
OAuth

Enable mobile apps, cloud services and partners to connect to backend APIs using social and enterprise identities.

Add OAuth-based access control to enterprise APIs.

OAuth is the industry-standard protocol for access control across the Web, cloud services and mobile apps. It is not an API or a service but an open standard for authorization that any developer can implement. OAuth supports authorization workflows, giving you a way to ensure that specific users have permission to do something.

But applying OAuth can be a complex process, with a steep learning curve for enterprise architects and application developers alike. CA API Gateway and CA Mobile API Gateway provide the OAuth Toolkit as a pre-integrated component, making it simple to add OAuth-based access control to enterprise resources exposed via APIs for reuse in Web and mobile apps. Among other use cases, this allows CA API Gateway to act as an OAuth server for CA Microgateway implementations.

The OAuth Toolkit supports the OAuth standards as well as JWT (JSON Web Token) bearer tokens and a range of extension grant types. Optional HMAC or RSA signatures are supported for maximum interoperability. OpenID Connect is fully supported with the OAuth Toolkit, including OpenID Certifications for the Basic, Config, Implicit and Hybrid profiles.


How does OAuth work?

Social media such as Facebook and Twitter have been the largest early adopters of OAuth, owing much of their success to being platforms that encourage integration with other applications. The integration points are RESTful APIs that typically use OAuth as a means of authentication, authorization and binding together of different personal accounts. You probably have separate accounts on both of these social media powerhouses. So, how can you set things up so that your tweets show up instantly on your Facebook wall?

In the past, you would probably have had to store your Facebook username and password in your Twitter profile. This way, whenever you published a new tweet, the Twitter application could sign on for you to cross-post it onto Facebook. This approach has come to be called the password anti-pattern, and it is a bad idea for a number of reasons. Entrusting Twitter with your Facebook password simply gives this application too much power. If a hacker were to compromise the site or an internal administrator went rogue, they could leverage your plain-text password to post damaging pictures, lock you out of Facebook or even delete your entire account. Fortunately, both sites use OAuth to overcome this challenge. OAuth provides a delegated authorization model that permits Twitter to post on your wall, but nothing else.

From their Twitter settings panel, a user clicks on a button that transfers them to Facebook, where they can sign in, creating an association between this user's two separate accounts without any involvement from Facebook or Twitter security administrators. Once authenticated on Facebook, the user undergoes a consent ceremony, where they can choose the subset of privileges they want to grant to Twitter to permit the application to perform actions on their behalf. Finally, the user returns automatically to Twitter, where they can resume posting tweets, which now appear on their Facebook wall as well. The relationship they have set up persists indefinitely or until they decide to break it explicitly, using controls found on the settings page.
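The flow just described, shown as a toy authorization-code exchange in Python. This is an added example, not code from CA or from the OAuth Toolkit, and everything in it is constructed: the client id twitter-app, the user alice, the scope names, the wall_api resource server and the in-memory AuthorizationServer are assumptions, and PKCE, token expiry and refresh tokens are left out. It demonstrates the three properties the text relies on: the user approves a subset of what the client asked for, the resulting token can post but not delete, and the relationship persists until the user explicitly revokes it (after which the token is rejected). It also shows why the authorization code is single-use.

```python
import hashlib
import secrets
from dataclasses import dataclass

# Constructed scopes offered by the toy "wall" resource server.
ALL_SCOPES = {"post_to_wall", "read_profile", "delete_account"}


@dataclass
class Grant:
    user: str
    client_id: str
    scopes: frozenset
    revoked: bool = False


class AuthorizationServer:
    """Toy OAuth 2.0 authorization-code flow (assumption: in-memory state, no PKCE)."""

    def __init__(self):
        self.clients = {}   # client_id -> registered redirect URI
        self.pending = {}   # one-time authorization code -> Grant
        self.tokens = {}    # sha256(access token) -> Grant (tokens are never stored raw)

    def register_client(self, client_id, redirect_uri):
        self.clients[client_id] = redirect_uri

    def consent(self, user, client_id, redirect_uri, requested, approved):
        """Steps 1-2: the user signs in at the provider and approves a subset of the
        requested scopes. Returns the redirect back to the client carrying a code."""
        if self.clients.get(client_id) != redirect_uri:
            raise ValueError("redirect_uri does not match the registered client")
        if not set(requested) <= ALL_SCOPES:
            raise ValueError("unknown scope requested")
        granted = frozenset(approved) & frozenset(requested)   # never more than asked
        if not granted:
            raise ValueError("user approved nothing")
        code = secrets.token_urlsafe(24)
        self.pending[code] = Grant(user, client_id, granted)
        return f"{redirect_uri}?code={code}"

    def token(self, client_id, code):
        """Step 3: the client swaps the code for an access token; the code is burned."""
        grant = self.pending.pop(code, None)
        if grant is None or grant.client_id != client_id:
            raise PermissionError("invalid_grant")
        access_token = secrets.token_urlsafe(32)
        self.tokens[hashlib.sha256(access_token.encode()).hexdigest()] = grant
        return access_token

    def introspect(self, access_token):
        """Resource servers ask here whether a presented token is still live."""
        grant = self.tokens.get(hashlib.sha256(access_token.encode()).hexdigest())
        if grant is None or grant.revoked:
            return None
        return grant

    def revoke_client(self, user, client_id):
        """The 'break the relationship' control on the user's settings page."""
        for grant in self.tokens.values():
            if grant.user == user and grant.client_id == client_id:
                grant.revoked = True


def wall_api(auth, access_token, action):
    """Resource server: each action requires one scope; returns an HTTP-style status."""
    required = {"post": "post_to_wall", "delete_account": "delete_account"}[action]
    grant = auth.introspect(access_token)
    if grant is None:
        return 401          # no valid (or a revoked) token
    return 200 if required in grant.scopes else 403   # token valid but under-scoped


def demo():
    auth = AuthorizationServer()
    auth.register_client("twitter-app", "https://twitter.example/oauth/callback")
    # The client asks for post + delete; alice approves only posting.
    url = auth.consent("alice", "twitter-app", "https://twitter.example/oauth/callback",
                       requested={"post_to_wall", "delete_account"},
                       approved={"post_to_wall"})
    code = url.split("code=")[1]
    tok = auth.token("twitter-app", code)
    results = {"post": wall_api(auth, tok, "post"),
               "delete": wall_api(auth, tok, "delete_account")}
    try:                                   # replaying the code must fail
        auth.token("twitter-app", code)
        results["replay"] = "accepted"
    except PermissionError:
        results["replay"] = "rejected"
    auth.revoke_client("alice", "twitter-app")
    results["after_revoke"] = wall_api(auth, tok, "post")
    return results


if __name__ == "__main__":
    print(demo())
```

The contrast with the password anti-pattern is in what the resource server can see: a stored password would let the client do anything alice can do, while the token carries only the scopes she approved, and she can withdraw them without changing her password.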

OAuth Toolkit Key Features

Support for both two- and three-legged OAuth implementations

HMAC and RSA signature methods with the SHA-1, SHA-256 and SHA-512 digest algorithms

Flexible deployment and easy upgrading to the latest OAuth version

Integrated SAML Security Token Service (STS) for managing cross-domain security

OAuth Essentials

Get the knowledge you need to address the complex challenges of implementing OAuth and managing an OAuth provider in the eBook "5 OAuth Essentials for API Access Control".

Key Benefits of OAuth Toolkit

Abstract complex OAuth procedures in order to simplify the addition of standards-compliant access management functionality to API-based client applications.

Implement browser-based single sign-on (SSO) functionality for federating on-premises identities to Web-based applications and cloud services.

Add strong but user-friendly login security to mobile apps that access backend enterprise resources.
