STANDARD
OAuth 2.0 — Primer
OAuth 2.0 is the framework for delegated authorization: clients obtain access tokens from an Authorization Server to call protected Resource Servers.
Why it matters
Standards reduce risk and vendor lock‑in. We implement this spec across our Studios and runtime so policy is portable.
Where it’s enforced
- Gateway: pre‑execution gating (plan/schema pins, params/egress)
- Shield: inline budgets/stream caps/content checks
- PDP: decisions with constraints/obligations/TTL
- IdP: passports, token exchange, consent/DPoP
How it works (high level)
OAuth 2.0 (RFC 6749) defines how a client obtains an access token from the Authorization Server. RFC 6750 defines how that token is presented to a Resource Server as a Bearer token (normally in the Authorization header) and how the Resource Server reports failure. RFC 7662 (Token Introspection, optional) lets a Resource Server ask the Authorization Server whether a token is still active and what it carries. When a request has no usable token, the Resource Server MUST answer with a WWW-Authenticate: Bearer challenge; the error (invalid_request, invalid_token, insufficient_scope) and error_description attributes are optional, but error SHOULD be set whenever a token was actually presented, with invalid_token mapped to 401 and insufficient_scope to 403. A request that carries no credentials at all gets the bare challenge with no error code. An introspection response always carries active; when active is true it may also carry scope, client_id, sub, aud, exp (and iat, nbf, iss, jti). The Authorization Server only reports these values; enforcing exp, aud and scope remains the Resource Server's job.
Example challenge (RFC 6750):
WWW-Authenticate: Bearer realm="api", error="insufficient_scope", error_description="..."
Example introspection response (RFC 7662):
{ "active": true, "client_id": "abc", "sub": "user:1", "scope": "read", "aud": ["api://rs"], "exp": 1735689600 }
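The Resource Server side of the flow above, written out as an added example (this is not the page's or the product's code): it parses the Bearer header, consults an introspection result, enforces exp, aud and scope itself, and maps each failure to the RFC 6750 challenge and status code. The introspection endpoint is replaced by a constructed in-memory table of responses (a hypothetical stand-in for the real POST to the Authorization Server), and the realm "api" and resource identifier "api://rs" are taken from the examples on this page.

```python
"""Resource Server side of OAuth 2.0 bearer handling: validate a token via
RFC 7662 introspection and answer failures with an RFC 6750 WWW-Authenticate
challenge. Added example, not the page's or the product's own code."""
import re
import time
from dataclasses import dataclass
from typing import Optional

# Constructed introspection responses, keyed by token string. They stand in
# for a POST to the Authorization Server's introspection endpoint (hypothetical).
INTROSPECTION_FIXTURES = {
    "tok-good": {"active": True, "client_id": "abc", "sub": "user:1",
                 "scope": "read", "aud": ["api://rs"], "exp": 4102444800},
    "tok-expired": {"active": True, "client_id": "abc", "sub": "user:1",
                    "scope": "read", "aud": ["api://rs"], "exp": 1735689600},
    "tok-other-aud": {"active": True, "client_id": "abc", "sub": "user:1",
                      "scope": "read", "aud": "api://other", "exp": 4102444800},
    "tok-revoked": {"active": False},
}


def introspect(token: str) -> dict:
    """RFC 7662 2.2: an unknown or revoked token is reported as inactive, not as an error."""
    return INTROSPECTION_FIXTURES.get(token, {"active": False})


@dataclass
class Decision:
    status: int                      # HTTP status the Resource Server returns
    www_authenticate: Optional[str]  # challenge header, None on success
    sub: Optional[str] = None        # authenticated subject on success


# RFC 6750 2.1 b64token syntax; the scheme name is case-insensitive in HTTP auth.
BEARER_RE = re.compile(r"^Bearer\s+([A-Za-z0-9\-._~+/]+=*)$", re.IGNORECASE)


def bearer_error(status: int, error: str, description: str) -> Decision:
    """Build an RFC 6750 3 challenge. error_description may not contain a
    double quote or backslash (the RFC limits it to %x20-21 / %x23-5B / %x5D-7E)."""
    description = re.sub(r'["\\]', "", description)
    hdr = 'Bearer realm="api", error="%s", error_description="%s"' % (error, description)
    return Decision(status, hdr)


def authorize(authorization: Optional[str], required_scope: str,
              resource_id: str = "api://rs", now: Optional[float] = None) -> Decision:
    """Decide a request against one required scope; return status and challenge."""
    now = time.time() if now is None else now
    if not authorization:
        # No credentials at all: bare challenge, no error code (RFC 6750 3.1).
        return Decision(401, 'Bearer realm="api"')
    m = BEARER_RE.match(authorization)
    if not m:
        return bearer_error(400, "invalid_request", "malformed Authorization header")
    info = introspect(m.group(1))
    if not info.get("active"):
        return bearer_error(401, "invalid_token", "token is not active")
    # The Authorization Server only reports exp/aud/scope; enforcing them is our job.
    if info.get("exp") is not None and info["exp"] <= now:
        return bearer_error(401, "invalid_token", "token expired")
    aud = info.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud   # aud may be a string or an array
    if resource_id not in aud:
        return bearer_error(401, "invalid_token", "token not issued for this resource")
    granted = set(info.get("scope", "").split())   # scope is a space-delimited list
    if required_scope not in granted:
        # insufficient_scope is a 403; the scope attribute names what is needed.
        d = bearer_error(403, "insufficient_scope", "requires scope " + required_scope)
        d.www_authenticate += ', scope="%s"' % required_scope
        return d
    return Decision(200, None, sub=info.get("sub"))


if __name__ == "__main__":
    for hdr, scope in [(None, "read"), ("Bearer tok-good", "read"),
                       ("Bearer tok-good", "write"), ("Bearer tok-revoked", "read"),
                       ("Bearer tok-expired", "read"), ("Bearer tok-other-aud", "read")]:
        print(hdr, scope, "->", authorize(hdr, scope, now=1750000000))
```

Two details worth keeping when adapting this: a request with no Authorization header gets the challenge without an error attribute, so an unaware client learns only that Bearer auth is required, and the audience check is what stops a token minted for api://other from being replayed against this service even though the Authorization Server reports it as active.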