Security · AMP
Securing Liferay Headless REST APIs with OAuth2
Secure Liferay headless APIs by navigating to System Settings > OAuth2 Administration. Register client applications, choose appropriate authorization flows (Authorization Code or Client Credentials), define specific scopes, and force OAuth2 tokens on all endpoints.
Registering Client Applications
Navigate to OAuth2 Administration in the control panel. Create a profile, set client names, and specify redirection URIs. Liferay will generate a Client ID and Client Secret, which your custom applications will use to request access tokens.
How Do You Define Security Scopes for Headless Access?
Direct Answer: Assign specific permission scopes to client profiles, restricting client operations to specific entities (like read-only blogs access).
Apply the principle of least privilege. Under Scopes, select only the services your app requires (e.g.,
read access on headless-delivery/structured-content). This ensures a compromised API key
cannot access directory schemas or configuration tools.
Applying granular scopes prevents compromised API clients from accessing sensitive user tables or executing admin configurations.
Authenticating API Queries
Clients request tokens by sending credentials to Liferay's token endpoint. Include the returned token in authorization headers for REST or GraphQL queries:
# Authenticating REST requests using cURL
curl -H "Authorization: Bearer [access_token]" https://liferayx.com/o/headless-delivery/v1.0/sites/20124/structured-contents
Frequently asked questions
What OAuth2 flows does Liferay support?
Liferay DXP 7.4 supports Authorization Code (for web apps), Client Credentials (for backend microservices), and Resource Owner Password Credentials (for trusted legacy systems).
How do we refresh tokens?
Enable refresh tokens in the OAuth2 profile settings. Clients can request fresh access tokens without requiring users to log in again.
Read the full article, with table of contents, comparison table, and author bio →