oauth2-jwt
OAuth 2.0 JSON Web Token (JWT) bearer flow, commonly known as "two-legged OAuth 2.0": the client signs a JWT with its own private key and exchanges it for an access token, with no user interaction.
See: https://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-12 (published as RFC 7523)
Code
client
- Designed to be used by clients interacting with the APIs externally
integration
- End-to-end integration test of the OAuth workflow
server
- Resources supporting the authorization-grant (token) endpoint
edge
- Library for edge services to validate incoming requests
store
- Backing store for long-lived key storage
Using OAuth 2.0 to Access Formation APIs
Basic Steps
Related: Google OAuth 2.0 flow
- Obtain OAuth 2.0 credentials from the console.
- Obtain an access token from the Formation Authorization Server.
- Send the access token to an API.
- Refresh the access token, if necessary.
Detailed Steps
1. Obtain OAuth 2.0 credentials from the console
See the UI documentation.
2. Obtain an access token from the Formation Authorization Server
Preparing to make an authorized API call (related Google documentation):
- Obtain the client ID and private key from the console.
- Create a JSON Web Token consisting of a header, a claim set, and a signature made with the private key.
- Request an access token from the Formation OAuth 2.0 Authorization Server, sending the signed JWT as the assertion of a jwt-bearer grant (RFC 7523 section 2.1).
- Handle the JSON response that the Authorization Server returns.
3. Send the access token to an API
Calling APIs (related Google documentation):
Include the access token in the request by sending an Authorization HTTP header whose value is the word Bearer followed by the token.
curl example:
curl -H "Authorization: Bearer <access-token>" $ENDPOINT
4. Refresh the access token, if necessary
Access tokens issued by the Formation OAuth 2.0 Authorization Server expire after the duration given by the expires_in value in the token response. When an access token expires, the application repeats step 2: generate another JWT, sign it, and request another access token.
Standards
Will be implemented against the following IETF standards:
- OAuth 2.0 protocol: rfc6749
- Granting short-lived bearer tokens (authorization scoping): rfc7523#section-2.1
- JWT format and signature: rfc7519
- Claims defined by the OAuth 2.0 JWT profile: rfc7523
- Server validation of the signed request: rfc7523#section-3
Follows the OAuth 2.0 service-account flow documented by Google:
- https://developers.google.com/identity/protocols/oauth2#serviceaccount
- https://developers.google.com/identity/protocols/oauth2/service-account#httprest
Setup environment
Bootstrap the server:
go run ./util server-bootstrap
Store the private key in the secrets manager under <env>/private-key.
Store the public key for the edge services, base64-encoded on a single line:
echo '<public-key>' | base64 -w 0