OAuth2 with external OAuth2 / OpenID Providers using Membrane
Membrane Service Proxy can be used to authorize HTTP requests based on the RFC 6749 OAuth 2.0 Authorization Framework, OpenID Connect Core and OpenID Connect Discovery .
To use the exact terms, Membrane Service Proxy can act as an authorization proxy to the resource server.
Figure1:
The following steps are realised:
- The user starts the authorization process by requesting access to the secret resource.
- The client redirects the user to the authorization server to start the login procedure.
-
1 The user automatically calls the authorization endpoint ( through the redirect of the client ).
3. 2 The user authorizes with his/her credentials and accepts the information on the consent page. - After successful authorization the user is redirected to the clients callback url which is called with, among other parameters, the access code.
- The client requests an access token in exchange for the access code.
- The authorization server answers with an access token and optionally an id token.
- The client requests userinfos with his access token.
- The authorization server answers with the information about the user.
- The client collects all OAuth2/OpenID-Connect data ( which can then be further prepared for the secret resource e.g. with a groovy interceptor ) and starts retrieving the secret resource.
- + 11. The resource is delivered to the user.