
I need some help to understand my problem.

I'm studying a way to provide authentication for my applications.

My scenario: I have a set of APIs with restricted access and users that will be authenticated and authorized to consume these resources. I'm using Keycloak as Identity Management to authenticate/authorize users. My services will be exposed through an API Gateway to public clients, externally.

Looking at the OAuth2 protocol, I realized that it only provides specifications for access from third-party applications, but I found one grant type called "Resource Owner Password Credentials Grant" that seems to solve my problem.

My applications won't have any kind of access granting or communication with third-party IdPs. In this scenario I have two questions:

Would OAuth + "Resource Owner Password Credentials Grant" be the best option to authenticate my clients?

All my applications will be accessed through the API GW. Does the Keycloak endpoint used to authenticate my clients need to be exposed in the API GW, or could it be a public endpoint?

Thanks.

Simio

1 Answer


Shortly speaking, the ROPC grant type plus OAuth2 will resolve your problem, but it is not recommended for such a solution. ROPC was designed in OAuth2 only to support legacy applications where no code changes are possible to use the more modern grant types.

As far as I understand your solution, you have an API layer that is hidden behind an API Gateway (of your own design) and Keycloak as Identity Server.

There are a couple of possible approaches, but what you could implement is something like this. As far as I know, Keycloak can also be used as an Authorization Server, so it can issue the access tokens that can be used to access your resources. The access token should be issued with a desired SCOPE which describes what API can be accessed by the client. Next, because your APIs cannot be accessed directly, the Relying Party is your API Gateway, so any request to an API is just a request to the API Gateway. It means that the API Gateway has to consume the access token. By consuming the access token I understand that if the client is requesting "API A", the API Gateway checks whether the access token includes a scope claim with a value related to the requested API (check the introspection endpoint in the OAuth2 specs). If it does, the API Gateway will pass the request through. If not, it will stop the request.

The best practice here is to use the "authorization code" flow. Please check also the Implicit flow, but it is not recommended now.

In this solution your Keycloak endpoint should be the public one, because your users have to authenticate against it.

Bartosz Rosa
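The gateway-side check the answer describes, written out as an added example (this is not code from the answer or from Keycloak): the gateway takes the bearer token off the incoming request, introspects it at the Authorization Server per RFC 7662, and forwards the request only if the token is active and its `scope` claim covers the API being requested. The route table, the introspection URL (Keycloak's lives at `<realm>/protocol/openid-connect/token/introspect`), the gateway's client credentials and the canned introspection responses are all assumptions made for the demo.

```python
"""Gateway-side scope check via token introspection (RFC 7662).

Added example, not code from the original answer. Route table, realm URL,
client credentials and the canned introspection responses are constructed.
"""
import base64
import json
import urllib.parse
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Hypothetical routes served by the gateway and the scope each one requires.
ROUTE_SCOPES = {
    "/api/a/": "api-a",
    "/api/b/": "api-b",
}

# Hypothetical Keycloak realm; the offline demo below never contacts it.
INTROSPECT_URL = ("https://keycloak.example.invalid/realms/demo"
                  "/protocol/openid-connect/token/introspect")


@dataclass
class Decision:
    allowed: bool
    reason: str


def required_scope(path: str) -> Optional[str]:
    """Longest-prefix match of the request path against the route table."""
    matches = [(p, s) for p, s in ROUTE_SCOPES.items() if path.startswith(p)]
    if not matches:
        return None
    return max(matches, key=lambda m: len(m[0]))[1]


def build_introspection_request(token: str, client_id: str,
                                client_secret: str) -> urllib.request.Request:
    """RFC 7662 request: POST form body; the gateway authenticates with HTTP
    Basic using its own confidential client credentials, never the user's."""
    body = urllib.parse.urlencode(
        {"token": token, "token_type_hint": "access_token"}).encode()
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return urllib.request.Request(
        INTROSPECT_URL, data=body, method="POST",
        headers={"Authorization": f"Basic {creds}",
                 "Content-Type": "application/x-www-form-urlencoded",
                 "Accept": "application/json"})


def introspect_live(token: str, client_id: str, client_secret: str) -> dict:
    """Network version; swap in for `fake_introspect` against a real realm."""
    req = build_introspection_request(token, client_id, client_secret)
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.load(resp)


def authorize(path: str, authorization_header: Optional[str],
              introspect: Callable[[str], dict]) -> Decision:
    """Decide whether the gateway may pass the request through to the API."""
    scope = required_scope(path)
    if scope is None:
        return Decision(False, "no route for path")
    if not authorization_header or not authorization_header.startswith("Bearer "):
        return Decision(False, "missing bearer token")
    token = authorization_header[len("Bearer "):].strip()
    info = introspect(token)
    # RFC 7662: an inactive (expired, revoked, unknown) token yields
    # {"active": false} and nothing else, so check `active` before any claim.
    if info.get("active") is not True:
        return Decision(False, "token inactive")
    granted = set(info.get("scope", "").split())
    if scope not in granted:
        return Decision(False, f"scope '{scope}' not granted")
    return Decision(True, f"subject {info.get('sub')} granted '{scope}'")


# Constructed introspection responses keyed by token, standing in for Keycloak.
FAKE_INTROSPECTION: Dict[str, dict] = {
    "tok-a": {"active": True, "scope": "openid api-a", "sub": "alice",
              "client_id": "web-app"},
    "tok-ab": {"active": True, "scope": "openid api-a api-b", "sub": "bob",
               "client_id": "web-app"},
    "tok-expired": {"active": False},
}


def fake_introspect(token: str) -> dict:
    """Offline stand-in for `introspect_live`; unknown tokens are inactive."""
    return FAKE_INTROSPECTION.get(token, {"active": False})


if __name__ == "__main__":
    for path, header in [("/api/a/users", "Bearer tok-a"),
                         ("/api/b/orders", "Bearer tok-a"),
                         ("/api/b/orders", "Bearer tok-ab"),
                         ("/api/a/users", "Bearer tok-expired"),
                         ("/api/a/users", None)]:
        print(path, header, "->", authorize(path, header, fake_introspect))
```

The introspection call is injected so the same `authorize` function runs offline against the constructed responses and online against `introspect_live`. Note that introspection costs one round trip to Keycloak per request; a gateway under load usually caches the result for the token's remaining lifetime or validates the JWT signature locally instead, which is a separate design choice not covered here.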
  • Sorry, what's the real problem with using ROPC for first-party applications? Until here in StackOverflow it is used. Even Medium and any other solutions. My guessing is that you are making an assumption without a knowledge base... And Auth Flow and Implicit flow are considered deprecated... – Simio Apr 06 '20 at 17:16
  • Well, no real problem. Just it is not recommended. Purpose is different than the problem you want to solve. – Bartosz Rosa Apr 06 '20 at 18:54
  • Authorization code with PKCE is not considered deprecated. Implicit flow is not recommended but is also not considered deprecated. It all depends on your threat analysis. – Bartosz Rosa Apr 06 '20 at 19:03
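To make concrete what "authorization code with PKCE" from the comments adds, and how its token request differs from the ROPC request the question asks about, here is an added example (not code from the thread, from Keycloak, or from either participant). The client generates a verifier/challenge pair per RFC 7636 and sends only the challenge to Keycloak's authorization endpoint; the Authorization Server later recomputes the challenge from the verifier presented at the token endpoint. The issuer URL, client id and redirect URI are hypothetical.

```python
"""Authorization code + PKCE (RFC 7636) versus ROPC, as request builders.

Added example, not from the original thread. Issuer, client id, redirect URI
and the sample code/credentials are constructed for illustration.
"""
import base64
import hashlib
import secrets
import urllib.parse
from typing import Tuple


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires for both values."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_pkce_pair() -> Tuple[str, str]:
    """Client side: 32 random bytes give a 43-char verifier; S256 challenge."""
    verifier = b64url(secrets.token_bytes(32))
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def build_authorization_url(issuer: str, client_id: str, redirect_uri: str,
                            scope: str, state: str, challenge: str) -> str:
    """Step 1 of the code flow: the browser is sent to the authorization
    endpoint with the challenge; the user's password never reaches the app."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    # Keycloak's authorization endpoint path under a realm URL.
    return f"{issuer}/protocol/openid-connect/auth?" + urllib.parse.urlencode(params)


def code_token_request(client_id: str, redirect_uri: str, code: str,
                       verifier: str) -> dict:
    """Step 2: the app redeems the code plus the verifier at the token endpoint."""
    return {"grant_type": "authorization_code", "client_id": client_id,
            "redirect_uri": redirect_uri, "code": code, "code_verifier": verifier}


def ropc_token_request(client_id: str, username: str, password: str) -> dict:
    """For contrast: the ROPC request from the question carries the resource
    owner's actual credentials through the application itself."""
    return {"grant_type": "password", "client_id": client_id,
            "username": username, "password": password}


def verify_pkce(verifier: str, challenge: str, method: str = "S256") -> bool:
    """Authorization Server side check at the token endpoint (RFC 7636 4.6)."""
    if not (43 <= len(verifier) <= 128):
        return False
    if method == "S256":
        expected = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    elif method == "plain":
        expected = verifier
    else:
        return False
    return secrets.compare_digest(expected, challenge)


if __name__ == "__main__":
    v, c = make_pkce_pair()
    print(build_authorization_url("https://kc.example.invalid/realms/demo",
                                  "web-app", "https://app.example.invalid/cb",
                                  "openid api-a", "opaque-state", c))
    print(code_token_request("web-app", "https://app.example.invalid/cb",
                             "sample-code", v))
    print(ropc_token_request("web-app", "alice", "hunter2"))
    print("AS accepts verifier:", verify_pkce(v, c))
```

The point of the contrast is in the two request bodies: the code flow's token request contains a short-lived `code` and the `code_verifier`, while the ROPC body contains the user's password, which is why ROPC requires the user to trust the application with their credentials and why the answer steers toward the code flow. The `state` parameter should be an unguessable value bound to the user's session and checked on the redirect; that check is outside this snippet.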