How OAuth API authorization works - Platform - BlueCat Gateway - 24.1

Gateway Administration Guide

Locale: English
Product name: BlueCat Gateway
Version: 24.1

OAuth is an authorization protocol that secures API endpoints used in machine-to-machine communication between API clients. Unlike SAML (Security Assertion Markup Language), which focuses on authenticating web clients, OAuth focuses on what an actor is allowed to access, not on who the actor is. To use single sign-on with Gateway, you must configure both SAML and OAuth.

The OAuth 2.0 specification includes four actors (the Resource Owner, the Client, the Authorization Server, and the Resource Server). In Gateway, these actors are:

  • Resource Owner: The user

  • Client: An application or script that needs access to the Address Manager API

  • Authorization Server: The Identity Provider (IdP)

  • Resource Server: The Address Manager API

The authorization server issues access tokens to the client; the client presents an access token to authenticate each request to an API endpoint. An authorization grant defines how the client obtains the access token. For more details on authorization grants, see The OAuth 2.0 Authorization Framework (RFC 6749) on the IETF website.

How OAuth works with BlueCat Gateway

As an API client, BlueCat Gateway obtains an access token with the Authorization Code grant. In this authorization grant, the user is authenticated through the user-agent (the user's browser) on a login page hosted by the authorization server.

The diagram below illustrates the Authorization Code Grant:

  1. The Client (BlueCat Gateway) redirects the user-agent to the Authorization Server (Identity Provider).
  2. The Authorization Server authenticates the user through the user-agent.
  3. If authentication of the user is successful and the user grants access to the requested resource, the Authorization Server returns an authorization code and redirects the user-agent back to the Client.
  4. The Client (BlueCat Gateway) requests an access token from the Authorization Server by presenting the authorization code.
  5. The Authorization Server authenticates the Client, validates the authorization code, and issues an access token.
  6. The Client (BlueCat Gateway) uses the access token to access the resource on the resource server.
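The six steps above, simulated as an added example that is not BlueCat's code and not how Gateway or any Identity Provider implements the grant: constructed in-memory stand-ins for the Authorization Server and the Gateway client exchange the messages of the flow, and the checks each side performs (registered redirect URI, single-use code bound to the client, client authentication, unguessable state) are shown inline. The client id, secret, redirect URI and state handling are assumptions; run_flow() returns the final token response, or None when a check fails.

```python
# Constructed in-memory simulation of the six-step Authorization Code grant
# above: a stand-in IdP and a stand-in Gateway client, no network, no real IdP.
import secrets

class AuthorizationServer:  # the Identity Provider
    def __init__(self, clients):
        self.clients = clients  # client_id -> (client_secret, registered redirect_uri)
        self.codes = {}         # code -> (client_id, redirect_uri); removed on first use
    def authorize(self, client_id, redirect_uri, state, user_authenticated):
        # Steps 2-3: a code is issued only to a registered client at its exact redirect URI
        _, registered_uri = self.clients.get(client_id, (None, None))
        if redirect_uri != registered_uri or not user_authenticated:
            return None
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, redirect_uri)
        return {"code": code, "state": state}  # state is echoed back unchanged
    def token(self, client_id, client_secret, code, redirect_uri):
        # Step 5: authenticate the client; accept the code once, only for its issuing client/URI
        secret, _ = self.clients.get(client_id, (None, None))
        if secret is None or not secrets.compare_digest(secret, client_secret):
            return None
        if self.codes.pop(code, None) != (client_id, redirect_uri):
            return None
        return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer"}

class GatewayClient:  # the API client (BlueCat Gateway in the page's terms)
    def __init__(self, idp, client_id, client_secret, redirect_uri):
        self.idp, self.client_id, self.client_secret = idp, client_id, client_secret
        self.redirect_uri, self.pending_states = redirect_uri, set()
    def start_login(self):
        # Step 1: redirect the user-agent with an unguessable, single-use state value
        state = secrets.token_urlsafe(16)
        self.pending_states.add(state)
        return {"client_id": self.client_id, "redirect_uri": self.redirect_uri, "state": state}
    def callback(self, params):
        # Step 4: ignore callbacks carrying a state this client never issued
        if not params or params.get("state") not in self.pending_states:
            return None
        self.pending_states.discard(params["state"])
        return self.idp.token(self.client_id, self.client_secret, params["code"], self.redirect_uri)

def run_flow(user_authenticated=True, callback_uri=None, replay=False):
    idp = AuthorizationServer({"gateway": ("constructed-secret", "https://gateway.example/cb")})
    gw = GatewayClient(idp, "gateway", "constructed-secret", "https://gateway.example/cb")
    req = gw.start_login()
    resp = idp.authorize(req["client_id"], callback_uri or req["redirect_uri"], req["state"], user_authenticated)
    token = gw.callback(resp)
    if replay and token:  # presenting the same code a second time must be refused
        return idp.token("gateway", "constructed-secret", resp["code"], "https://gateway.example/cb")
    return token
```

Step 6 (using the returned access token against the Address Manager API) is outside this simulation; the dict returned by run_flow() is what the client would present as a Bearer token.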