OAuth 2.0 access management
Secure your APIs with access tokens
The Connect2id server can act as a fully fledged OAuth 2.0 server, for securing web APIs and other protected resources with access tokens.
All standard OAuth 2.0 grants, or flows, for obtaining access tokens are supported:
- For traditional web apps as well as mobile / native clients
- Resource owner password: for highly trusted clients or if other grant types are unavailable
- For clients that act on their own behalf
- For bridging two security domains
- SAML 2.0 assertion: for SAML clients that need to obtain OAuth tokens
Bring your own policies
Security architects enjoy plenty of freedom with the Connect2id server:
- Apply arbitrary rules and security policies to each OAuth 2.0 grant. These may be implemented in any programming language, and are applied to the Connect2id server via its APIs (web or native).
- Authorisations can be short-lived (transient) or long-lived (persisted). The latter enable end-user consent to be remembered across token requests and login sessions.
- The issued access tokens can be self-contained (encoded as a signed or signed + encrypted JWT) or identifier-based (the authorisation is stored in a database and queried remotely by a key).
- Selected token scope values can be assigned implicitly.
- The lifetime of the issued ID, access and refresh tokens can be controlled for each individual application and end-user.
- Tokens may carry additional data.
Version 4 of the Connect2id server added support for special scenarios:
- Impersonation: enables a privileged user to log into a client application under a different identity. May also extend to accessing protected resources (web APIs) as the impersonated identity and using their permissions.
- Delegation: enables one user to act on behalf of another.
The Connect2id server provides web-based endpoints to manage the entire life cycle of a token:
- Token issue
- Token inspection
- Update of the associated scope and other details (for long-lived authorisations / refresh tokens)
- Token revocation
- Query long-lived authorisations per client or end-user
Support for distributed apps
Applications that are distributed within and across data centres are easily catered for by the Connect2id server. This is accomplished with self-contained access tokens (JWT) which take only a fraction of a millisecond to verify and clear the request.
Applications with limited / unreliable connectivity can also benefit from this approach.
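The following added example (not Connect2id code, and not from this page) makes the two token styles concrete: a self-contained, HMAC-signed JWT access token that a resource server verifies locally with no round trip, set against an identifier-based token that must be looked up in the authorisation server's store on every request. The shared key, the claims and the in-memory token store are constructed demo values, and HS256 stands in for whatever signing or encryption the issuer would actually use.

```python
import base64, hashlib, hmac, json, time
# Constructed demo key shared by issuer and resource server (not a Connect2id key).
SHARED_SECRET = b"constructed-demo-secret"

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_self_contained_token(claims: dict, secret: bytes = SHARED_SECRET) -> str:
    """Issuer side (demo): encode the authorisation as an HS256-signed JWT."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "at+jwt"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"

def verify_self_contained_token(token, audience, scope, secret=SHARED_SECRET, now=None):
    """Resource server side: signature, expiry, audience and scope are checked
    locally, with no round trip to the authorisation server. None means reject."""
    now = time.time() if now is None else now
    try:
        h, b, s = token.split(".")
        header, claims = json.loads(b64url_decode(h)), json.loads(b64url_decode(b))
        signature = b64url_decode(s)
    except (ValueError, UnicodeDecodeError):
        return None                      # malformed token
    if not isinstance(header, dict) or not isinstance(claims, dict) or header.get("alg") != "HS256":
        return None                      # bad structure, 'none' or an unexpected algorithm
    expected = hmac.new(secret, f"{h}.{b}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None                      # tampered, or signed by another issuer
    aud = claims.get("aud")
    if audience != aud and not (isinstance(aud, list) and audience in aud):
        return None                      # minted for a different API
    if claims.get("exp", 0) <= now or scope not in str(claims.get("scope", "")).split():
        return None                      # expired or insufficient scope
    return claims

# Identifier-based alternative: the token is an opaque key and the authorisation
# record is fetched from a store on every request (constructed in-memory stand-in).
TOKEN_STORE = {"oZ9x3VpQ": {"sub": "alice", "aud": "https://api.example.com",
                            "scope": "read write", "exp": 2_000_000_000}}

def verify_identifier_token(token, audience, scope, now=None):
    rec = TOKEN_STORE.get(token)
    now = time.time() if now is None else now
    if rec is None or rec["aud"] != audience or rec["exp"] <= now:
        return None
    return rec if scope in rec["scope"].split() else None
```

The self-contained path needs only the issuer's key on the resource server, which is why it suits distributed or poorly connected deployments; the identifier path needs the token store (or an inspection endpoint) reachable for every request, but revocation takes effect immediately.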