The OAuth 2.0 policy follows the RFC-6749 standard.
Express Gateway plays the role of both resource server and authorization server. In order to use this policy, consumers must be created and an oauth2 credential created for them.
The OAuth 2.0 policy will listen on the following endpoints (the same two paths the flow description below refers to):
- /oauth2/authorize: endpoint to provision authorization codes for the Authorization Code flow, or the access token for the Implicit Grant flow. Only POST is supported.
- /oauth2/token: endpoint to provision access tokens to support the Client Credentials and Password Credentials Grant flows. Only POST is supported.
When a client has been authenticated and authorized, Express Gateway will append consumer and token headers to the request before proxying it to the downstream service, so that you can identify the consumer and the end-user in your service. The headers follow the pattern x-consumer-<property> and x-token-<property>, where <property> is a property of the consumer or of its token, respectively. Because the gateway appends these headers, a downstream service should only trust them when it is reachable exclusively through the gateway; a client that can reach the service directly could otherwise supply its own.
Express Gateway Headers
The following headers will be passed downstream to proxied service endpoints.

| Header | Description |
|---|---|
| | authorized scopes for the token |
| | redirect URI associated with the token |
| | metadata about when the token expires |
| | metadata about when the token was created |
| | ID of the consumer to whom the token belongs |
| | the ID of the authenticated user that the client is acting on behalf of |
| | the type of authentication (oauth, basic-auth, key-auth, etc.) |
| | ID of the user that is tied to the application (if the consumer is an application) |
| | metadata about when the consumer was last updated in Express Gateway |
| | redirect URI for the credential |
| | any user-defined property associated with the consumer |
| | a boolean indicating whether the consumer is active |
| | ID of the consumer |
| | metadata about when the consumer was |
| | type of consumer: application or user |
OAuth 2.0 Flows
There are 3 distinct entities at play:
- Client app (a client or application registered on Express Gateway that wants to act on behalf of a user)
- Express Gateway's web UI (which you can configure and customize)
- Express Gateway

The Authorization Code grant proceeds as follows:
1. The client is already registered with Express Gateway and has an ID, secret and redirect URI in Express Gateway.
2. The client app redirects the user to Express Gateway's web UI, passing its app_id, response_type and scope.
3. The UI makes a GET to /oauth2/authorize and Express Gateway ensures the user is logged in.
4. If the user is not logged in, he/she logs in on Express Gateway's UI. For this login, Express Gateway acts as an authorization server for the user.
   Note: the user will need basic-auth credentials to be able to log in.
5. Express Gateway's web app prompts the user to allow the client access to specific scopes, which the user grants.
6. Express Gateway's UI again calls /oauth2/authorize to request an auth code, authenticating the client with an HTTP Basic Authorization header, i.e. Authorization: Basic <base64(clientId:secret)>.
7. Express Gateway responds with whether or not the client is authorized. If authorized, it returns an authorization code and redirect_uri.
8. The UI redirects the client app to the redirect_uri.
9. The client app exchanges the auth_code for an access token by making a POST to /oauth2/token.

The Implicit grant is the same as the Authorization Code grant, except that a token (instead of an authorization code) and redirect_uri are returned in step 7, and steps 8 and 9 do not apply.
The Client Credentials grant follows the standard RFC 6749 flow.
In order to use the OAuth2 Authorization policy, consumers must be created and oauth2 credentials created for them.

```yaml
policies:
  - oauth2

pipelines:
  pipeline1:
    apiEndpoints:
      - authorizedEndpoint
    policies:
      - oauth2:
      - proxy:
          action:
            serviceEndpoint: backend
```
Customizing the UI
The basic implementation of the UI for the OAuth2 policy is found in /lib/policies/oauth2/views. In this directory, you can customize the code to suit your needs.