With the growing exposure of digital services and assets through application programming interfaces (APIs) and the emergence of the API Economy, entire business models are starting to be built around APIs. Increasingly, APIs are designed to be used externally as part of an organisation’s service delivery model.
The adoption of the OAuth protocol has allowed consumer-to-business (C2B) integrations to authorise access to APIs in a standardised way. However, business-to-business (B2B) integrations using OAuth are now rapidly growing, and as API ecosystems become more complex, there is an urgent need for further standardisation. Although OAuth supports direct B2B integration, there is no standard way to implement delegated B2B authorisation because OAuth delegation was primarily designed for C2B integration where the resource owner is an individual consumer.
There are use cases in which an online business, in order to provide services to its customers, needs authorised access to resources that the customer organisation owns at third-party resource providers.
In this session, we will explore how OAuth and its extensions, such as rich authorisation requests and token exchange grant types, can be used to allow a resource owner client to dynamically delegate access to its resources to another client using delegated B2B authorisation.
The presentation will cover the following topics:
- Business use case for B2B delegated authorisation
- Brief overview of the OAuth 2.0 protocol
- Proposed enhancements to the OAuth 2.0 standard to achieve interoperable B2B delegated authorisation
- Security considerations