OAuth 2.0 access management

OAuth 2.0 token-based security for your APIs

The Connect2id server can also act as a fully fledged OAuth 2.0 server for issuing access tokens for your web APIs and other protected resources.

All standard OAuth 2.0 grants, or flows, for obtaining access tokens are supported:

  • Authorisation code: for traditional web apps as well as mobile / native clients
  • Implicit: for browser-based applications coded in JavaScript
  • Resource owner password: for highly trusted clients or if other grant types are unavailable
  • Client credentials: for clients that act on their own behalf
  • JWT assertion: for bridging two security domains
  • SAML 2.0 assertion: for SAML SSO clients that need to obtain OAuth tokens

Bring your own policies

Security architects enjoy plenty of freedom with the Connect2id server:

  • Apply arbitrary rules and security policies to each OAuth 2.0 grant. These may be implemented in any programming language, and are applied to the Connect2id server via its powerful APIs (web or native).
  • Short (transient) as well as long-lived (persisted) authorisations are supported. The latter enable end-user consent to be remembered across requests.
  • The issued access tokens can be self-contained (encoded as a signed or signed + encrypted JWT) or identifier based (the authorisation is stored in a database and queried remotely by secure key).
  • The token scope can be assigned implicitly.
  • The lifetime of the issued access and refresh tokens can be controlled for each individual application and end-user.
  • Tokens may carry additional data.

Advanced use cases

Version 4 of the Connect2id server added support for more advanced use cases:

  • Impersonation — enables a privileged user to log into a client application under a different identity. May also extend to accessing protected resources (web APIs) as the impersonated identity and using their permissions.

  • Delegation — enables one user to act on behalf of another.

Token management

The Connect2id server provides web-based endpoints to manage the entire life cycle of a token:

  • Token issue
  • Token inspection
  • Update of the associated scope and other details (for long-lived authorisations / refresh tokens)
  • Token revocation
  • Query long-lived authorisations per client or end-user

Support for distributed apps

Applications that are distributed within and across data centres are easily catered for by the Connect2id server. This is accomplished with self-contained access tokens (JWT), which a resource server can verify locally in a fraction of a millisecond and then clear the request, without a call back to the server.

Applications with limited / unreliable connectivity can also benefit from this approach.
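The following is an added illustration of what a resource server does with a self-contained access token, covering both the self-contained / identifier-based distinction above and the distributed-app case. It is not Connect2id code and assumes nothing about the server's actual token format beyond standard JWT practice: a signed JWT with the standard `iss`, `sub`, `aud`, `scope` and `exp` claims. The key, the claim values and the HMAC algorithm are constructed for the example; a real deployment would typically verify against the issuer's published public key rather than a shared secret. The point it shows is that every check (signature, expiry, audience, scope) happens locally, with no network round trip.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed example key shared by the issuer and the resource server.
# Assumption for the example only; an asymmetric key is the usual choice.
SHARED_KEY = b"example-shared-hmac-key-do-not-use-in-production"


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(data: str) -> bytes:
    """Restore the padding that b64url_encode stripped, then decode."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def issue_token(claims: dict, key: bytes = SHARED_KEY) -> str:
    """Issuer side: sign the claims as an HS256 JWT (constructed example)."""
    header = {"alg": "HS256", "typ": "at+jwt"}
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    signing_input = f"{b64url_encode(compact(header))}.{b64url_encode(compact(claims))}"
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def verify_token(token: str, required_scope: str, expected_aud: str,
                 key: bytes = SHARED_KEY, now: Optional[float] = None) -> Optional[dict]:
    """Resource-server side: verify locally and return the claims, or None on rejection.

    Every check is local: no introspection call is made, which is what makes
    self-contained tokens cheap to verify across data centres.
    """
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        # Pin the algorithm: reject "none" and any algorithm we did not expect.
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"),
                            hashlib.sha256).digest()
        # Constant-time comparison of the signature.
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None
        claims = json.loads(b64url_decode(payload_b64))
    except (ValueError, TypeError, AttributeError):
        # Malformed segment, bad base64, or non-object JSON: reject.
        return None

    current = time.time() if now is None else now
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= current:
        return None  # expired or missing expiry

    aud = claims.get("aud")
    if aud != expected_aud and not (isinstance(aud, list) and expected_aud in aud):
        return None  # token was issued for a different resource

    if required_scope not in str(claims.get("scope", "")).split():
        return None  # authorisation does not cover this operation

    return claims


if __name__ == "__main__":
    # Constructed claims for a demonstration run.
    sample = {"iss": "https://c2id.example.com", "sub": "alice",
              "aud": "https://api.example.com", "scope": "read write",
              "exp": int(time.time()) + 600}
    tok = issue_token(sample)
    print("accepted:", verify_token(tok, "read", "https://api.example.com") is not None)
    print("wrong scope rejected:", verify_token(tok, "admin", "https://api.example.com") is None)
```

The `now` parameter exists so the expiry check can be exercised deterministically; in production it is left at its default. The identifier-based alternative from the feature list would replace the body of `verify_token` with a lookup of the token string in a database or a call to the server's inspection endpoint, trading the local computation shown here for a network round trip and the ability to revoke instantly.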