Content Delivery OAuth authentication framework

Use the Content Delivery authentication framework to enable affiliate Web sites to interact securely with your published, SDL Tridion-based Web site, and with the Content Delivery Web service.

The following diagram shows the authentication framework:

  • An SDL Tridion administrator creates and manages client accounts for affiliate Web sites. Such accounts consist of a client ID (username) and a client secret (password), and may also include a set of named parameters called authorization attributes. They are configured in the Content Delivery Web service configuration.
  • The SDL Tridion administrator communicates the account information to the administrator of an affiliate Web site out of band (for example, by e-mail or over the phone), together with the URLs of the secure token service and of the Content Delivery Web service or Web site.
  • To connect to the secure Web service or Web site, a Web application on the affiliate Web site first sends a request to a secure token service, supplying the client ID and client secret:

    • The client ID is supplied as a URL query parameter called client_id.
    • The client secret is supplied as a query parameter called client_secret.

    If the credentials are valid, the secure token service sends back an HTTP response containing an access token and the token's expiration time.

  • The affiliate Web site then extracts the token from the response and, when sending HTTP requests to the Web service or Web site, sets the Authorization HTTP header to that token. To validate these incoming requests, use a request validator. SDL Tridion ships with a built-in request validator that implements OAuth 2.0, but you can replace it with your own by changing the value of the RequestValidator element (a fully qualified Java class name) in the Ambient Data Framework configuration.
  • In SDL Tridion's OAuth implementation, two parameters are shared between the secure token service and the request validator: the shared secret and the token expiration time. If you provide your own request validator, you can provide your own parameters.
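The exchange described above, modelled end to end as an added example that is not SDL Tridion's own code: a secure token service that checks client_id and client_secret from the query string and issues a token with an expiration time, and a request validator that checks the Authorization header using the same shared secret and expiration. The client account, the shared secret, the token format (base64 payload plus an HMAC-SHA256 tag) and the response keys are assumptions for illustration, not SDL's real configuration or wire format.

```python
import base64
import binascii
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlparse

# Assumed, not SDL Tridion's real configuration: one affiliate client account as the
# administrator would configure it, and the two values the page says are shared
# between the secure token service and the request validator.
CLIENT_ACCOUNTS = {"affiliate-site": "s3cret-example"}  # client_id -> client_secret (constructed)
SHARED_SECRET = b"shared-secret-between-sts-and-validator"  # constructed
TOKEN_LIFETIME_SECONDS = 300  # token expiration time

def _sign(payload: bytes) -> str:
    return hmac.new(SHARED_SECRET, payload, hashlib.sha256).hexdigest()

def secure_token_service(request_url: str, now: float = None) -> dict:
    """STS side: check client_id/client_secret from the query string, issue token + expiry."""
    now = time.time() if now is None else now
    qs = parse_qs(urlparse(request_url).query)
    client_id = qs.get("client_id", [""])[0]
    client_secret = qs.get("client_secret", [""])[0]
    expected = CLIENT_ACCOUNTS.get(client_id)
    # Constant-time comparison so a wrong secret is not distinguishable by timing.
    if expected is None or not hmac.compare_digest(expected, client_secret):
        return {"status": 401, "error": "invalid_client"}
    expires_at = int(now) + TOKEN_LIFETIME_SECONDS
    payload = f"{client_id}:{expires_at}".encode()
    # Assumed token format: base64(payload).hex(HMAC-SHA256(payload)) under the shared secret.
    token = base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload)
    return {"status": 200, "access_token": token, "expires_at": expires_at}

def request_validator(headers: dict, now: float = None):
    """Web service side: accept or reject a request by its Authorization header."""
    now = time.time() if now is None else now
    auth = headers.get("Authorization", "")
    try:
        encoded, sig = auth.split(".", 1)
        payload = base64.urlsafe_b64decode(encoded.encode())
    except (ValueError, binascii.Error):
        return None  # missing or malformed header
    if not hmac.compare_digest(_sign(payload), sig):
        return None  # signature does not verify: forged or tampered token
    client_id, expires_at = payload.decode().rsplit(":", 1)
    if now >= int(expires_at):
        return None  # expired: the affiliate must request a new token from the STS
    return client_id  # valid: the caller's client ID, usable to look up authorization attributes
```

The validator returns the client ID on success and None on any failure, so a replacement RequestValidator written this way would reject expired tokens and tokens signed with a different secret alike.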