An Expert Guide to Using Digital Platforms
Authentication Provided by an Identity Provider for an API
A modern Digital Platform API typically uses the industry standards OAuth and OpenID Connect to allow clients to authenticate to the API. This functionality is typically provided by a third-party Identity Provider system such as Okta, Auth0, Microsoft Azure Active Directory, etc.
With OAuth, when the user tries to access a protected resource (such as the order above), they must present a "bearer token" issued by the Identity Provider to prove their identity. If the user does not present a valid token, they are prompted to log on to the Identity Provider to obtain one.
Tokens
Tokens are typically provided as JSON Web Tokens (JWTs). The token itself is a compact, base64url-encoded string; its decoded payload (the claims) looks something like this:

```json
{
  "ver": 1,
  "jti": "AB.j5d093ynt095y4nt45uth409gn4mh59",
  "iss": "https://okta.somewhere.com/oauth2/8947dh63487326hx8",
  "aud": "p349tcu4ogjmpgeo",
  "iat": 1561553243,
  "exp": 1561556843,
  "cid": "uictnp9cny3t9",
  "uid": "ciu3tm958mct089",
  "scp": [
    "openid",
    "profile"
  ],
  "sub": "[email protected]"
}
```
The claims in this JWT include the following:
- Issuer (iss): okta.somewhere.com (the Identity Provider that issued this token)
- Expires (exp): the date and time (as a UNIX epoch) when this token expires
- Audience (aud): the application that this token authorises access to
- And more…
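An added example, not from the original page, of the checks an API must make before trusting such a token: verify the signature, then check the iss, aud, exp and iat claims shown above. To run offline it uses a constructed HS256 shared secret; a real Identity Provider such as Okta signs with RS256 and publishes its public keys, so in production you verify against those keys (normally via a maintained JWT library).

```python
import base64, hashlib, hmac, json

# Expected values, taken from the sample claims above
EXPECTED_ISSUER = "https://okta.somewhere.com/oauth2/8947dh63487326hx8"
EXPECTED_AUDIENCE = "p349tcu4ogjmpgeo"


def b64url_decode(part: str) -> bytes:
    """Decode base64url; JWT parts omit the '=' padding."""
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_hs256_jwt(claims: dict, key: bytes) -> str:
    """Constructed helper: mint an HS256 token so the example runs offline."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def validate_jwt(token: str, key: bytes, now: int, leeway: int = 60) -> dict:
    """Verify the signature, then issuer, audience and time claims.
    Returns the claims on success; raises ValueError otherwise."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token: expected 3 dot-separated parts")
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm the API expects; never let the token header choose it
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("untrusted issuer")
    aud = claims.get("aud")
    if EXPECTED_AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not intended for this API")
    if now >= claims.get("exp", 0) + leeway:  # small clock-skew allowance
        raise ValueError("token expired")
    if claims.get("iat", 0) > now + leeway:
        raise ValueError("token issued in the future")
    return claims
```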
Providers
OAuth and OpenID Connect are very widely implemented by identity providers such as Okta, Auth0, Microsoft Azure Active Directory, Twitter (who invented it), Facebook, Google and many, many more. Next, we look at implementing this with the help of Microsoft Azure API Management!