Configure openAuth Support
3scale supports credential generation and sharing for openAuth authentication patterns. This HowTo covers how to configure openAuth mode and explains how 3scale's support works.
Goal: at the end of this section you will have set up openAuth support for your API.
openAuth (OAuth) is a set of standard authentication and authorization delegation patterns which allow an application to access resources on a remote server. Information on OAuth can be found at the OAuth Community Site.
3scale enables APIs using OAuth authentication and supports the outer layer of credential management necessary for both OAuth 1 and 2. This encompasses all elements of client identifier and secret sharing required for a developer to create an application which uses an OAuth API.
At this time, however, 3scale does not provide a solution for the inner layer of OAuth management: the mapping between end users and the particular applications they have authorized to access their data.
3scale's OAuth support is summarized in the following image and the steps below:
- The App developer (consumer of the API) gets its client_id and client_secret via the API portal (in the case of OAuth v1 this would be consumer_key, etc.). These keys are provisioned by 3scale after the account is validated, by the provider through their portal, or via the Account API (e.g. legacy systems or buyer portals not based on 3scale).
- The App developer makes requests to the API following the standard OAuth pattern. Calls to the API, both those made to obtain an access token and those made with an access token, should include the client_id. If an OAuth v1 variant is being used, the body of the request is also signed using the client_secret.
- The API provider calls 3scale's backend system with the client_id from the request, in addition to all the metrics/methods that need to be validated according to the rules and limits defined on the plan the App developer is in. 3scale returns whether or not the API request is valid, plus the current utilization of the limits, access control, etc. 3scale also returns the client_secret so that the API provider can run the final validation against tampering. This call can be made every time an API call comes in, or the setup can be asynchronous so that the authorization results and key are cached for periods of time within the 3scale plugin agent.
- The API must check that the md5/HMAC-SHA1 signature of the request (body, nonce, etc.), computed with the client_secret returned from 3scale, matches the signature sent by the requester, so that it can be sure of the origin and that the request was not tampered with.
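The provider-side check in the last bullet, as an added example that is not 3scale's own code: it rebuilds the OAuth 1.0a signature base string, recomputes the HMAC-SHA1 with the client_secret that 3scale returned, compares in constant time, and rejects replayed nonces. The `THREESCALE_SECRETS` dictionary is a constructed stand-in for the client_secret in 3scale's backend response, and the caller is assumed to have merged the Authorization header, query and form parameters into one dict.

```python
"""Verify an OAuth 1.0a (HMAC-SHA1) request with the client_secret obtained
from 3scale's authorization backend. Example code, not 3scale's own."""
import base64
import hashlib
import hmac
from urllib.parse import quote

# Constructed stand-in for the client_secret that 3scale's backend returns
# with the authorization result for a client_id (assumption, not a real API).
THREESCALE_SECRETS = {"client-123": "s3cret-from-3scale"}


def pct(value):
    """RFC 3986 percent-encoding as required by RFC 5849 section 3.6."""
    return quote(str(value), safe="-._~")


def base_string(method, base_url, params):
    """Signature base string: METHOD & enc(base URL) & enc(sorted params).
    `params` holds header, query and form parameters merged by the caller."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items()
                   if k not in ("oauth_signature", "realm"))
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(base_url), pct(normalized)])


def sign(method, base_url, params, client_secret, token_secret=""):
    """HMAC-SHA1 over the base string, keyed with enc(secret)&enc(token_secret).
    token_secret is empty for the initial (request/access token) calls."""
    key = f"{pct(client_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base_string(method, base_url, params).encode(),
                      hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def verify(method, base_url, params, token_secret="", seen_nonces=None):
    """Provider-side check: look up the client_secret 3scale returned for the
    client_id, recompute the signature and compare it in constant time."""
    client_id = params.get("oauth_consumer_key")
    client_secret = THREESCALE_SECRETS.get(client_id)
    if client_secret is None or params.get("oauth_signature_method") != "HMAC-SHA1":
        return False
    nonce_key = (client_id, params.get("oauth_timestamp"), params.get("oauth_nonce"))
    if seen_nonces is not None and nonce_key in seen_nonces:
        return False  # replayed request: same nonce/timestamp for this client
    expected = sign(method, base_url, params, client_secret, token_secret)
    if not hmac.compare_digest(expected, params.get("oauth_signature", "")):
        return False
    if seen_nonces is not None:
        seen_nonces.add(nonce_key)  # remember only nonces of valid requests
    return True
```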
Step by Step
Step 1: Navigate to the Authentication Control area for the service you wish to configure.
Click on the “API” tab in your control panel and then select Edit on the API you wish to set openAuth up for.
Step 2: Change the Authentication pattern to OAuth
WARNING – making this change will affect all live applications on the service; it is recommended that the pattern not be changed once people have begun using the API.