
Securing ZIA APIs with OAuth 2.0

Introduction

Zscaler Internet Access (ZIA) supports OAuth 2.0 authentication for secure access to its cloud service API. With OAuth 2.0, third-party applications present short-lived access tokens instead of usernames and passwords when calling protected resources. ZIA uses the Client Credentials OAuth flow, in which an application obtains an access token with its own client credentials (a client ID and client secret), so no user login is involved. ZIA supports OAuth 2.0 with PingFederate, Okta, and Microsoft Entra ID (formerly Azure AD).

Why Use OAuth 2.0?

OAuth 2.0 has several advantages over traditional authentication methods like API keys or admin credentials:

  • Better Security: Uses dynamic, time-bound access tokens instead of fixed credentials.

  • Limits Credential Exposure: Unlike API keys, OAuth does not require admin credentials.

  • Granular Access Control: Uses API Roles to control access instead of linking permissions to admin users.

  • Less Maintenance: No long-lived credential has to be embedded and concealed in application code, as is required with API keys.

Note: OAuth 2.0 authentication is available only for Zscaler cloud service APIs.

Key Concepts of OAuth 2.0

Before using OAuth 2.0, it's important to understand some key terms:

  • Resource Server: The system that stores protected resources (e.g., Zscaler cloud API).

  • Authorization Server: The identity provider that verifies requests and issues access tokens.

  • Client: The application that requests access to resources using an access token.

  • Access Token: A credential (JWT) used by the client to access the API.

  • Grant Type: The method used to get an access token. ZIA uses Client Credentials Grant.

  • Scope: Defines what actions a client application is allowed to perform. In Zscaler, scopes are mapped to API Roles.


OAuth 2.0 Flow in Zscaler

ZIA follows the Client Credentials OAuth flow, so a client can access the APIs without any user involvement. Here is how it works:

  1. Client requests an access token

    • The registered client application sends a token request to the authorization server's token endpoint, authenticating with its client ID and client secret.

    • The request also includes the required scope and grant type.

  2. Authorization server issues an access token

    • If the client's credentials are valid, the authorization server provides a JWT access token.

    • The token includes details like the token type (Bearer) and expiration time.

  3. Client sends an API request with the access token

    • The client includes the access token as a Bearer token in the HTTP Authorization header of the API request.

  4. Zscaler verifies the access token and grants access

    • Zscaler validates the JWT: it verifies the signature and extracts claims such as the scope, the client ID, and the expiration time.

    • If the scope (API Role) matches an allowed role, the request is approved.

    • Otherwise, the request is rejected.
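
The resource-server check in step 4, as an added example that is not part of the original article or Zscaler's own code. It mints a token the way the authorization server would, then verifies the signature, rejects expired tokens, and accepts the request only when a scope maps to an allowed API Role. The HS256 shared key and the API Role names are constructed for the demo; a real identity provider signs tokens with an asymmetric key that the resource server checks against the provider's published signing keys.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo values: a shared HS256 key so the example runs offline, and
# hypothetical API Role names that the resource server treats as allowed scopes.
SIGNING_KEY = b"demo-shared-secret-not-a-real-key"
ALLOWED_API_ROLES = {"zia-read-only", "zia-url-admin"}


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def mint_token(claims: dict) -> str:
    """Issue an HS256 JWT; stands in for the authorization server (step 2)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def authorize_request(authorization_header: str, now=None):
    """Resource-server check (step 4): signature, then expiry, then scope -> API Role.
    Returns (allowed, reason). `now` is injectable so expiry can be tested deterministically."""
    now = time.time() if now is None else now
    scheme, _, token = authorization_header.partition(" ")
    if scheme != "Bearer" or token.count(".") != 2:
        return False, "malformed Authorization header"
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never honour the token's own choice
        return False, "unexpected alg"
    expected = hmac.new(SIGNING_KEY, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return False, "bad signature"  # claims are untrusted until the signature checks out
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    granted = set(claims.get("scope", "").split())  # space-separated scopes per RFC 6749
    matched = granted & ALLOWED_API_ROLES
    if not matched:
        return False, "scope does not map to an allowed API Role"
    return True, f"client {claims.get('client_id')} authorized as {sorted(matched)[0]}"
```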

Setting Up OAuth 2.0 for ZIA APIs

To use OAuth 2.0 authentication, follow these steps:

  1. Configure API Roles in the ZIA Admin Portal

    • Define API Roles that specify what API actions each client can perform.

  2. Register Applications in the Identity Provider (Okta, PingFederate, Entra ID)

    • Create an OAuth client in the external identity provider and get the client ID and client secret.

  3. Add OAuth 2.0 Authorization Servers in the ZIA Admin Portal

    • Configure the external identity provider to work with ZIA’s OAuth service.

Note: API requests authenticated with OAuth 2.0 are logged under an auto-generated Admin ID in the format: oauth-<rolename>$@<orgid>.<cloud_domain>.

Conclusion

Using OAuth 2.0 for ZIA APIs provides a secure, flexible, and scalable way to authenticate API requests. It ensures that access is controlled through API Roles, reduces credential exposure, and eliminates the need for admin credentials in API calls. Following the setup steps ensures your ZIA API integrations are secure and properly configured.


For more articles, visit our website: https://techclick.in