE

2.2. Other OAuth flows + Authlete

Implicit Flow + AUTHLETE
Resource Owner Password Credentials Flow + AUTHLETE
Client Credentials Flow + AUTHLETE
Refresh Token Flow + AUTHLETE

3. API Management

3.1. AWS API Gateway

Custom Authorizer: API Gateway mechanism to delegate validation of bearer tokens to a Lambda function, which answers with an IAM policy (Allow/Deny) for the requested method
Custom Authorizer using Authlete (the Lambda function validates the token against Authlete's introspection API)
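The following is an added example, not code from the deck or from Authlete: a minimal TOKEN-type custom authorizer for AWS API Gateway in Python. It extracts the bearer token, delegates validation to an introspection callback, checks the scope required for the requested route, and returns the policy document API Gateway expects. `fake_introspect`, `FAKE_TOKENS` and `SCOPE_BY_ROUTE` are constructed for the example; a real authorizer would instead POST the token to the authorization server's introspection endpoint and map that response to the `active`/`subject`/`scopes` shape used here.

```python
"""Added example: AWS API Gateway custom (Lambda) authorizer, type TOKEN.
The introspection callback and the route->scope table are constructed
stand-ins; in production the callback calls the authorization server."""
import re

# RFC 6750 b64token syntax; the scheme name is case-insensitive.
BEARER_RE = re.compile(r"^Bearer\s+([A-Za-z0-9\-._~+/]+=*)$", re.IGNORECASE)

# Constructed route -> required scope table (assumption for this example).
SCOPE_BY_ROUTE = {
    ("GET", "/photos"): "photo",
    ("POST", "/photos"): "photo",
}

# Constructed stand-in for the introspection endpoint's answers.
FAKE_TOKENS = {
    "tok-photo-ok": {"active": True, "subject": "user123", "scopes": ["photo"]},
    "tok-profile": {"active": True, "subject": "user456", "scopes": ["profile"]},
    "tok-expired": {"active": False},
}


def fake_introspect(token):
    """Return an RFC 7662 style result for a constructed token."""
    return FAKE_TOKENS.get(token, {"active": False})


def extract_bearer(header):
    """Return the token from an Authorization header value, or None if the
    scheme is not Bearer or the token is malformed."""
    if not header:
        return None
    m = BEARER_RE.match(header.strip())
    return m.group(1) if m else None


def route_of(method_arn):
    """Split a method ARN into (HTTP method, resource path).
    Format: arn:aws:execute-api:region:account:api-id/stage/METHOD/path"""
    parts = method_arn.split(":", 5)[5].split("/")
    return parts[2], "/" + "/".join(parts[3:])


def build_policy(principal_id, effect, method_arn, context=None):
    """Policy document in the shape API Gateway requires from an authorizer."""
    policy = {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{
                "Action": "execute-api:Invoke",
                "Effect": effect,
                "Resource": method_arn,
            }],
        },
    }
    if context:
        policy["context"] = context  # values must be string/number/boolean
    return policy


def authorize(event, introspect=fake_introspect):
    """Decide the request: 401 (raise), 403 (Deny policy) or Allow policy."""
    token = extract_bearer(event.get("authorizationToken"))
    method_arn = event["methodArn"]
    if token is None:
        # An error with message "Unauthorized" makes API Gateway answer 401.
        raise Exception("Unauthorized")
    result = introspect(token)
    if not result.get("active"):
        raise Exception("Unauthorized")
    needed = SCOPE_BY_ROUTE.get(route_of(method_arn))
    granted = result.get("scopes", [])
    # Fail closed: unmapped routes and missing scopes get an explicit Deny (403).
    if needed is None or needed not in granted:
        return build_policy(result["subject"], "Deny", method_arn)
    return build_policy(result["subject"], "Allow", method_arn,
                        {"scopes": " ".join(granted)})


def lambda_handler(event, context):
    return authorize(event)
```

Two behaviours are worth noting: a missing or inactive token is reported by raising `Unauthorized` (API Gateway turns that into 401), while a valid token lacking the scope for the route gets an explicit Deny policy (403), so the two cases stay distinguishable in access logs.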

3.2. IBM API Connect

# Invoke a protected operation through IBM API Connect; Client_ID, Access_Token
# and Operation_URL are placeholders. -k disables TLS certificate verification:
# acceptable only against a test gateway with a self-signed certificate, never in production.
curl -k -v \
-H "X-IBM-Client-Id: Client_ID" \
-H "Authorization: Bearer Access_Token" \
-X GET 'Operation_URL'

4. Login Session Management

5. Identity Management

5.1. Shared User Database

An authorization server tightly coupled with identity management (one service, one user database)
Multiple services share one authorization server
Each service has its own authorization server, but all of them share one user pool

5.2. Multiple Authorization Servers

6. Extensibility

6.1. Access Token Creation

# Create an access token directly through Authlete's API, without running an OAuth flow.
# --user carries the service API key and secret (sample values from the slide);
# the request URL is not shown on the slide.
$ curl \
--user 4593494640:BBw0rner_-y1A6J9s20wjRCpkBvez3GxEBoL9jOJVR0 \
-d clientId=98282920604 \
-d subject=user123 \
-d scopes=photo

6.2. Extra Data of Access Token

# Attach extra data to an access token; the ticket identifies the pending request
# returned by the earlier Authlete API call. The JSON body continues beyond what the slide shows.
$ curl \
--user 4593494640:BBw0rner_-y1A6J9s20wjRCpkBvez3GxEBoL9jOJVR0 \
-H 'Content-Type:application/json' \
-d "{\"ticket\":\"xKdGvPyPkLJRkmP6MSAJ1wISBmdnSbPG8pFzgTdZh4U\",

6.3. Operations on a User-Client Basis

6.4. Record of Granted Permissions


Co-founder and representative director of Authlete, Inc., working as a software engineer since 1997.