OAuth 2.0
Introduction
OAuth 2.0 is an open standard for access delegation, commonly used to grant applications access to APIs exposed on another API Gateway without sharing the resource owner's password. Depending on the use case to be implemented, different processes (OAuth authorization flows) can be designed and put in place.
Purpose
The purpose of OAuth is to provide:
Security: secure delegated access to server resources on behalf of an API resource owner.
HTTP based: OAuth allows access tokens to be issued to third-party clients by the authorization server, with the approval of the resource owner. The third party then uses the access token to access the protected resources hosted by the resource server.
Scope-based access: OAuth allows the different authorization flows to be implemented with different levels of fine-grained rights, so the resource owner can specify the level of access granted to a third-party application.
Scope
The principal purpose of the OAuth 2.0 server implementation is to expose an Authentication Server that authorizes third-party applications to consume a certain API.
The second purpose is the API Gateway implementation, which applies security policies to incoming requests so that the requests routed to the backends are authenticated, authorised and valid. In this sense, the scope of the OAuth 2.0 integration is to check the incoming requests for the OAuth 2.0-configured APIs and validate that the authorisation token is present and valid; this removes the need for the backends to check token validity themselves. To validate the presented token, the API Gateway submits a request to the OAuth 2.0 server responsible for issuing those tokens and inspects the response to allow or block the incoming request.
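The gateway-side check described above, as an added example that is not part of the original page or of any particular gateway product: it assumes the OAuth 2.0 server answers with an RFC 7662 token-introspection response, extracts the bearer token from the incoming request, and allows or blocks based on the token's active flag, validity window and granted scope. The introspection call is replaced by a constructed offline stand-in.

```python
import time
from dataclasses import dataclass


@dataclass
class Decision:
    allowed: bool
    reason: str


def extract_bearer(headers):
    """Return the token from an 'Authorization: Bearer <token>' header, or None if absent or malformed."""
    auth = headers.get("Authorization") or headers.get("authorization")
    if not auth:
        return None
    scheme, _, token = auth.partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    return token.strip()


def check_introspection(resp, required_scope, now=None):
    """Decide allow/block from an RFC 7662 introspection response (a dict parsed from the server's JSON)."""
    now = time.time() if now is None else now
    if not resp.get("active", False):          # server says token is revoked, unknown or expired
        return Decision(False, "token inactive")
    exp = resp.get("exp")
    if exp is not None and exp <= now:         # defence in depth: also honour exp locally
        return Decision(False, "token expired")
    nbf = resp.get("nbf")
    if nbf is not None and nbf > now:
        return Decision(False, "token not yet valid")
    granted = set(resp.get("scope", "").split())   # scope is a space-separated string
    if required_scope not in granted:
        return Decision(False, f"missing scope {required_scope}")
    return Decision(True, "ok")


def gateway_decision(headers, introspect, required_scope, now=None):
    """Full gateway check: token must be present, then validated against the OAuth 2.0 server."""
    token = extract_bearer(headers)
    if token is None:
        return Decision(False, "no bearer token")
    # In a real gateway `introspect` POSTs the token (with client credentials) to the
    # server's introspection endpoint; here it is a hypothetical callable.
    return check_introspection(introspect(token), required_scope, now)


# Constructed stand-in for the authorization server (hypothetical tokens, not real values).
FAKE_TOKENS = {
    "good": {"active": True, "scope": "orders:read orders:write", "exp": 2_000_000_000},
    "expired": {"active": True, "scope": "orders:read", "exp": 1_000_000_000},
}


def fake_introspect(token):
    return FAKE_TOKENS.get(token, {"active": False})
```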
A third use case is the generation of certain security mechanisms accepted by the backends, and the transformation of the incoming request to accommodate the backends' needs.