OAuth 2.0 Authorization Server - SSO
This page describes Ubisecure SSO support for the OAuth 2.0 authorization framework.
OAuth 2.0 messages involve credentials and access tokens that allow the bearer to retrieve protected resources. Use Transport Layer Security (TLS) to protect sensitive messages.
About OAuth 2.0 Support
OAuth 2.0 Authorization Framework (IETF, RFC 6749) enables a resource owner to grant a client application access to the owner's service.
Ubisecure SSO can function as an OAuth 2.0 Authorization Server. In this role, Ubisecure SSO authenticates resource owners and obtains their authorization in order to return access tokens to clients.
When using SSO as an OAuth 2.0 Authorization Server, you register clients in the Ubisecure SSO Management Interface.
OAuth 2.0 Authorization in WebSSO Use cases
Ubisecure SSO can function as an OAuth 2.0 Authorization Server to provide a WebSSO user experience for users accessing e-services using a Web browser. In such setups, the browser acts as the OAuth 2.0 Client.
Figure 1. Basic OAuth 2.0 WebSSO Use case entities and setup
The sequence diagram of the OAuth 2.0 Authorization in WebSSO Use cases is described on the page OAuth 2.0 API - SSO, under Authorization code grant and Web Single Sign-On.
OAuth 2.0 Authorization in Mobile Use cases
Ubisecure SSO can function as an OAuth 2.0 Authorization Server to give mobile users secure access to e-services through a native mobile application, such as a Google Android app, an iOS app on an iPhone or a Windows Mobile app. In such setups, the native mobile application acts as the OAuth 2.0 Client.
Figure 2. Basic OAuth 2.0 Mobile Use case entities and setup
In a typical mobile use case, a user (resource owner) grants a mobile banking application (OAuth 2.0 Client) access to account information held on the bank's e-banking server (OAuth 2.0 Resource Server).
The following flow diagram shows the primary roles Ubisecure SSO can have in an OAuth 2.0 mobile use case flow.
Figure 3. Ubisecure mobile login process flow using OAuth 2.0
The exact sequence diagram of the OAuth 2.0 Authorization in Mobile Use cases is described in Authorization code grant and native applications - SSO.
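The WebSSO and mobile use cases above both rest on the authorization code grant: the client sends the browser to the authorization server, the server authenticates the resource owner and redirects back with a one-time code, and the client exchanges that code for an access token over a back channel. The following is an added example, not Ubisecure code, that simulates both sides of that exchange in one process. The server, client, endpoint URL, redirect URI and user name are constructed placeholders; the checks it performs (registered redirect URI, `state` binding on the client, single-use code bound to the client and redirect URI) are the ones RFC 6749 prescribes.

```python
# Added example (not Ubisecure code): a toy OAuth 2.0 authorization code grant
# in the WebSSO/mobile shape described above. Server, client, endpoint URL,
# redirect URI and user are constructed placeholders; a real client talks to
# Ubisecure SSO over TLS.
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


class AuthorizationServer:
    """Toy authorization server: authorization endpoint + token endpoint."""

    def __init__(self):
        self.clients = {}  # client_id -> {"secret": str, "redirect_uris": [str]}
        self.codes = {}    # one-time authorization codes -> grant details
        self.tokens = {}   # access_token -> {"client_id", "user", "scope"}

    def register_client(self, client_id, client_secret, redirect_uris):
        self.clients[client_id] = {"secret": client_secret,
                                   "redirect_uris": list(redirect_uris)}

    def authorize(self, query, authenticated_user):
        """Authorization endpoint: the resource owner has already been
        authenticated (SSO session); issue a code to the registered client."""
        client = self.clients.get(query.get("client_id"))
        if client is None or query.get("response_type") != "code":
            raise ValueError("invalid_request")
        redirect_uri = query.get("redirect_uri")
        if redirect_uri not in client["redirect_uris"]:
            raise ValueError("invalid redirect_uri")  # never redirect elsewhere
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": query["client_id"],
                            "redirect_uri": redirect_uri,
                            "user": authenticated_user,
                            "scope": query.get("scope", "")}
        params = {"code": code}
        if "state" in query:
            params["state"] = query["state"]  # echoed back unchanged
        return redirect_uri + "?" + urlencode(params)

    def token(self, form, client_id, client_secret):
        """Token endpoint: client authenticates; code is redeemed exactly once."""
        client = self.clients.get(client_id)
        if client is None or not hmac.compare_digest(client["secret"], client_secret):
            raise ValueError("invalid_client")
        if form.get("grant_type") != "authorization_code":
            raise ValueError("unsupported_grant_type")
        grant = self.codes.pop(form.get("code", ""), None)  # pop => single use
        if (grant is None or grant["client_id"] != client_id
                or grant["redirect_uri"] != form.get("redirect_uri")):
            raise ValueError("invalid_grant")
        access_token = secrets.token_urlsafe(32)
        self.tokens[access_token] = {"client_id": client_id,
                                     "user": grant["user"], "scope": grant["scope"]}
        return {"access_token": access_token, "token_type": "Bearer", "expires_in": 3600}


class WebClient:
    """Toy OAuth 2.0 client (the e-service) that drives the browser redirects."""

    def __init__(self, client_id, client_secret, redirect_uri, server):
        self.client_id, self.client_secret = client_id, client_secret
        self.redirect_uri, self.server = redirect_uri, server
        self.pending_states = set()

    def start_login(self, scope):
        state = secrets.token_urlsafe(16)  # binds the callback to this session
        self.pending_states.add(state)
        query = {"response_type": "code", "client_id": self.client_id,
                 "redirect_uri": self.redirect_uri, "scope": scope, "state": state}
        return "https://sso.example.test/authorize?" + urlencode(query)  # placeholder

    def handle_callback(self, callback_url):
        q = {k: v[0] for k, v in parse_qs(urlparse(callback_url).query).items()}
        if q.get("state") not in self.pending_states:
            raise ValueError("unknown state: possible CSRF or replayed callback")
        self.pending_states.discard(q["state"])
        form = {"grant_type": "authorization_code", "code": q["code"],
                "redirect_uri": self.redirect_uri}
        return self.server.token(form, self.client_id, self.client_secret)


def run_flow():
    """Drive one login and record which misuse attempts are rejected."""
    server = AuthorizationServer()
    server.register_client("portal", "portal-secret", ["https://portal.example.test/cb"])
    client = WebClient("portal", "portal-secret", "https://portal.example.test/cb", server)

    login_url = client.start_login("profile")
    # The browser follows login_url; SSO authenticates "alice" and redirects back.
    authz_query = {k: v[0] for k, v in parse_qs(urlparse(login_url).query).items()}
    callback = server.authorize(authz_query, authenticated_user="alice")
    token = client.handle_callback(callback)
    code = parse_qs(urlparse(callback).query)["code"][0]

    replay_rejected = False
    try:  # the code was consumed by the first exchange
        server.token({"grant_type": "authorization_code", "code": code,
                      "redirect_uri": client.redirect_uri}, "portal", "portal-secret")
    except ValueError:
        replay_rejected = True

    bad_state_rejected = False
    try:  # a callback carrying a state this client never issued
        client.handle_callback(client.redirect_uri + "?code=x&state=forged")
    except ValueError:
        bad_state_rejected = True

    return {"token": token, "owner": server.tokens[token["access_token"]]["user"],
            "replay_rejected": replay_rejected, "bad_state_rejected": bad_state_rejected}
```

`run_flow()` returns the issued token together with two checks: the authorization code cannot be redeemed a second time, and a callback whose `state` the client did not generate is refused before any code is exchanged. A native mobile client follows the same sequence with its own registered redirect URI.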
OAuth 2.0 Authorization of Enterprise Account Users in API Security Use cases
Many e-services and content providers hold information and data content that they want to offer to their customers and partners through a secure API, so that the content can be consumed and aggregated easily and securely into various third-party e-services and applications on the basis of contractual relationships.
Figure 4. Accessing Data from backend API On Behalf of Authorized User using OAuth 2.0
In such setups, the portal or e-service of the Enterprise Account Customer acts as the OAuth 2.0 Client, whereas the content provider e-service API is the OAuth 2.0 Resource Server.
In this use case the Enterprise Account Customers are authorized based on the System Account contractually issued to them, which reflects the business relationship between the Content Provider and the Enterprise Customer.
Figure 5. Contractual Delivery of the Data over Secure API Using OAuth 2.0 Authorization and System Accounts
The sequence diagram of the OAuth 2.0 Authorization of Enterprise Account Users in API Security Use cases is described on the page Password grant - SSO.
OAuth 2.0 Authorization of Individual Users in API Security Use cases
In many Internet use cases, some of the data to be presented to an authorized user resides on a backend server, often provided by a third party. In these use cases the data must be looked up through a backend API, and the backend server and its content are accessed On Behalf of the Authorized User. This setup is sometimes referred to as a three-legged OAuth 2.0 use case.
In such setups, the portal or e-service has a dual role: first, it acts as the OAuth 2.0 Resource Server for the OAuth 2.0 Client; secondly, it also acts as an OAuth 2.0 Client, whereas the backend content provider e-service API is the OAuth 2.0 Resource Server.
Figure 6. Accessing Data from backend API On Behalf of Authorized User using OAuth 2.0
The sequence diagram of the OAuth 2.0 Authorization of Individual Users in API Security Use cases is described on the page Password grant - SSO.
Figure 7. Sequence diagram of authorization code grant for Authorization of Individual Users in API Security Use cases
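Both API security use cases above end the same way: a Resource Server receives a bearer access token on every API call and must decide whether to serve the request. The enterprise case additionally issues that token through the password grant against a System Account. The following is an added example, not Ubisecure code, that puts a toy password-grant token endpoint beside a toy content-provider API and exercises the checks the API performs (RFC 6750 `Authorization: Bearer` parsing, expiry, and scope). Client, account, scope names, the realm and the clock are constructed placeholders.

```python
# Added example (not Ubisecure code): password grant for a System Account plus
# a resource server that validates the bearer token on each API call. Names,
# scopes, realm and the injectable clock are constructed for illustration.
import hmac
import secrets


class TokenIssuer:
    """Toy token endpoint supporting only the password grant."""

    def __init__(self, clock):
        self.clock = clock            # callable returning seconds since epoch
        self.clients = {}             # client_id -> client_secret
        self.system_accounts = {}     # username -> (password, contracted scopes)
        self.tokens = {}              # access_token -> {"sub", "scope", "expires_at"}

    def register_client(self, client_id, client_secret):
        self.clients[client_id] = client_secret

    def register_system_account(self, username, password, scopes):
        self.system_accounts[username] = (password, set(scopes))

    def password_grant(self, form, client_id, client_secret, lifetime=300):
        secret = self.clients.get(client_id)
        if secret is None or not hmac.compare_digest(secret, client_secret):
            raise ValueError("invalid_client")
        if form.get("grant_type") != "password":
            raise ValueError("unsupported_grant_type")
        account = self.system_accounts.get(form.get("username", ""))
        if account is None or not hmac.compare_digest(account[0], form.get("password", "")):
            raise ValueError("invalid_grant")
        requested = set(form.get("scope", "").split())
        if not requested <= account[1]:
            raise ValueError("invalid_scope")  # cannot exceed the contracted scopes
        token = secrets.token_urlsafe(32)
        self.tokens[token] = {"sub": form["username"], "scope": requested,
                              "expires_at": self.clock() + lifetime}
        return {"access_token": token, "token_type": "Bearer", "expires_in": lifetime}

    def introspect(self, token):
        """Return the token record if it exists and has not expired, else None."""
        rec = self.tokens.get(token)
        if rec is None or rec["expires_at"] <= self.clock():
            return None
        return rec


class ResourceServer:
    """Toy content-provider API: every request must carry a valid bearer token."""

    def __init__(self, issuer, realm="content-api"):
        self.issuer, self.realm = issuer, realm

    def handle(self, headers, required_scope):
        """Return (status, response_headers, body) for one API request."""
        scheme, _, token = headers.get("Authorization", "").partition(" ")
        if scheme.lower() != "bearer" or not token.strip():
            return 401, {"WWW-Authenticate": f'Bearer realm="{self.realm}"'}, None
        rec = self.issuer.introspect(token.strip())
        if rec is None:
            return 401, {"WWW-Authenticate":
                         f'Bearer realm="{self.realm}", error="invalid_token"'}, None
        if required_scope not in rec["scope"]:
            return 403, {"WWW-Authenticate":
                         f'Bearer realm="{self.realm}", error="insufficient_scope"'}, None
        return 200, {}, {"subject": rec["sub"], "data": "contracted content"}


def demo():
    """Issue a System Account token, then exercise the API's checks."""
    now = [1_700_000_000.0]
    issuer = TokenIssuer(clock=lambda: now[0])
    issuer.register_client("partner-portal", "portal-secret")
    issuer.register_system_account("sys-acme", "acme-password", ["content:read"])
    api = ResourceServer(issuer)

    tok = issuer.password_grant({"grant_type": "password", "username": "sys-acme",
                                 "password": "acme-password", "scope": "content:read"},
                                "partner-portal", "portal-secret")
    good = {"Authorization": "Bearer " + tok["access_token"]}
    results = {
        "ok": api.handle(good, "content:read")[0],
        "no_header": api.handle({}, "content:read")[0],
        "wrong_scope": api.handle(good, "content:write")[0],
    }
    now[0] += tok["expires_in"]  # advance the clock past the token's lifetime
    results["expired"] = api.handle(good, "content:read")[0]

    over_scope_rejected = False
    try:  # the System Account was not contracted for content:write
        issuer.password_grant({"grant_type": "password", "username": "sys-acme",
                               "password": "acme-password", "scope": "content:write"},
                              "partner-portal", "portal-secret")
    except ValueError:
        over_scope_rejected = True
    results["over_scope_rejected"] = over_scope_rejected
    return results
```

`demo()` returns the HTTP status the API would give for a valid token, a request with no `Authorization` header, a token lacking the required scope, and the same token after expiry, and records that the token endpoint refuses to mint a token for a scope outside the account's contract. In the three-legged case the portal runs the `ResourceServer` logic toward its own callers and holds a separate token for the backend API.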