There are many books, blogs, and sites devoted to OAuth 2. Here's the definition of OAuth 2. The main thing you need to know is that OAuth 2.
Here is the general flow for the OAuth 2. We'll discuss this flow in more detail in this topic, starting with a diagram, which illustrates a lot about how OAuth 2. If you're unfamiliar with the terms used in this diagram, read this section for a quick introduction. Edge includes an authorization server implementation, and as such, can generate and validate access tokens. Developers begin by registering their apps with Apigee Edge.
Registered apps can request access tokens through any of the four grant type interactions. Apigee provides a multi-faceted OAuthV2 policy that implements the details of each grant type, making it relatively easy to set up OAuth on Apigee Edge. For example, you can configure a policy that receives a request for an access token, evaluates all required credentials, and returns an access token if the credentials are valid. Note that any resource servers that your secure API proxy calls should be behind a firewall; that is, the resources must not be accessible through any means besides the API proxy or another API that is well secured.
Think of grant types as different paths or interactions an app can take to gain an access token. Each grant type addresses one or more use cases, and you'll need to select which grant type(s) to use based on your own needs. In general, each grant type has advantages and disadvantages, and you'll need to weigh the tradeoffs based on your business use cases. One important consideration is the "trustworthiness" of the apps that will be accessing your data. Generally, third-party apps are less trustworthy than apps that are developed and used within an enterprise.
If you successfully log in, the app will receive an authorization code that it can use to negotiate an access token with the authorization server. Typically, this grant type is used when the app resides on a server rather than on the client. This grant type is considered highly secure because the client app never handles or sees the user's username or password for the resource server; for example, the app never sees or handles your Twitter credentials.
This grant type flow is also called "three-legged" OAuth. An access token is a long string of characters that serves as a credential used to access protected resources. Access tokens (also called bearer tokens) are passed in Authorization headers, like this: Authorization: Bearer <access_token>. The resource server understands that the access token "stands in" for credentials like username and password.
In addition, access tokens can be issued with restrictions, so that, for example, the app can read but not write or delete data on the resource server. Note that an access token can be revoked if, for instance, the app is compromised. In this case, you will need to get a new access token to continue using the app; however, you will not have to change your username or password on the protected resource server (for example, Facebook or Twitter).
Access tokens generally have an expiration for security reasons. Some grant types allow the authorization server to issue a refresh token, which allows the app to fetch a new access token when the old one expires. Through the mechanism of scopes, OAuth 2.
For example, an app may have access only to specific resources, may be able to update resources, or may only be granted read-only access. Under so-called "three-legged" OAuth flows, the user typically specifies the level of access through a consent page (for example, a web page where the user selects the scope with a checkbox or other mechanism). All client apps must register with the OAuth 2.
When you register an app, you receive back a set of keys. One is a public key called the client identifier, and the other is a secret key called the client secret. Without these keys, an app cannot issue requests for authorization codes or access tokens to the authorization server. They are equivalent. Which OAuth 2. Your choice of grant types depends on the trustworthiness of the client app and requires very careful consideration, as described in the following table:
Highly trusted apps, written by internal developers or by developers with a trusted business relationship with the API provider. A good example is logging in to your company HR site to make insurance selections, submit reviews, or change personal information. API key validation requires an app to send a key to Edge. The key must be a valid consumer key from an Apigee Edge developer app that is associated with the API proxy.
If for some reason you need to revoke permission for a client app to make calls to a proxy, you must revoke that consumer key. Any client apps using that key will also be unable to access the API proxy.
On the other hand, an OAuth token can be revoked at any time without revoking the app's keys. The app can simply request a new token on behalf of the user, and if a token is granted, the app can continue using the API proxy. Another difference between an API key and a token is that a token can include metadata attributes that you can retrieve and use later. For example, you might store the ID of the user making the API call and use it to customize calls to the backend target service.
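The token behaviour described above (expiry, scope restriction, metadata attributes, and revoking a token without revoking the app's consumer key), shown as an added in-memory model; this is example code, not Apigee's OAuthV2 policy, and the class, method names and the rule that revoking an app's key also invalidates its tokens are assumptions of the example:

```python
import hmac
import secrets
import time


class AuthorizationServer:
    """Constructed model of an authorization server plus the resource-server
    check: app registration, token issuance, bearer validation, revocation."""

    def __init__(self, ttl_seconds=3600):
        self.ttl = ttl_seconds
        self.apps = {}    # client_id -> {"secret": str, "revoked": bool}
        self.tokens = {}  # access token -> record (scope, expiry, attributes)

    def register_app(self):
        # Registration hands back the client identifier and client secret.
        client_id, client_secret = secrets.token_hex(8), secrets.token_hex(16)
        self.apps[client_id] = {"secret": client_secret, "revoked": False}
        return client_id, client_secret

    def revoke_app_key(self, client_id):
        # Equivalent of revoking the consumer key: blocks the whole app.
        self.apps[client_id]["revoked"] = True

    def issue_token(self, client_id, client_secret, scope, attributes=None, now=None):
        # Client-credentials style grant: only the app's key pair is checked.
        app = self.apps.get(client_id)
        if app is None or app["revoked"] or not hmac.compare_digest(app["secret"], client_secret):
            return None
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(24)
        self.tokens[token] = {"client_id": client_id, "scope": set(scope.split()),
                              "expires_at": now + self.ttl, "revoked": False,
                              "attributes": dict(attributes or {})}  # metadata kept with the token
        return token

    def revoke_token(self, token):
        # Revokes one token only; the app's keys stay valid for a new request.
        self.tokens[token]["revoked"] = True

    def verify(self, authorization_header, required_scope, now=None):
        """Resource-server side: parse 'Authorization: Bearer <token>' and return
        the token's attributes if it is live, unrevoked and covers the scope."""
        scheme, _, token = (authorization_header or "").partition(" ")
        rec = self.tokens.get(token)
        if scheme != "Bearer" or rec is None or rec["revoked"]:
            return None
        now = time.time() if now is None else now
        if now >= rec["expires_at"] or required_scope not in rec["scope"]:
            return None
        if self.apps[rec["client_id"]]["revoked"]:
            return None  # assumption: a revoked consumer key also kills its tokens
        return rec["attributes"]
```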
See Learn about OAuth 2. Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4. For details, see the Google Developers Site Policies.