OAuth 2.0 is a standard authorization protocol. According to the official definition (RFC 6749):
The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf.
Some important terms associated with OAuth 2.0:
1. Roles
* Resource Owner: An entity capable of granting access to a protected resource.
* Resource Server: The server hosting the protected resource.
* Client: The application trying to access the protected resource.
* Authorization Server: The server issuing access tokens after successful authentication.
2. There are four grant types:
* authorization code
* implicit
* resource owner credentials (username/password)
* client credentials
3. OAuth2 tokens
* Access Token: Sent with each request; short-lived.
* Refresh Token: Used to obtain a new access token; long-lived.
4. Access token scope: The scope shows which access rights were actually granted to the client.
Grant types are important because they dictate the flow in OAuth 2.0.
1. Authorization Code Grant:
This grant type is used to obtain both an access token and a refresh token. It is a redirection-based flow, so:
A. The client must be capable of interacting with the resource owner's user-agent, such as a web browser.
B. The client must be capable of receiving incoming requests (via redirection) from the authorization server.
Steps
1. The client initiates the flow by directing the resource owner's user-agent (web browser) to the authorization server. The information sent by the client includes the client ID, requested scope, local state, and redirection URI.
2. The authorization server authenticates the resource owner, who uses the user-agent to approve or deny access.
3. If the resource owner grants access, the authorization server uses the redirection URI to send the authorization code and any local state back to the client.
4. The client retrieves the authorization code from the redirection URI and requests an access token.
5. The authorization server validates all the information sent by the client and, if everything is as expected, sends back the access token and optionally a refresh token.
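The five steps above as a worked exchange in Python, an added example that is not code from the original post: the client builds the step 1 request, a constructed in-memory DemoAuthorizationServer plays steps 2, 3 and 5, and parse_callback is the step 4 check. The endpoints, client ID and server class are assumptions for the demo; the state check, the single-use code and the redirection URI binding are the validations that make the flow safe.

```python
import secrets
import urllib.parse as up

# Constructed endpoints and client registration for this demo (not from the original post).
AUTHORIZE_URL = "https://auth.example.com/authorize"
REDIRECT_URI = "https://app.example.com/callback"
CLIENT_ID = "demo-client"

def _query(url):  # first value of each query parameter
    return {k: v[0] for k, v in up.parse_qs(up.urlparse(url).query).items()}
def build_authorization_request(state, scope="profile"):
    # Step 1: the client sends its client ID, requested scope, local state and redirection URI.
    q = {"response_type": "code", "client_id": CLIENT_ID,
         "redirect_uri": REDIRECT_URI, "scope": scope, "state": state}
    return AUTHORIZE_URL + "?" + up.urlencode(q)

class DemoAuthorizationServer:
    # In-memory stand-in for the authorization server (constructed for this demo).
    def __init__(self):
        self._codes = {}  # issued code -> (client_id, redirect_uri)
    def authorize(self, request_url, owner_approves=True):
        # Steps 2-3: the owner approves or denies; the server redirects back with a code or an error.
        q = _query(request_url)
        reply = {"state": q["state"]}  # local state is echoed back unchanged
        if owner_approves:
            reply["code"] = secrets.token_urlsafe(16)
            self._codes[reply["code"]] = (q["client_id"], q["redirect_uri"])
        else:
            reply["error"] = "access_denied"
        return q["redirect_uri"] + "?" + up.urlencode(reply)
    def token(self, form):
        # Step 5: a code is single-use and bound to the client and redirection URI it was issued for.
        issued = self._codes.pop(form.get("code"), None)
        if issued != (form.get("client_id"), form.get("redirect_uri")):
            return {"error": "invalid_grant"}
        return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer",
                "expires_in": 3600, "refresh_token": secrets.token_urlsafe(24)}

def parse_callback(callback_url, expected_state):
    # Step 4: verify the echoed state before trusting the code (defeats CSRF / code injection).
    q = _query(callback_url)
    if q.get("state") != expected_state:
        raise ValueError("state mismatch")
    if "error" in q:
        raise ValueError("authorization denied: " + q["error"])
    return q["code"]

def run_flow(server, owner_approves=True):
    state = secrets.token_urlsafe(8)  # unguessable, kept in the client session
    callback = server.authorize(build_authorization_request(state), owner_approves)
    code = parse_callback(callback, state)
    return server.token({"grant_type": "authorization_code", "code": code,
                         "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI})
```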
2. Implicit Grant
The Implicit Grant has the following characteristics:
A. It is used by user-agent-based clients, such as Single Page Applications, that cannot keep a client secret because all of their code is accessible.
B. Instead of the authorization server returning an authorization code, it returns the access token directly, and no refresh token is returned.
Steps
1. The client initiates the flow by directing the resource owner's user-agent (web browser) to the authorization server. The information sent by the client includes the client ID, requested scope, local state, and redirection URI.
2. The authorization server authenticates the resource owner, who uses the user-agent to approve or deny access.
3. The authorization server sends the access token to the user-agent in the fragment of the redirection URI.
4. The user-agent follows the redirection instructions by making a request to the web-hosted client resource (the fragment is not sent with that request).
5. The web-hosted client resource returns a web page capable of accessing the full redirection URI, including the fragment, to extract the access token.
6. A script is executed in the user-agent to extract the access token.
7. The access token is passed to the client application.
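The fragment delivery in steps 3 to 7 as an added Python example (not code from the original post): the redirection URI and issue_implicit_redirect are constructed for the demo, browser_request_target models what the user-agent sends to the web-hosted client resource in step 4, and extract_access_token stands in for the script the returned page runs in steps 6 and 7.

```python
import secrets
import urllib.parse as up

# Constructed redirection URI for this demo (not from the original post).
REDIRECT_URI = "https://spa.example.com/callback"

def issue_implicit_redirect(state, scope="profile"):
    # Step 3: the authorization server places the token in the URI fragment, not the query,
    # and echoes the client's local state; this grant issues no refresh token.
    frag = {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer",
            "expires_in": 3600, "scope": scope, "state": state}
    return REDIRECT_URI + "#" + up.urlencode(frag)

def browser_request_target(redirect_url):
    # Step 4: the user-agent drops the fragment before requesting the web-hosted client
    # resource, so the token never reaches that server or its access logs.
    p = up.urlsplit(redirect_url)
    return up.urlunsplit((p.scheme, p.netloc, p.path, p.query, ""))

def extract_access_token(full_url, expected_state):
    # Steps 5-7: the page script reads the full redirection URI, fragment included,
    # validates it and hands the token to the client application.
    p = up.urlsplit(full_url)
    if "access_token" in up.parse_qs(p.query):
        raise ValueError("token arrived in the query string, not the fragment; reject it")
    frag = {k: v[0] for k, v in up.parse_qs(p.fragment).items()}
    if frag.get("state") != expected_state:
        raise ValueError("state mismatch")
    if "access_token" not in frag:
        raise ValueError("no access token in fragment")
    return {"access_token": frag["access_token"], "token_type": frag.get("token_type"),
            "expires_in": int(frag.get("expires_in", 0))}
```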
3. Resource Owner Credentials (username/password)
This grant type is applicable when there is a trust relationship between the resource owner and the client, i.e., when the client has access to the resource owner's username and password.
4. Client Credentials
This grant type is useful when the client controls the resource it is trying to access. The client receives the access token directly from the authorization server.