Main Answer: Liferay OAuth2 secures headless REST and GraphQL API endpoints, authorizing external clients and restricting data access using custom scopes.
Audience: Security coordinators, API developers, and headless integrations engineers.
Applicable Use Cases: Securing headless mobile apps, authorizing third-party API clients, and protecting custom object data transfers.
| OAuth2 Grant Type | Authentication Step | Recommended Use Case |
|---|---|---|
| Authorization Code | User log-in flow redirection | Decoupled web portal frontends (React/Next.js) |
| Client Credentials | Direct client keys validation | Backend server-to-server data sync scripts |
| Refresh Token | Validates existing session keys | Extending access validity in mobile portal apps |
Registering Client Applications
Navigate to OAuth2 Administration in the control panel. Create a profile, set client names, and specify redirection URIs. Liferay will generate a Client ID and Client Secret, which your custom applications will use to request access tokens.
How Do You Define Security Scopes for Headless Access?
Direct Answer: Assign specific permission scopes to client profiles, restricting client operations to specific entities (like read-only blogs access).
Apply the principle of least privilege. Under Scopes, select only the services your app requires (e.g.,
read access on headless-delivery/structured-content). This ensures a compromised API
key cannot access directory schemas or configuration tools.
Applying granular scopes prevents compromised API clients from accessing sensitive user tables or executing admin configurations.
Authenticating API Queries
Clients request tokens by sending credentials to Liferay's token endpoint. Include the returned token in authorization headers for REST or GraphQL queries:
# Authenticating REST requests using cURL
curl -H "Authorization: Bearer [access_token]" https://liferayx.com/o/headless-delivery/v1.0/sites/20124/structured-contents
Frequently Asked Questions
What OAuth2 flows does Liferay support?
Liferay DXP 7.4 supports Authorization Code (for web apps), Client Credentials (for backend microservices), and Resource Owner Password Credentials (for trusted legacy systems).
How do we refresh tokens?
Enable refresh tokens in the OAuth2 profile settings. Clients can request fresh access tokens without requiring users to log in again.