OAuth is the standard protocol for API security and app integrations.
The Curity Token Service is the most flexible OAuth 2.0 server in the world. Implementing the full standard and giving all the power of token issuance to the administrator.
Brings single sign-on (SSO) to mobile and web.
OpenID Connect is the identity layer ontop of OAuth 2.0. It provides Single Sign-On and identity data for applications built for mobile and web. With the Curity Token Service the OpenID Connect standard is brought to the developer with full power.
Integrate OAuth with a few lines.
Single page applications (and others) can utilize the powerful Assisted Token API in Curity. Assisted Token lets the application get tokens without leaving the web page with only 5 lines of code.
Powerful integrations with internal and external tokens.
Microservices is about time to market. Building and deploying new services should be fast and easy. Curity's Phantom Tokens makes it easy to create a single security pattern for all microservices. Design once, use forever.
Revoking tokens is just as important as issuing tokens. The Token Service provides standardized APIs for revoking tokens for clients and users.
OAuth scopes represent rights or permissions granted to an app. Sometimes rights should be revoked after a certain period of time while others remain. Implementing such a use case is easy with Curity because each scope can have its own specific expiration time. As tokens are used, the associated permissions and power of tokens are reduced as expired scopes are removed.
Phantom Tokens are the collective name of internal tokens inside your network. It's good practice to send opaque tokens on the Internet and trade them for JSON Web Tokens internally. We call these internal tokens Phantom Tokens.Read more
Tokens are not just identifiers! Good tokens contain just the right information that the API needs. Curity lets you create tokens with data collected from any type of data source, many at the same time, even specifically for a certain user.
The first step when accessing OAuth protected data is to have the user authenticate, to let the client receive an access token.
The client application sends a request to Curity to retreive a token
Curity requires the user to authenticate. Depending on how the Authentication service is configured, the user is presented with the appropriate authentication methods.
A token is issued to the client application. This is a regular OAuth Access Token.
The client calls the API using the issued token. It passes the Access Token in the header.
The token is deemed valid and data is returned.
When sending tokens over the Internet it's often desirable to hide the information inside it. Mainly since the information is intended for the APIs and not for the client. Internally it’s however very handy to use by value tokens such as JSON Web Tokens (JWT) since they scale nicely and are easy to use. To achieve this, a Reverse Proxy (RP) is placed between the APIs and the caller, where the RP translates the external token to an internal Phantom Token (JWT). This internal token contains the same data, but is issued in a different format.
The client application sends a request to the API passing the external token.
The RP validates the token the first time it sees it, by sending it to Curity
Curity responds with a Phantom Token that the RP stores in its cache.
The RP passes the Phantom Token to the API, that can read the contents without having to call Curity.