Content Delivery OAuth authentication framework

Content Delivery components are preconfigured for OAuth authentication by default when you install them. However, if you want to grant affiliate websites or other third-party software components the ability to interact securely with the Content Delivery microservices, those external software components must create a connection to the Content Delivery services manually.

The following steps describe the authentication flow as it should be used by a third-party website:

  • An SDL Tridion Sites administrator creates and manages client accounts for affiliate websites. Such an account consists of a client ID (username) and a client secret (password), and may also include a set of named parameters called authorization attributes. These accounts are configured in the Ambient Data Framework configuration of the Discovery Service.
  • The SDL Tridion Sites administrator communicates the account information, together with the URLs of the Token Service and of the Discovery Service, directly to the administrator of the affiliate website (for example, by e-mail or over the phone).
  • To connect to the secure web service or website, a web application on the affiliate website first sends a request to the Token Service, supplying the client ID and client secret:
    • The client ID is supplied as a query parameter called client_id.
    • The client secret is supplied (in encrypted form) as a query parameter called client_secret.

    If the credentials are valid, the Token Service sends back an HTTP response containing an access token and the token's expiration time.

  • The affiliate website then extracts the token from the response and, when sending HTTP requests to the web service or website, sets the HTTP header called Authorization to the value Bearer TOKEN, where TOKEN is the token received. To validate these incoming requests, use a request validator. SDL Tridion Sites ships with a built-in request validator that implements OAuth 2.0, but you can replace it with your own by changing the value of the RequestValidator element (a fully qualified Java class name) in the Ambient Data Framework configuration.
  • In the SDL Tridion Sites OAuth implementation, two parameters are shared between the Token Service and the request validator: the shared secret and the token expiration time. If you provide your own request validator, you can define your own parameters.
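As an added example (not code from the SDL Tridion Sites product or its documentation), here is the client side of the exchange described above in Python: it builds the Token Service request, parses the token response, and caches the token until shortly before its expiration time so that every service call carries a valid Authorization: Bearer header. The Token Service URL and the JSON field names access_token and expires_in are assumptions (standard OAuth 2.0 names; the page states only what the response contains, not the field names), and the client_secret is passed in whatever form the Token Service expects.

```python
import json
import time
from urllib.parse import urlencode, urlsplit

# Constructed sample token response. The page says the Token Service returns an
# access token and its expiration time; the field names are assumed (OAuth 2.0).
SAMPLE_TOKEN_RESPONSE = json.dumps({
    "access_token": "EXAMPLE-TOKEN-VALUE",
    "token_type": "bearer",
    "expires_in": 3600,
})


def build_token_request_url(token_service_url, client_id, client_secret):
    """Build the Token Service URL carrying client_id and client_secret as
    query parameters. Refuse plain HTTP: credentials in a query string are
    visible to every proxy and access log on the path."""
    if urlsplit(token_service_url).scheme != "https":
        raise ValueError("Token Service URL must use https")
    query = urlencode({"client_id": client_id, "client_secret": client_secret})
    return f"{token_service_url}?{query}"


def parse_token_response(body, now):
    """Return (token, absolute expiry timestamp) from the JSON response body."""
    data = json.loads(body)
    token = data.get("access_token")
    if not isinstance(token, str) or not token:
        raise ValueError("token response has no access_token")
    return token, now + float(data["expires_in"])


class BearerTokenClient:
    """Caches the token and refreshes it `margin` seconds before expiry.
    `fetch` is an injected callable (url -> response body), so the example
    runs offline; in production it would perform the HTTPS GET."""

    def __init__(self, token_url, fetch, margin=60, clock=time.time):
        self.token_url, self.fetch = token_url, fetch
        self.margin, self.clock = margin, clock
        self.token, self.expires_at = None, 0.0

    def authorization_header(self):
        """Header to attach to each request to the secured web service."""
        now = self.clock()
        if self.token is None or now >= self.expires_at - self.margin:
            body = self.fetch(self.token_url)
            self.token, self.expires_at = parse_token_response(body, now)
        return {"Authorization": f"Bearer {self.token}"}
```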