Overview - PaloAltoNetworks/app-f-oauth2-shared GitHub Wiki
OAUTH2 Shared Component Overview
The following image introduces all components involved.
- At the center of everything is the AWS Lambda Function (uses the NodeJS 8.1 runtime)
- At the top, the Palo Alto Networks Identity Manager (the entity that issues access tokens using OAUTH2 flows) and the Secret Store (AWS Secrets Manager)
- At the bottom, a database to store user accounts, long-term access tokens and revocation information (AWS DynamoDB)
- On the left, the end-user browser and the Palo Alto Networks Cloud Apps Portal
- On the right, the Application Framework APIs and the script / single-tenant application that wants to interface with the end user's data stored there
Once registered in the portal (Manifest File registration), the end user will be able to 1) activate the application in his tenant (mapping the corresponding Logging Service and Directory Service instances) and 2) access the application through a basic browser redirection from the portal.
At that point the end user will be ready to trigger the OAUTH2 Code Grant flow, allowing the OAUTH2 Shared Component to retrieve the Application Framework API access_token and refresh_token for that unique instance.
The end user can then issue, revoke or delete long-term tokens, which he can distribute to software entities that want to access Application Framework data under the previously issued grant.
These software entities use the long-term token they have been given to call the OAUTH2 Shared Component backend API, either to request the corresponding Application Framework access_token or to request that it be refreshed.