Create an API resource
To secure your backend APIs and web services, you must first create a resource in your tenant. For registration you can provide an API endpoint or an API identifier. The API endpoint can be your resource server's canonical URL or API gateway URL. Alternatively, you can use a unique identifier for your API resource.
Create resource permissions
- After user authorization, the client application obtains tokens (an ID token and an access token) from the authorization server.
- Next, the client makes API requests to the resource server, sending the bearer access token in the Authorization header of every API request.
- The resource server first validates the token according to the steps described below:
  - The resource server backend gets the public portion of the keys used for signing access tokens from the tenant's JWKS endpoint.
  - As a best practice, the resource server can cache the response from the JWKS endpoint, i.e. the list of public keys, for a short period (
  - Next, the resource server validates the access token signature using the public key and the algorithm used to sign the access token payload. If the token is invalid, it raises an HTTP 401 Unauthorized error.
  - Next, the resource server validates that it is the intended recipient of the token by checking whether the `aud` claim includes the API endpoint or identifier. If the resource server is not the intended recipient, it raises an HTTP 401 Unauthorized error.
  - Next, the resource server validates the `permissions` claims embedded in the token to ensure that the token bearer has the correct level of access. If the token has insufficient rights to a resource or does not match the requirements of the specific API action, it raises an HTTP 403 Forbidden error.
  - Finally, if all previous validations and checks are successful, the resource server returns a response with HTTP status code 200.
- If the resource server returns a successful response (HTTP status code 200), the client should process the returned data and display it to the user.
- If the resource server raises an unauthorized error (HTTP status code 401), the client should intercept the error and try to obtain a new token from the authorization server.
- If the resource server raises a forbidden error (HTTP status code 403), the client should display the returned error to the user.
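The client-side handling of these three outcomes, as an added example that is not part of the original page. The two collaborators, `callApi` and `getToken`, are hypothetical names injected so the logic runs without a network: `callApi(token)` stands for the HTTP call that sets `Authorization: Bearer <token>` and resolves to `{ status, body }`, and `getToken({ forceRefresh })` stands for whatever the client uses to obtain an access token from the authorization server, with `forceRefresh` bypassing any cached token.

```javascript
'use strict';

// Client-side handling of the resource server's three outcomes.
//   callApi(token)             -> Promise of { status, body }; sends "Authorization: Bearer <token>"
//   getToken({ forceRefresh }) -> Promise of an access token string
// Both are hypothetical, injected collaborators for this example.
async function requestWithRetry(callApi, getToken, { maxRetries = 1 } = {}) {
  let token = await getToken({ forceRefresh: false });
  for (let attempt = 0; ; attempt++) {
    const res = await callApi(token);
    if (res.status === 200) {
      return { ok: true, data: res.body }; // process and display the returned data
    }
    if (res.status === 401 && attempt < maxRetries) {
      // Intercept the unauthorized error: drop the cached token, obtain a new one, retry.
      // maxRetries bounds this so a token the server keeps rejecting cannot loop forever.
      token = await getToken({ forceRefresh: true });
      continue;
    }
    // 403: the token is valid but lacks rights, so a new token will not help; show the
    // returned error to the user. A 401 that survives the retry is surfaced the same way.
    return { ok: false, status: res.status, error: res.body };
  }
}
```

The distinction the retry loop encodes is the one the list above draws: a 401 means the token itself is unusable for this API (expired, badly signed, wrong audience), which a freshly issued token can fix, whereas a 403 means the user simply does not hold the required permission, so retrying only burns tokens and should not be attempted.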
[Sequence diagram: the client sends the access token as the Authorization header in every API request; the resource server gets the public keys (RSA and EC keys) from the JWKS endpoint, then validates the token signature using the public key and the algorithm used to sign the token, checks that the token audience (aud) claim includes the API endpoint or identifier, and validates the scope, roles and permissions embedded in the access token; it responds 200 if the token is valid, 401 Unauthorized if the token is invalid, or 403 Forbidden on insufficient rights.]