
The world's most powerful OAuth and OpenID Connect Server

How it works - Getting a token

The first step when accessing OAuth-protected data is to have the user authenticate, so that the client can receive an access token.

1. The client application sends a request to Curity to retrieve a token.

2. Curity requires the user to authenticate. Depending on how the Authentication Service is configured, the user is presented with the appropriate authentication methods.

3. A token is issued to the client application. This is a regular OAuth Access Token.

4. The client calls the API using the issued token, passing the Access Token in the Authorization header.

5. The token is deemed valid and data is returned.

The Phantom Token

When sending tokens over the Internet it is often desirable to hide the information inside them, mainly because that information is intended for the APIs and not for the client. Internally, however, it is very handy to use by-value tokens such as JSON Web Tokens (JWT), since they scale nicely and are easy to use. To get both, a Reverse Proxy (RP) is placed between the APIs and the caller, and the RP translates the external (opaque) token into an internal Phantom Token (a JWT). The internal token carries the same data as the external one, but is issued in a different format.

1. The client application sends a request to the API, passing the external token.

2. The RP validates the token the first time it sees it, by sending it to Curity.

3. Curity responds with a Phantom Token, which the RP stores in its cache.

4. The RP passes the Phantom Token to the API, which can read its contents without having to call Curity.
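The RP side of the four steps above, as an added example that is not Curity's own code: it exchanges the opaque external token for the Phantom Token, caches the result only until the JWT's expiry, and rewrites the Authorization header for the internal API. The call to Curity is replaced by a constructed stand-in (`sample_introspect`, with placeholder tokens); a real RP would make that round trip to the introspection endpoint over TLS.

```python
import time
from typing import Callable, Dict, Optional, Tuple

# Constructed sample data standing in for Curity's answer: opaque external
# token -> (phantom JWT, expiry as epoch seconds). Values are placeholders.
_SAMPLE = {
    "ext-abc123": ("eyJhbGciOi.phantom-jwt-for-abc123.sig", time.time() + 300),
    "ext-expired": ("eyJhbGciOi.phantom-jwt-expired.sig", time.time() - 1),
}

def sample_introspect(external_token: str) -> Optional[Tuple[str, float]]:
    """Stand-in for the introspection round trip to Curity (assumed interface)."""
    return _SAMPLE.get(external_token)

class PhantomTokenCache:
    def __init__(self, introspect: Callable[[str], Optional[Tuple[str, float]]],
                 clock: Callable[[], float] = time.time):
        self._introspect = introspect
        self._clock = clock
        self._cache: Dict[str, Tuple[str, float]] = {}
        self.introspection_calls = 0  # counts round trips to Curity

    def resolve(self, external_token: str) -> Optional[str]:
        now = self._clock()
        hit = self._cache.get(external_token)
        if hit is not None:
            jwt, exp = hit
            if exp > now:
                return jwt                   # cache hit: no call to Curity
            del self._cache[external_token]  # expired entry, re-validate
        self.introspection_calls += 1
        result = self._introspect(external_token)
        if result is None:
            return None                      # unknown or revoked: reject, cache nothing
        jwt, exp = result
        if exp <= now:
            return None                      # already expired according to Curity
        self._cache[external_token] = (jwt, exp)  # cache no longer than the JWT lives
        return jwt

def forward_headers(cache: PhantomTokenCache, incoming: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Rewrite Authorization for the internal API; None means the RP answers 401 itself."""
    scheme, _, token = incoming.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        return None
    jwt = cache.resolve(token)
    if jwt is None:
        return None
    out = dict(incoming)
    out["Authorization"] = f"Bearer {jwt}"
    return out
```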