OAuth2 with external OAuth2 / OpenID Providers using Membrane
Membrane API Gateway can be used to authorize HTTP requests based on the OAuth 2.0 Authorization Framework (RFC 6749), OpenID Connect Core and OpenID Connect Discovery.
In the terminology of RFC 6749, Membrane API Gateway acts as an authorization proxy in front of the resource server: it plays the OAuth2 client role, obtains the token and user data from the external authorization server, and only then forwards the request to the protected resource.
Figure 1: sequence diagram of the steps below (image not included).
The following steps are realised:
1. The user starts the authorization process by requesting access to the secret resource.
2. The client redirects the user to the authorization server to start the login procedure.
3. Login at the authorization server:
   3.1 The user automatically calls the authorization endpoint (through the redirect of the client).
   3.2 The user authorizes with his/her credentials and accepts the information on the consent page.
4. After successful authorization the user is redirected to the client's callback URL, which is called with, among other parameters, the access code.
5. The client requests an access token in exchange for the access code.
6. The authorization server answers with an access token and optionally an ID token.
7. The client requests the user information with its access token.
8. The authorization server answers with the information about the user.
9. The client collects all OAuth2/OpenID Connect data (which can then be further prepared for the secret resource, e.g. with a Groovy interceptor) and starts retrieving the secret resource.
10. + 11. The resource is delivered to the user.
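The steps above are the standard authorization-code flow. The following Python simulation, added here as an example and not code from Membrane or from this page, walks both sides of the exchange in one process: a stub authorization server (steps 3 to 8) and a minimal authorization proxy playing the client role (steps 2, 4, 5, 7 and 9). All names, URLs and credentials (`CLIENT_ID`, `CLIENT_SECRET`, `CALLBACK`, the user `alice`) are constructed for the example. The points a defender should check are made explicit: the `state` value is bound to the browser session and verified on the callback, the access code is single-use and tied to the registered client and redirect URI, and the client secret is checked before a token is issued.

```python
"""Simulated OAuth 2.0 authorization-code flow (RFC 6749, sections 4.1 and 6).

Everything here is an in-process stand-in for HTTP calls; no network is used.
The ID token of OpenID Connect is omitted to keep the example short.
"""
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

CLIENT_ID = "membrane-demo"                            # constructed value
CLIENT_SECRET = "demo-secret"                          # constructed value
CALLBACK = "https://client.example/oauth2callback"     # constructed value


class AuthorizationServer:
    """Stub external provider (constructed for the example)."""

    def __init__(self):
        self.users = {"alice": "correct horse"}        # constructed credential
        self.clients = {CLIENT_ID: {"secret": CLIENT_SECRET, "redirect_uri": CALLBACK}}
        self.codes = {}    # access code -> (user, client_id, redirect_uri)
        self.tokens = {}   # access token -> user

    def authorize(self, client_id, redirect_uri, state, username, password):
        # Steps 3.1 / 3.2: the user authenticates and consents.
        reg = self.clients.get(client_id)
        if reg is None or reg["redirect_uri"] != redirect_uri:
            raise PermissionError("unknown client or unregistered redirect_uri")
        if self.users.get(username) != password:
            raise PermissionError("bad credentials")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (username, client_id, redirect_uri)
        # Step 4: redirect back to the client's callback with code and the caller's state.
        return f"{redirect_uri}?{urlencode({'code': code, 'state': state})}"

    def token(self, code, client_id, client_secret, redirect_uri):
        # Steps 5 / 6: exchange the single-use code for an access token.
        entry = self.codes.pop(code, None)             # pop: a code cannot be replayed
        if entry is None or entry[1] != client_id or entry[2] != redirect_uri:
            raise PermissionError("invalid access code")
        if self.clients[client_id]["secret"] != client_secret:
            raise PermissionError("bad client secret")
        tok = secrets.token_urlsafe(24)
        self.tokens[tok] = entry[0]
        return {"access_token": tok, "token_type": "Bearer"}

    def userinfo(self, access_token):
        # Steps 7 / 8: return the user's data for a valid access token.
        user = self.tokens.get(access_token)
        if user is None:
            raise PermissionError("invalid access token")
        return {"sub": user}


class AuthorizationProxy:
    """Plays the client role in front of the resource server."""

    def __init__(self, auth_server):
        self.auth = auth_server
        self.sessions = {}   # browser session id -> pending state

    def start(self, session_id):
        # Step 2: redirect the user to the authorization endpoint with a fresh state.
        state = secrets.token_urlsafe(16)
        self.sessions[session_id] = {"state": state}
        params = {"response_type": "code", "client_id": CLIENT_ID,
                  "redirect_uri": CALLBACK, "state": state}
        return f"https://auth.example/authorize?{urlencode(params)}"   # constructed URL

    def callback(self, session_id, callback_url):
        # Step 4: the returned state must be the one issued for this session (CSRF check).
        query = parse_qs(urlparse(callback_url).query)
        sess = self.sessions.get(session_id)
        if sess is None or query.get("state", [None])[0] != sess["state"]:
            raise PermissionError("state mismatch")
        del self.sessions[session_id]                  # state is single-use as well
        token = self.auth.token(query["code"][0], CLIENT_ID, CLIENT_SECRET, CALLBACK)
        info = self.auth.userinfo(token["access_token"])
        # Step 9: collected data handed on to the secret resource, here as headers.
        return {"X-Authenticated-User": info["sub"], "X-Token-Type": token["token_type"]}


def run_flow(username, password, tamper_state=False):
    """Drive one complete flow; tamper_state simulates a forged callback."""
    auth = AuthorizationServer()
    proxy = AuthorizationProxy(auth)
    sid = "session-1"                                  # constructed session id
    login_url = proxy.start(sid)
    q = parse_qs(urlparse(login_url).query)
    state = "forged" if tamper_state else q["state"][0]
    cb = auth.authorize(q["client_id"][0], q["redirect_uri"][0], state, username, password)
    return proxy.callback(sid, cb)


def flow_rejected(username, password, tamper_state=False):
    """True when the flow is refused with PermissionError."""
    try:
        run_flow(username, password, tamper_state)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    print(run_flow("alice", "correct horse"))
```

The headers returned by `callback` correspond to the data a Groovy interceptor would shape for the resource in step 9; a forged `state` or a wrong password never reaches the token endpoint, and a code presented twice is rejected because the server discards it on first use.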