Quick Summary & Main Answer

Main Answer: Liferay OAuth2 secures headless REST and GraphQL API endpoints, authorizing external clients and restricting data access using custom scopes.

Audience: Security coordinators, API developers, and headless integrations engineers.

Applicable Use Cases: Securing headless mobile apps, authorizing third-party API clients, and protecting custom object data transfers.

Securing Liferay Headless REST APIs with OAuth2
LiferayX Category Reference Guide cover illustration for Securing Liferay Headless REST APIs with OAuth2.
OAuth2 Grant Type Authentication Step Recommended Use Case
Authorization Code User log-in flow redirection Decoupled web portal frontends (React/Next.js)
Client Credentials Direct client keys validation Backend server-to-server data sync scripts
Refresh Token Validates existing session keys Extending access validity in mobile portal apps

Registering Client Applications

Navigate to OAuth2 Administration in the control panel. Create a profile, set client names, and specify redirection URIs. Liferay will generate a Client ID and Client Secret, which your custom applications will use to request access tokens.

How Do You Define Security Scopes for Headless Access?

Direct Answer: Assign specific permission scopes to client profiles, restricting client operations to specific entities (like read-only blogs access).

Apply the principle of least privilege. Under Scopes, select only the services your app requires (e.g., read access on headless-delivery/structured-content). This ensures a compromised API key cannot access directory schemas or configuration tools.

For additional optimization strategies, visit our detailed Liferay DXP developer blog listing. For configuration specifications, consult the official Liferay Documentation portal.

Applying granular scopes prevents compromised API clients from accessing sensitive user tables or executing admin configurations.

Authenticating API Queries

Clients request tokens by sending credentials to Liferay's token endpoint. Include the returned token in authorization headers for REST or GraphQL queries:

# Authenticating REST requests using cURL
curl -H "Authorization: Bearer [access_token]" https://liferayx.com/o/headless-delivery/v1.0/sites/20124/structured-contents

Frequently Asked Questions

What OAuth2 flows does Liferay support?

Liferay DXP 7.4 supports Authorization Code (for web apps), Client Credentials (for backend microservices), and Resource Owner Password Credentials (for trusted legacy systems).

How do we refresh tokens?

Enable refresh tokens in the OAuth2 profile settings. Clients can request fresh access tokens without requiring users to log in again.

Security OAuth2 API
Portrait of Ankita Varani

Written by Ankita Varani

Ankita Varani is a certified Liferay Solutions Architect with 12+ years of experience in enterprise portal migrations and decoupled system designs.