OAuth 2.0
Explore OAuth 2.0. What is it and how can you best implement it?
OAuth 2.0 is the industry-standard protocol for authorization and access delegation. It specifies a process for resource owners to authorize third-party access to their resources without sharing their credentials. OAuth facilitates fast and secure authentication and authorization for users to APIs, servers, devices and apps. It does this without sharing password information and instead uses access tokens to prove an identity, keeping user credentials safe.
![Supported OAuth 2.0 RFCs](/images/resources/architect/supported-rfcs-curity.png)
Supported OAuth 2.0 RFCs
OAuth related standards supported by the Curity Identity Server.
![Pushed Authorization Requests (PAR)](/images/resources/architect/oauth/pushed-authorization-requests-curity.png)
Pushed Authorization Requests (PAR)
What is PAR, and how does it help improve security for financial-grade APIs?
![Client Assertions and the JWKS URI](/images/resources/architect/oauth/client_assertions_jwks_uri-curity.png)
Client Assertions and the JWKS URI
Protecting APIs with strong security by requiring clients to authenticate using JWT client assertions
![Mutual TLS Sender Constrained Access Tokens](/images/resources/architect/mutual-mtls-sender-constrained-access-tokens-curity.png)
Mutual TLS Sender Constrained Access Tokens
Mutual TLS Sender Constrained Tokens add another security layer and mitigate the risk of misuse of tokens.
![Mutual TLS Client Authentication](/images/resources/architect/mutual-mtls-sender-constrained-access-tokens-curity.png)
Mutual TLS Client Authentication
What is Mutual TLS, and how does Client Authentication with Mutual TLS work?
![OAuth Revoke Flow](/images/resources/develop/oauth/revoking-tokens-curity.png)
OAuth Revoke Flow
The OAuth Revoke Flow Explained.
![OAuth Refresh](/images/resources/develop/oauth/refresh-token-curity.png)
OAuth Refresh
The OAuth Refresh Tokens and Flow Explained.
![OAuth Device Flow](/images/resources/develop/oauth-device-flow.png)
OAuth Device Flow
The OAuth Device Flow Explained.
![OAuth Resource Owner Password Credentials Flow](/images/resources/develop/resource-owner-password-credentials-flow-curity.png)
OAuth Resource Owner Password Credentials Flow
The OAuth Resource Owner Password Credentials Flow Explained.
![OAuth Client Credentials Flow](/images/resources/develop/client-credentials-flow-curity.png)
OAuth Client Credentials Flow
The OAuth Client Credentials Flow Explained.
![OAuth Token Exchange Flow](/images/resources/develop/oauth/token-exchange-flow.jpg)
OAuth Token Exchange Flow
OAuth 2.0 Token Exchange Explained.
![OAuth Implicit Flow | Curity](/images/resources/develop/implicit-flow-curity.png)
OAuth Implicit Flow | Curity
The OAuth Implicit flow explained.
![Demonstrating Proof of Possession Overview](/images/resources/architect/oauth/demonstration-of-proof-of-possession-curity.png?v=20230315)
Demonstrating Proof of Possession Overview
What is Demonstrating Proof of Possession (DPoP), and how can it be used to improve the security of public clients?
![OAuth Code Flow](/images/resources/develop/code-flow-curity.png)
OAuth Code Flow
The OAuth Code Flow Explained.
![Proof Key for Code Exchange Overview](/images/resources/architect/supported-rfcs-curity.png)
Proof Key for Code Exchange Overview
Learn how the Proof Key for Code Exchange (PKCE) should be used in the OAuth server.
![OAuth 2.0 Overview](/images/resources/develop/oauth2-curity.png)
OAuth 2.0 Overview
An overview of the OAuth 2.0 authorization framework, summarizing the roles of resource owner, client, resource server and authorization server.
How-tos
![Google Apigee API Management OAuth Proxy](/images/resources/tutorials/integration/tutorials-apigee.png)
Google Apigee API Management OAuth Proxy
An OAuth proxy module that runs in Google Apigee API Management, to translate secure cookies to access tokens
![OAuth Proxy for AWS API Gateway](/images/resources/code-examples/code-examples-aws.jpg)
OAuth Proxy for AWS API Gateway
An OAuth proxy that runs in AWS API Gateway, to translate secure cookies to access tokens
![OAuth Proxy for Azure API Management](/images/resources/code-examples/azure-oauth-proxy-apim-policy.jpg)
OAuth Proxy for Azure API Management
An OAuth proxy module that runs in Azure API Management, to translate secure cookies to access tokens
![NGINX OAuth Proxy Module](/images/resources/code-examples/code-examples-nginx.jpg)
NGINX OAuth Proxy Module
An OAuth proxy module that runs in the NGINX API gateway, to translate secure cookies to access tokens
![OpenResty OAuth Proxy Plugin](/images/resources/tutorials/integration/openresty.png)
OpenResty OAuth Proxy Plugin
An OAuth proxy module that runs in the OpenResty API gateway, to translate secure cookies to access tokens
![Kong OAuth Proxy Plugin](/images/resources/tutorials/integration/tutorials-kong.png)
Kong OAuth Proxy Plugin
An OAuth proxy module that runs in the Kong API gateway, to translate secure cookies to access tokens
![Device Authorization Grant](/images/resources/operate/tutorials/device-flow-howto.jpg)
Device Authorization Grant
The OAuth 2.0 Device Authorization Grant solves the problem of authenticating a user on a device that does not have user-friendly input capabilities. Authentication instead takes place out-of-band on a different device.
![User Consent](/images/resources/tutorials/flows/user-consent.png)
User Consent
Handling user consent for claims
![Resource Owner Password Flow](/images/resources/tutorials/flows/resource-owner-password-credentials-flow.png)
Resource Owner Password Flow
This tutorial explains how to use the Resource Owner Password Credential Flow (ROPC) to obtain tokens from the Curity Identity Server
![Revoking OAuth Tokens](/images/resources/tutorials/flows/revoking-tokens.png)
Revoking OAuth Tokens
Learn how to revoke access and refresh tokens issued according to the OAuth standard
![Refresh Tokens](/images/resources/tutorials/flows/refresh-token.png)
Refresh Tokens
This tutorial explains how to issue Refresh Tokens in the Curity Identity Server, control their lifetime, include/exclude them for certain clients, and use them to get new access tokens
![Client Credentials Flow](/images/resources/tutorials/flows/client-credentials-flow.jpg)
Client Credentials Flow
OAuth has a flow called client credentials that comes in handy when requests to your APIs do not involve a user. Using the Client Credentials flow, it's possible to let servers communicate with your API without modifying the APIs themselves.
![Hybrid Flow](/images/resources/tutorials/flows/hybrid-flow.png)
Hybrid Flow
This tutorial explains how to obtain an OAuth access token using the hybrid flow. The guide includes step-by-step instructions for how to set it up and configure it in the Curity Identity Server.
![Implicit Flow](/images/resources/tutorials/flows/implicit-flow.png)
Implicit Flow
Using the OAuth 2.0 Implicit Flow
![Code Flow](/images/resources/tutorials/flows/oauth-code-flow-curity.png)
Code Flow
This tutorial explains how to obtain an OAuth access token using the code flow, a popular message exchange pattern used by server-based applications. The guide includes step-by-step instructions for how to set it up and configure it in the Curity Identity Server.