Using Authlete's Web APIs or its default implementation, you can add OAuth 2.0 and OpenID Connect functionality to your service.
OAuth 2.0 is a framework that lets a user of a service allow a third-party application to access the user's data hosted in the service without revealing the user's credentials (ID and password) to the application.
The main specification is defined in RFC 6749.
OpenID Connect is a framework on top of OAuth 2.0 through which a third-party application can obtain a user's identity information managed by an OpenID provider.
The main specification is defined in OpenID Connect Core 1.0.
A company has to implement OAuth 2.0 (and OpenID Connect) as a prerequisite for providing Web APIs for its service. However, implementing the specifications requires enormous time and effort, and managing the data the specifications involve is a further burden. This hurdle can be fatal to service providers who compete on time to market or cannot afford to implement the prerequisites with their own developer resources.
Authlete solves this problem. Authlete supports a large number of related specifications and hosts the related data, so Authlete users can start implementing the Web APIs of their services without being bothered by the prerequisites.
Basically, Authlete works behind your Web service; your end-users and developers do not need to use Authlete directly unless you choose to let them. The figure below illustrates the relationship among the parties involved in OAuth 2.0.
There are four major components you need to be aware of when you implement Web APIs. The following describes each component and the roles you and Authlete play in it.
Authentication deals with information about "who one is". OpenID Connect is a specification for authentication.
You manage end-user accounts and authenticate them. You pass subjects (= unique identifiers) of end-users to Authlete as needed.
Authlete receives subjects of end-users from your system and associates the subjects with access tokens and other data. Note that Authlete does not manage end-user accounts and does not care how end-users are authenticated. You can authenticate end-users by ID and password, fingerprint, iris recognition, or in whatever way you like.
Authorization deals with information about "who grants what permissions to whom". OAuth 2.0 is the industry standard for authorization.
You register the metadata of your authorization server and OpenID provider with Authlete. You can use the Service Owner Console for that purpose.
Authlete exists for authorization! Authlete manages authorization-related data on your behalf, such as access tokens, refresh tokens, authorization codes, metadata of authorization servers and OpenID providers, metadata of client applications, and so on. You don't have to set up and maintain your own database for this data.
Resource management deals with resources (= data). A Web service provides Web APIs to allow client applications to access resources.
You host resources on your servers and implement Web APIs to access the resources. Such Web APIs are called protected resource endpoints.
Authlete issues and manages access tokens. It also provides a Web API that returns information about the access token a client application presents when it calls your Web APIs. We call it the "introspection API", and you will use it in the implementations of your Web APIs. Because the token's validity, owner (subject) and granted scopes come from Authlete, your protected resource endpoint never has to parse or trust the token string itself; it only has to ask Authlete and act on the answer.
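The following is an added example (not Authlete's own code) of the part that stays on your side: a protected resource endpoint that extracts the bearer token from the Authorization header (RFC 6750), hands it to an introspection call, and turns the answer into the RFC 6750 responses a client expects (401 `invalid_token`, 403 `insufficient_scope`, or success with the subject and scopes attached). The `introspect` callable is a stand-in for the call your server makes to the introspection API; its request and response shape here (`{"active", "subject", "scopes"}`) is an assumption of this example, not Authlete's actual wire format, and the token table is constructed sample data.

```python
"""Protected resource endpoint in front of a Web API (added example, not Authlete code).

The `introspect` callable stands in for the introspection API call. The response
shape {"active": bool, "subject": str, "scopes": [..]} is assumed here and is not
Authlete's real response format.
"""
import re
from typing import Callable, Dict, List, Optional, Tuple

# RFC 6750 section 2.1: "Bearer" followed by a b64token; scheme name is case-insensitive.
_BEARER_RE = re.compile(r"^Bearer\s+([A-Za-z0-9\-._~+/]+=*)$", re.IGNORECASE)

# Constructed sample data for the stub introspection below (hypothetical tokens/subjects).
_SAMPLE_TOKENS: Dict[str, dict] = {
    "tok-alice-read": {"active": True, "subject": "alice", "scopes": ["profile:read"]},
    "tok-bob-rw": {"active": True, "subject": "bob", "scopes": ["profile:read", "profile:write"]},
    "tok-expired": {"active": False, "subject": "carol", "scopes": ["profile:read"]},
}


def stub_introspect(token: str) -> dict:
    """Stand-in for the introspection API. Unknown tokens are reported exactly like
    expired or revoked ones (inactive), so a caller cannot probe which tokens exist."""
    return _SAMPLE_TOKENS.get(token, {"active": False, "subject": None, "scopes": []})


def extract_bearer_token(headers: Dict[str, str]) -> Optional[str]:
    """Return the bearer token from the Authorization header, or None if absent or malformed."""
    value = headers.get("Authorization") or headers.get("authorization")
    if not value:
        return None
    match = _BEARER_RE.match(value.strip())
    return match.group(1) if match else None


def authorize_request(
    headers: Dict[str, str],
    required_scopes: List[str],
    introspect: Callable[[str], dict] = stub_introspect,
    realm: str = "api",
) -> Tuple[int, Dict[str, str], dict]:
    """Decide whether a request may reach the protected resource.

    Returns (status, response_headers, context). Status 200 means "proceed"; the
    context then carries the subject and granted scopes for the resource handler.
    Any other status is a finished error response per RFC 6750 section 3.
    """
    token = extract_bearer_token(headers)
    if token is None:
        # No usable token: 401 with a bare challenge, no error code (RFC 6750 3.1).
        return 401, {"WWW-Authenticate": f'Bearer realm="{realm}"'}, {}

    info = introspect(token)
    if not info.get("active"):
        # Expired, revoked or unknown token: 401 invalid_token.
        www = (f'Bearer realm="{realm}", error="invalid_token", '
               f'error_description="The access token is invalid or expired"')
        return 401, {"WWW-Authenticate": www}, {}

    granted = set(info.get("scopes", []))
    if any(s not in granted for s in required_scopes):
        # Valid token, but not for this endpoint: 403 insufficient_scope with the needed scope list.
        www = (f'Bearer realm="{realm}", error="insufficient_scope", '
               f'scope="{" ".join(required_scopes)}"')
        return 403, {"WWW-Authenticate": www}, {}

    return 200, {}, {"subject": info["subject"], "scopes": sorted(granted)}


def get_profile(headers: Dict[str, str]) -> Tuple[int, Dict[str, str], dict]:
    """Example resource handler: the profile is looked up by the subject Authlete bound
    to the token, never by anything the client sends in the request body or URL."""
    status, resp_headers, ctx = authorize_request(headers, ["profile:read"])
    if status != 200:
        return status, resp_headers, {}
    # Constructed sample resource keyed by subject.
    profiles = {"alice": {"name": "Alice"}, "bob": {"name": "Bob"}}
    return 200, {"Content-Type": "application/json"}, profiles.get(ctx["subject"], {})


if __name__ == "__main__":
    print(get_profile({"Authorization": "Bearer tok-alice-read"}))
    print(get_profile({"Authorization": "Bearer tok-expired"}))
```

Two design points carry over to a real deployment: the three outcomes are distinguishable to the client only by status and `error` code, not by any detail that reveals whether a token ever existed, and the resource handler reads the subject from the introspection result rather than from the request, which is what makes the token binding done by Authlete meaningful.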
Client management deals with client applications. Developers register the metadata of their client applications with a Web service.
You manage developer accounts of client applications and authenticate them. You pass subjects of developers to Authlete as needed.
Authlete issues client IDs and manages the metadata of client applications. You can let developers use the Developer Console provided by Authlete directly, or build your own Web console for developers using Authlete's Web APIs.
Authlete supports OpenID Connect, but end-user authentication itself must be performed by your system. What Authlete does for OpenID Connect is parse and validate the parameters of OpenID Connect authentication requests and construct ID tokens.
Authlete's carefully designed architecture cleanly separates the authorization part from the end-user authentication part. This enables you to add OAuth 2.0 and OpenID Connect functionality smoothly even to existing systems with unusual end-user authentication mechanisms.
With Authlete, you can support OAuth 2.0 and OpenID Connect in your Web service. Sign up and start with the Getting Started document.