Onegini Token Server

OAuth 2.0 and APIs

OAuth is becoming the standard for access management with RESTful APIs. It has the advantage of being lightweight and of offering universal access for web, mobile apps or any other third-party application. Unfortunately, OAuth can also be complex to set up, given the number of actors, token formats, transports, management, logging and security mechanisms required. Handling all the user interactions in particular requires a flexible architecture, since the number of devices is growing rapidly.

Onegini Key components

The Onegini Token Server is a product for managing authorizations of resource access in compliance with the OAuth 2.0 standard. It can easily be plugged in to your current infrastructure and can cooperate with existing authentication services. The key components are:

| Component | Description |
| --- | --- |
| Core OAuth 2.0 spec compliant authorization server | The core engine of the Onegini OAuth server is responsible for token management. |
| Monitoring and auditing | To keep track of all events and to enable operators to analyze behavior. |
| Management console | For administrators, a complete dashboard is available. |
| Management and user interface API | End-user and management APIs enable you to integrate Onegini functionality into your own systems. |

Secure your APIs and meet Compliance

Protecting APIs against attacks is crucial these days. Onegini provides comprehensive API security and pre-built identity management integration. Onegini protects the APIs by managing tokens and preventing token abuse. Onegini also provides auditing and monitoring capabilities to support enterprises in being compliant.

Why is Onegini different?

Onegini is unique because it is a complete solution with a clear focus: protecting your enterprise APIs using OAuth. It can be easily integrated within your IT infrastructure. The software is easy to install and there is no coding needed. It is a stateless scalable engine, including administration and operational consoles.

The core purpose of the Onegini Token Server

The core of the Onegini Token Server is managing and protecting tokens. Long-lived tokens and identity information will be stored encrypted in the database. The database contains access and refresh tokens, including properties such as one-time tokens, expiration date, number of times to be used, scope linking, etc. The Onegini architecture is an event-based engine and all events will be stored in multiple databases. Onegini's search database enables real-time analysis of token abuse. Onegini supports the latest OAuth 2.0 spec including the required threat model. Both the spec and threat model will be monitored and applied throughout the lifecycle of the Onegini OAuth server.

Onegini is a security solution to manage authorizations of resource access in compliance with the OAuth 2.0 standard. Onegini supports the latest standards and implements many of the security considerations proposed in the OAuth Threat Model. Some of the security considerations are: credential storage protection, binding tokens to a particular resource server, binding tokens to a client, validation of the pre-registered redirect_uri and binding of the authorization code to a specific client.
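
The last two considerations in that list, validation of a pre-registered redirect_uri and binding of an authorization code to a specific client, can be sketched as follows. This is an added example, not Onegini code; the client ids, URIs, function names and the 60-second code lifetime are assumptions.

```python
import secrets
import time

# Constructed registration data: client_id -> exact pre-registered redirect URIs.
REGISTERED = {
    "app-1": {"https://app.example/cb"},
    "app-2": {"https://other.example/cb"},
}
CODES = {}     # authorization code -> binding record
CODE_TTL = 60  # seconds (assumed value); codes should be short-lived


def issue_code(client_id, redirect_uri, now=None):
    """Issue a code only if redirect_uri exactly matches a registered one."""
    if redirect_uri not in REGISTERED.get(client_id, set()):
        raise ValueError("redirect_uri not registered for this client")
    now = time.time() if now is None else now
    code = secrets.token_urlsafe(32)
    CODES[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                   "expires": now + CODE_TTL}
    return code


def redeem_code(code, client_id, redirect_uri, now=None):
    """Redeem a code once; reject on client, URI or lifetime mismatch."""
    now = time.time() if now is None else now
    record = CODES.pop(code, None)  # pop: the code is consumed even on failure
    if record is None:
        return "invalid_grant: unknown or already used code"
    if now > record["expires"]:
        return "invalid_grant: code expired"
    if record["client_id"] != client_id:
        return "invalid_grant: code was issued to another client"
    if record["redirect_uri"] != redirect_uri:
        return "invalid_grant: redirect_uri mismatch"
    return "ok"


if __name__ == "__main__":
    c = issue_code("app-1", "https://app.example/cb")
    print(redeem_code(c, "app-2", "https://other.example/cb"))  # other client
    print(redeem_code(c, "app-1", "https://app.example/cb"))    # replay
```

Exact string comparison of the redirect_uri is deliberate: prefix or pattern matching would accept URIs the client never registered.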

SIEM Solution

A SIEM tool correlates incidents and events from different resources and raises an alarm if unexpected behavior occurs. Onegini can easily be integrated with existing SIEM solutions in order to track and trace the complete session. The Onegini core is event-based and will log events in a database. Using our API, these events can be extracted. In order to correlate events of a certain request in the entire chain, a transaction id is used. Onegini has plug-ins for products such as WebSeal, Apache and others.

Prevent Token Abuse

Preventing token abuse is a complex process that most organizations do not implement. Using Onegini, your company will benefit immediately from our unique technology created to prevent token abuse. Onegini logs all action events into our operations data store. The events logged are analyzed in real time, allowing our risk-based engine to trigger new actions, such as revoking tokens.

Onegini is easy to use for administrators. An administration dashboard will guide you through all tasks: configuration, event logs, statistics and user management. A number of different roles are supported so operators or help desk employees will have limited access. The configuration dashboard is a user interface where administrators can configure items such as applications, clients and scopes.

Dynamic Client Registration

Native applications running on mobile devices often pose a security threat since there is a lack of a trusted computing base. Onegini provides a mechanism to uniquely identify devices running native applications. This dynamic client registration process allows a client to register itself with the authorization server. Onegini will dynamically provision a client identifier and a client secret to be used by the client. Because Onegini can uniquely identify the different devices that are interacting with the server, it can properly detect abuse and take appropriate action.

In addition, the following security measures are supported:

  • Explicitly defined Scopes for Audience and Tokens
  • Configuration of Token time expiration and usage limitation
  • Security event auditing to identify patterns and potential threats
  • Validating HTTP parameters, REST query/POST parameters
  • Protection against cross site scripting (XSS), SQL Injection

Management and end-user API

Onegini has an extensive management and end-user API which can be used by your own applications / clients. Onegini supports the following interfaces:

  • Token management end-user (list, revoke)
  • Device Management (list, revoke)
  • Consent management (list, revoke, notification types)
  • Client management (list, add, delete, update)
  • Scope management (list, add, delete, update)