Authorization Workflows
The OpenID Connect support in API Gateway provides two different ways for a client to obtain access to a protected resource.
Authorization Code
Implicit
Authorization Code Flow
This flow returns an authorization code to API Gateway and the client application, which can then directly exchange it for an identity (ID) token and, optionally, a secondary ID token (which embeds the primary ID token and application ID) and a refresh token.
This flow obtains the authorization code from the authorization endpoint and all tokens are returned from the token endpoint.
Authorization Code Grant Flow
The authorization code flow involves the following steps:
1. Client application sends the OpenID token request to API Gateway to obtain an OpenID (ID) token.
The OpenID token endpoint in API Gateway is:
<hostname>:<port>/rest/pub/apigateway/openid/getOpenIDToken
Note: You can optionally specify an application ID to get an OpenID token specific to the application. For example:
test:5555/rest/pub/apigateway/openid/getOpenIDToken?app_id=990807e0-b03b-4a25-8f26-5d73fdd6f7d0
In this case, API Gateway generates a secondary ID token that includes the application ID and the primary ID token. As a prerequisite, you must have the JWT settings configured in API Gateway. For information about configuring JWT settings in API Gateway, see Configuring API Gateway to use JWT.
2. API Gateway sends the redirect URL of the configured OpenID Provider to the client.
3. The redirect URL opens the login page of the OpenID Provider and retrieves the user information for authentication.
4. The OpenID Provider authenticates the user. It passes the authorization code to the client using a preconfigured redirect URL.
The preconfigured redirect URL is the callback URL an API Provider will configure in the OpenID Provider's console.
The callback URL for OpenID in API Gateway is:
<hostname>:<port>/rest/pub/apigateway/openid/openIDCallback
5. API Gateway validates the authorization code, and, if valid, returns an ID token to the client.
6. Client uses the ID token to access the OpenID protected API in API Gateway.
Implicit Flow
This flow requests an identity (ID) token and, optionally, a secondary ID token (which embeds the primary ID token and application ID) without explicit client authentication. This flow relies on the preconfigured redirect URL to verify the client identity.
Implicit Grant Flow
The implicit flow involves the following steps:
1. Client application sends the OpenID token request to API Gateway to obtain an OpenID (ID) token.
The OpenID token endpoint in API Gateway is:
<hostname>:<port>/rest/pub/apigateway/openid/getOpenIDToken
Note: You can optionally specify an application ID to get an OpenID token specific to the application. For example:
test:5555/rest/pub/apigateway/openid/getOpenIDToken?app_id=990807e0-b03b-4a25-8f26-5d73fdd6f7d0
In this case, API Gateway generates a secondary ID token that includes the application ID and the primary ID token. As a prerequisite, you must have the JWT settings configured in API Gateway. For information about configuring JWT settings in API Gateway, see Configuring API Gateway to use JWT.
2. API Gateway sends the redirect URL of the configured OpenID Provider to the client.
3. The redirect URL opens the login page of the OpenID Provider and retrieves the user information for authentication.
4. The OpenID Provider authenticates the user. It passes the ID token to the client using a preconfigured redirect URL.
The preconfigured redirect URL is the callback URL an API Provider will configure in the OpenID Provider's console.
The callback URL for OpenID in API Gateway is:
<hostname>:<port>/rest/pub/apigateway/openid/openIDCallback
5. Client uses the ID token to access the OpenID protected API in API Gateway.
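The following is an added example, not code from API Gateway or its OpenID Provider, that simulates both workflows described above (the authorization code steps and the implicit steps) in one offline script. An in-memory OpenID Provider accepts only the preconfigured callback URL from the page, hands back a single-use authorization code in the query string for the code flow, and hands back the ID token itself in the URL fragment for the implicit flow. API Gateway's part (steps 1, 2 and 5) is folded into the two flow functions. The HS256 signing key, the claim names, the issuer, the user names and the token lifetime are constructed assumptions; the secondary ID token with an application ID is not modeled.

```python
"""Simulation of the OpenID Connect authorization code and implicit flows.

Added example, not API Gateway code. The OP, the gateway role and the client are
plain Python so the exchange runs offline. Only the endpoint path is from the page.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Callback URL from the page; the host and port are the page's own example values.
CALLBACK_URL = "https://test:5555/rest/pub/apigateway/openid/openIDCallback"
# Assumption: the stand-in OP signs ID tokens with an HS256 key (a real OP would
# normally use RS256 with keys published on its JWKS endpoint).
OP_SECRET = b"constructed-demo-key"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def sign_id_token(claims: dict) -> str:
    """Build a minimal HS256 JWT from the given claims."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(OP_SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"


def verify_id_token(token: str) -> dict:
    """Check the signature and expiry, then return the claims."""
    header, body, sig = token.split(".")
    expected = hmac.new(OP_SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url(expected), sig):
        raise ValueError("bad signature")
    claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    if claims["exp"] < time.time():
        raise ValueError("expired")
    return claims


def redirect_param(url: str, name: str) -> str:
    """Pull a parameter from the redirect: code is in the query, id_token in the fragment."""
    parts = urlsplit(url)
    params = {**parse_qs(parts.query), **parse_qs(parts.fragment)}
    return params[name][0]


class OpenIDProvider:
    """Stand-in OP: it only ever redirects to the preconfigured callback URL (step 4)."""

    def __init__(self, registered_redirect: str):
        self.registered_redirect = registered_redirect
        self.codes = {}  # code -> authenticated user, removed when exchanged

    def authorize(self, redirect_uri: str, response_type: str, user: str) -> str:
        # Exact-match check: an unregistered redirect is refused, not honoured.
        if redirect_uri != self.registered_redirect:
            raise PermissionError("redirect_uri not registered")
        if response_type == "code":
            code = secrets.token_urlsafe(16)
            self.codes[code] = user
            return f"{redirect_uri}?{urlencode({'code': code})}"
        if response_type == "id_token":
            # Implicit flow: the ID token itself travels back in the redirect.
            return f"{redirect_uri}#{urlencode({'id_token': self._issue(user)})}"
        raise ValueError("unsupported response_type")

    def token(self, code: str) -> str:
        """Token endpoint for the code flow: the code is accepted exactly once."""
        user = self.codes.pop(code, None)
        if user is None:
            raise PermissionError("unknown or already used code")
        return self._issue(user)

    def _issue(self, user: str) -> str:
        now = int(time.time())
        return sign_id_token({"iss": "https://op.example", "sub": user,
                              "aud": "apigateway", "iat": now, "exp": now + 300})


def authorization_code_flow(op: OpenIDProvider, user: str) -> dict:
    """Code arrives on the callback URL; the ID token comes from the token endpoint."""
    redirect = op.authorize(CALLBACK_URL, "code", user)
    code = redirect_param(redirect, "code")
    return verify_id_token(op.token(code))


def implicit_flow(op: OpenIDProvider, user: str) -> dict:
    """The ID token arrives directly in the fragment of the callback URL."""
    redirect = op.authorize(CALLBACK_URL, "id_token", user)
    return verify_id_token(redirect_param(redirect, "id_token"))


if __name__ == "__main__":
    op = OpenIDProvider(CALLBACK_URL)
    print("code flow     ->", authorization_code_flow(op, "alice")["sub"])
    print("implicit flow ->", implicit_flow(op, "alice")["sub"])
```

The two checks worth noting are the ones the page's steps depend on: the OP compares the requested redirect against the preconfigured callback URL with an exact match, and the token endpoint consumes an authorization code on first use, so a code that has already been exchanged is rejected on replay.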