Using API Gateway OAuth 2.0 Server
API Gateway can be used as an authorization server and as a resource server.
An authorization server issues tokens to client applications on behalf of a resource owner for use in authenticating subsequent API calls to the resource server. The resource server hosts the protected resources, and can accept or respond to protected resource requests using access tokens.
API Gateway as Authorization Server
When API Gateway acts as an authorization server, it receives authorization requests from client applications. The authorization server handles the interactions between the client application, resource server, and resource owner for approval of the request.
As an authorization server, API Gateway issues opaque access tokens as bearer tokens to client applications on behalf of a resource owner for use in authenticating subsequent API requests to the resource server. A bearer token is an access token that allows any party in possession of the access token (Bearer) to use the token. The authorization server retains the information about the bearer tokens it issues, including the user information. When a client presents a bearer token to the resource server, the resource server sends the token to the authorization server to ensure that the token is valid and that the requested service is within the scope for which the access token was issued. A scope is the definition of the resources that the client application can access on behalf of a resource owner.
If the client application is authorized to access the protected resources, the resource server executes the request. If the client application does not have privileges to access the resources, the resource server rejects the request.
API Gateway as Resource Server
When API Gateway acts as a resource server, it hosts the protected resources, and accepts and responds to the client applications' requests that include an access token. The client application sends the access token in the Authorization request header field using the Bearer authentication scheme. The resource server asks the authorization server to validate the access token.
If the token is valid and the client application has privileges to access the protected resources, the resource server executes the request. If the access token is invalid, it rejects the request.
Note: The resource server and the authorization server might be in the same API Gateway instance or might be in different API Gateway instances.
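The exchange described in both sections above, as an added example that is not part of the API Gateway product or this documentation: a constructed in-memory authorization server issues opaque bearer tokens and records the user and scope behind each one, and a separate resource server object accepts requests carrying an Authorization: Bearer header, asks the issuer whether the token is valid, and checks that the requested resource's scope is one the token was issued for. Class names, the path-to-scope mapping and the token lifetime are assumptions for the illustration.

```python
import secrets
import time


class AuthorizationServer:
    """Issues opaque bearer tokens and answers validation requests (constructed example)."""

    def __init__(self, ttl_seconds=3600):
        self.ttl = ttl_seconds
        self._tokens = {}  # opaque token -> issued record (client, user, scopes, expiry)

    def issue_token(self, client_id, user, scopes, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # random and opaque: the string carries no claims
        self._tokens[token] = {"client_id": client_id, "user": user,
                               "scopes": frozenset(scopes), "expires_at": now + self.ttl}
        return token

    def validate(self, token, now=None):
        """Called by the resource server with a presented token; only the issuer can resolve it."""
        now = time.time() if now is None else now
        rec = self._tokens.get(token)
        if rec is None or now >= rec["expires_at"]:
            return {"active": False}
        return {"active": True, "client_id": rec["client_id"],
                "user": rec["user"], "scopes": rec["scopes"]}


class ResourceServer:
    """Hosts protected resources; each path requires one scope (constructed example)."""

    def __init__(self, auth_server, required_scope):
        self.auth = auth_server
        self.required_scope = required_scope  # assumed mapping, e.g. {"/orders": "orders:read"}

    def handle(self, path, headers, now=None):
        """Return (status, body) for a request that should carry 'Authorization: Bearer <token>'."""
        scheme, _, token = headers.get("Authorization", "").partition(" ")
        if scheme.lower() != "bearer" or not token.strip():
            return 401, "missing or malformed bearer credentials"
        info = self.auth.validate(token.strip(), now)  # ask the issuer; never trust the token alone
        if not info["active"]:
            return 401, "invalid or expired token"
        needed = self.required_scope.get(path)
        if needed is None:
            return 404, "no such resource"
        if needed not in info["scopes"]:
            return 403, "token was not issued for scope " + needed
        return 200, "resource for " + info["user"]
```

The two objects can be the same process or different ones, matching the note above; the resource server never inspects the token string itself, it only relays it to the issuer for validation.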