OAuth is an authorization protocol that secures API endpoints as part of machine-to-machine communication between API clients. Unlike SAML (Security Assertion Markup Language), which focuses on authentication of web clients, OAuth focuses on what actors have access to, not who the actor is. You must configure both SAML and OAuth to use single sign-on with Gateway
The OAuth 2.0 specification includes four actors: the Resource Owner (the user), the Client (an application or script that needs access to the Address Manager API), the Authorization Server (or Identity Provider), and the Resource Server (Address Manager API). The authorization server issues access tokens (used to authenticate a request to an API endpoint) to the client and an authorization grant defines how the client obtains the access token. For more information on authorization grants, see https://tools.ietf.org/html/rfc6749.
How OAuth works with BlueCat Gateway
As an API client, BlueCat Gateway obtains an access token with the Authorization Code grant. In this authorization grant, the user is authenticated through a login page (the user-agent) hosted by the authorization server.
The diagram below illustrates the Authorization Code Grant:
- Client (BlueCat Gateway) redirects user-agent to authorization server
- Authorization server authenticates the user through the user-agent
- If authentication of the user is successful and the user grants access to the requested resource, the authorization server returns an authorization code and redirects the user to the client
- Client (BlueCat Gateway) requests an access token from authorization server by including authorization code
- Authorization server authenticates client
- Client (BlueCat Gateway) uses access token to access the resource on the resource server