2-Legged OAuth using DataPower

DataPower provides support for the Client Credentials (client_credentials) grant type defined in the OAuth 2.0 specification. In this flow, the client sends its client_id and client_secret to the OAuth token endpoint and receives an access token. The access token is then sent along with each request to the resource server for authorization. Unlike the other grant types defined in OAuth 2.0, client credentials does not involve resource owner authentication, so no resource owner has to enter authentication information. In this case, the client either holds the resource owner's credentials or acts as the resource owner itself.

This type of flow is mostly used for trusted clients or internal applications because, unlike the 3-legged architecture, the client acts as the resource owner and there is no separate resource owner to authenticate.

The figure below shows the OAuth 2-legged flow.

Obtaining an Access Token using the DataPower Web Token Service

The client presents its client credentials (client_id and client_secret) to the Web Token Service configured as the token endpoint, requesting access to a resource. The Web Token Service authenticates the client using the provided client credentials and issues an access token (the approval).

Passing the Token to the Resource Server via the PEP (Policy Enforcement Point)

The client presents the access token to the resource server via DataPower acting as the Policy Enforcement Point, requesting access to the protected resource. DataPower validates the access token and returns the resource to the client.
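The two steps above, as an added stand-alone example that is not DataPower code: a token endpoint that checks client credentials and issues an HMAC-protected bearer token with an expiry, and a policy enforcement point that validates the token before releasing the resource. The client registry, signing key, client_id and secret are constructed sample values.

```python
import base64, hashlib, hmac, json, time

# Constructed sample data for this walkthrough, not real DataPower configuration.
SIGNING_KEY = b"example-token-signing-key"   # assumed: shared only by token service and PEP
CLIENT_REGISTRY = {                          # client_id -> sha256(client_secret), constructed
    "internal-batch-app": hashlib.sha256(b"s3cret-for-batch").hexdigest(),
}
TOKEN_LIFETIME = 300  # seconds

def _sign(payload):
    """Return the URL-safe base64 HMAC-SHA256 tag for a token body."""
    return base64.urlsafe_b64encode(hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()).decode()

def token_endpoint(form, now=None):
    """Stand-in for the Web Token Service: verify client credentials, issue an access token."""
    now = time.time() if now is None else now
    if form.get("grant_type") != "client_credentials":
        return 400, {"error": "unsupported_grant_type"}
    cid, secret = form.get("client_id", ""), form.get("client_secret", "")
    expected = CLIENT_REGISTRY.get(cid)
    presented = hashlib.sha256(secret.encode()).hexdigest()
    # Constant-time comparison so a wrong secret does not leak timing information.
    if expected is None or not hmac.compare_digest(expected, presented):
        return 401, {"error": "invalid_client"}
    claims = json.dumps({"sub": cid, "exp": int(now) + TOKEN_LIFETIME}).encode()
    body = base64.urlsafe_b64encode(claims).decode()
    return 200, {"access_token": f"{body}.{_sign(body.encode())}",
                 "token_type": "Bearer", "expires_in": TOKEN_LIFETIME}

def policy_enforcement_point(headers, now=None):
    """Stand-in for the DataPower PEP: validate the bearer token before releasing the resource."""
    now = time.time() if now is None else now
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, "missing bearer token"
    parts = auth[len("Bearer "):].split(".", 1)
    if len(parts) != 2:
        return 401, "malformed token"
    body, sig = parts
    # Check the tag before trusting any claim inside the token.
    if not hmac.compare_digest(_sign(body.encode()), sig):
        return 401, "bad signature"
    claims = json.loads(base64.urlsafe_b64decode(body))
    if claims["exp"] <= now:
        return 401, "token expired"
    return 200, f"protected resource for {claims['sub']}"
```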