Service OAuth security
Service OAuth security is configured when the inbound side of a Sentinet virtual service must support the OAuth protocol. In this case, the virtual service must accept and validate OAuth tokens issued by an external OAuth server, and may process the claims received in the OAuth token using Sentinet Access Rules and a Claims Authorization Rule Expression. How the virtual service communicates with the physical (backend) business service/API is irrelevant to the OAuth protocol and is considered internal security between Sentinet and the business service/API (for example, it can be Basic Authentication, Windows Integrated, mutual X.509 SSL or some other non-OAuth security model).
There are two types of OAuth tokens that Sentinet can be configured to validate:
JSON Web Token (JWT)
Reference token
JSON Web Tokens (JWT) validation
In this scenario, the User application makes a call to the OAuth server and receives a JWT with claims issued by the OAuth server for the User application (step 1 on the diagram above).
The User application sends the JWT to the Sentinet virtual service (step 2 on the diagram). The Sentinet virtual service validates the JWT received from the User application (a self-contained token is validated by checking its signature, issuer, audience and expiration against what the virtual service knows about the OAuth server) and then processes its claims.
Note that the Sentinet virtual service does not communicate with the OAuth server directly to validate a token (there is no step 3 in this use case scenario).
In some configuration cases (described later in the Policy Configurations for OAuth security), the virtual service may be required to periodically contact the OAuth server (once an hour) to obtain, or refresh its existing knowledge of, the OAuth server's metadata, for example the signing keys needed to verify token signatures.
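The following is an added example, not code from the Sentinet product or its documentation, showing what local JWT validation at the virtual service looks like: step 1 is simulated by a stand-in OAuth server that signs claims, step 2 validates the token using only a locally held key set (standing in for the OAuth server metadata that is refreshed periodically) and never calls the OAuth server, and a hypothetical scope check plays the role of a claims authorization rule. HS256 with a shared secret is used only so the example runs offline; real deployments verify asymmetric signatures with the server's published keys. The key id, secret, issuer, audience and scope values are assumptions made up for this example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed stand-in for the OAuth server's metadata: a key set indexed by key id.
# Real deployments use the server's asymmetric signing keys, refreshed periodically;
# HS256 is used here only so the example runs offline. All values are assumptions.
KEY_SET = {"kid-2024-01": b"constructed-example-secret-do-not-reuse"}
EXPECTED_ISSUER = "https://oauth.example.test"
EXPECTED_AUDIENCE = "sentinet-virtual-service"


def encode_segment(obj: dict) -> str:
    """Base64url-encode a JSON object as one JWT segment (no padding)."""
    raw = json.dumps(obj, separators=(",", ":")).encode("utf-8")
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_bytes(text: str) -> bytes:
    """Base64url-decode one JWT segment, restoring the stripped padding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_jwt(claims: dict, kid: str, key_set: dict = KEY_SET) -> str:
    """Step 1 stand-in: the OAuth server signs the claims for the User application."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = encode_segment(header) + "." + encode_segment(claims)
    signature = hmac.new(key_set[kid], signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + base64.urlsafe_b64encode(signature).rstrip(b"=").decode("ascii")


def validate_jwt(token: str, key_set: dict = KEY_SET, now=None) -> dict:
    """Step 2: the virtual service validates the token locally, without calling the OAuth server.

    Returns the claims on success; raises ValueError naming the first failed check.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, signature_b64 = parts
    header = json.loads(decode_bytes(header_b64))
    # Pin the algorithm: the token must never choose it (rejects "none" and alg confusion).
    if header.get("alg") != "HS256":
        raise ValueError("unsupported alg")
    key = key_set.get(header.get("kid"))
    if key is None:
        # An unknown kid is the usual signal that the cached OAuth server metadata is stale.
        raise ValueError("unknown kid")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, decode_bytes(signature_b64)):
        raise ValueError("bad signature")
    claims = json.loads(decode_bytes(payload_b64))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("wrong issuer")
    audience = claims.get("aud")
    audience = audience if isinstance(audience, list) else [audience]
    if EXPECTED_AUDIENCE not in audience:
        raise ValueError("wrong audience")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("token expired or missing exp")
    return claims


def rejection_reason(token: str, key_set: dict = KEY_SET, now=None):
    """None if the token validates, otherwise the failed check (useful for access logs)."""
    try:
        validate_jwt(token, key_set, now)
        return None
    except ValueError as err:
        return str(err)


def authorize(claims: dict, required_scope: str) -> bool:
    """Hypothetical claims-authorization step (in the spirit of a Claims Authorization
    Rule Expression): allow only when the required scope is among the token's scopes."""
    return required_scope in claims.get("scope", "").split()


if __name__ == "__main__":
    now = 1_700_000_000
    token = issue_jwt({"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE, "sub": "user-app-1",
                       "scope": "orders:read", "exp": now + 3600}, "kid-2024-01")
    print("rejection:", rejection_reason(token, now=now))
    print("orders:read allowed:", authorize(validate_jwt(token, now=now), "orders:read"))
```

The order of checks matters: the signature is verified before any claim is trusted, so a caller cannot influence the issuer, audience or expiry checks with a forged payload, and an unknown key id is reported separately because it is the case that a metadata refresh would resolve.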
Reference tokens validation
In this scenario, the User application makes a call to the OAuth server and receives a Reference token that does not itself contain any claims about the User application, but only a reference to the claims stored about the User application on the OAuth server (step 1 on the diagram above).
The User application sends the Reference token to the Sentinet virtual service (step 2 on the diagram).
The Sentinet virtual service sends the Reference token to the OAuth server and receives the claims about the User application (step 3 on the diagram).
The Sentinet virtual service does not have to contact the OAuth server (step 3 on the diagram above) for every request message that comes from the User application. Claims about the User application can be cached locally on the Sentinet server for a defined amount of time. Note that a token revoked on the OAuth server therefore continues to be accepted by the virtual service until its cached claims expire, so the cache lifetime should be chosen with that delay in mind.
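The following is an added example, not code from the Sentinet product or its documentation, showing the reference-token flow with a claims cache on the gateway side: a constructed stand-in for the OAuth server's introspection endpoint plays step 3 and counts how often it is called, and the validator caches only positive results, for no longer than the configured lifetime and never past the token's own expiry. The token values, claims and lifetimes are assumptions made up for this example.

```python
import time

# Constructed contents of the OAuth server's token store: reference token -> claims.
# These tokens, claims and expiry times are assumptions for this example only.
SAMPLE_STORE = {
    "ref-abc123": {"active": True, "sub": "user-app-1", "scope": "orders:read", "exp": 1_700_003_600},
    "ref-short": {"active": True, "sub": "user-app-2", "scope": "orders:read", "exp": 1_700_000_060},
    "ref-revoked": {"active": False},
}


class OAuthServerStub:
    """Stand-in for the OAuth server's introspection endpoint (step 3 on the diagram)."""

    def __init__(self, store: dict):
        self._store = store
        self.introspect_calls = 0  # exposes how often step 3 actually happens

    def introspect(self, reference_token: str) -> dict:
        self.introspect_calls += 1
        return dict(self._store.get(reference_token, {"active": False}))


class ReferenceTokenValidator:
    """Virtual service side: resolves a reference token to claims, caching positive results."""

    def __init__(self, server: OAuthServerStub, cache_ttl_seconds: int = 300):
        self._server = server
        self._ttl = cache_ttl_seconds
        self._cache = {}  # reference token -> (claims, time at which the entry stops being used)

    def resolve(self, reference_token: str, now=None):
        """Return the claims for the token, or None if it must be rejected."""
        now = time.time() if now is None else now
        cached = self._cache.get(reference_token)
        if cached is not None:
            claims, cache_expiry = cached
            if now < cache_expiry:
                return claims  # served locally, no call to the OAuth server
            del self._cache[reference_token]
        result = self._server.introspect(reference_token)
        if not result.get("active"):
            return None  # negatives are never cached, so a rejected token is re-checked each time
        claims = {key: value for key, value in result.items() if key != "active"}
        token_expiry = claims.get("exp", now + self._ttl)
        if token_expiry <= now:
            return None  # reported active but already past its own expiry
        # Cache no longer than the configured lifetime, and never past the token's own expiry.
        self._cache[reference_token] = (claims, min(now + self._ttl, token_expiry))
        return claims

    def cached_tokens(self) -> int:
        return len(self._cache)


if __name__ == "__main__":
    server = OAuthServerStub(SAMPLE_STORE)
    validator = ReferenceTokenValidator(server, cache_ttl_seconds=300)
    now = 1_700_000_000
    for offset in (0, 200, 301):
        claims = validator.resolve("ref-abc123", now=now + offset)
        print(f"t+{offset}s: claims={claims} introspection calls so far={server.introspect_calls}")
```

Two design choices carry the security meaning: only positive results are cached, so a token the OAuth server rejects never becomes accepted through the cache, and the cache lifetime is the upper bound on how long a token revoked at the OAuth server keeps working at the gateway, which is the trade-off to weigh when choosing that lifetime.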