Service OAuth security

Service OAuth security is configured when a Sentinet virtual service's inbound side requires support for OAuth protocol. In this case, the virtual service must accept and validate OAuth tokens issued by an external OAuth server, and may process claims received in the OAuth token using Sentinet Access Rules and Claims Authorization Rule Expression. How the virtual service communicates with the physical (backend) business service/API is irrelevant to the OAuth protocol and is considered to be internal security between Sentinet and the business service/API (for example, it can be Basic Authentication, Windows Integrated, mutual X.509 SSL or some other non-OAuth security model).

There are two types of OAuth tokens that Sentinet can be configured to validate:

Service OAuth security with authentication flows
Figure. Service OAuth security with authentication flows for JWT and Reference tokens

JSON Web Tokens (JWT) validation

In this scenario, the User application makes a call to the OAuth server and receives a JWT token with claims issued by the OAuth server for the User application (step 1 on the diagram above).
User application sends JWT token to the Sentinet virtual service (step 2 on the diagram). Sentinet virtual service validates JWT token received from the User application.
Note that Sentinet virtual service does not communicate with the OAuth server directly (there is no step 3 in this use case scenario).

Note

In some configuration cases (described later in the Policy Configurations for OAuth security), the virtual service may be required to periodically (once every 1 hour) contact the OAuth server to learn about (or refresh existing knowledge of) OAuth server’s metadata.

Reference tokens validation

In this scenario, User application makes a call to the OAuth server and receives a Reference token that does not contain any claims about the User application, but rather a reference to the Claims stored about the User application on the OAuth server (step 1 on the diagram above).
User application sends Reference token to the Sentinet virtual service (step 2 on the diagram).
Sentinet virtual service sends Reference token to the OAuth server and receives claims about the User application (step 3 on the diagram).

Note

Sentinet virtual service does not have to contact OAuth server (step 3 on the diagram above) for each request message that comes from the User application. Claims about User application can be cached locally on the Sentinet server for a defined amount of time.