Difference between revisions of "Oauth"

From Logic Wiki
Jump to: navigation, search
(OAuth Server - Endpoints)
 
(7 intermediate revisions by the same user not shown)
Line 1: Line 1:
 +
[[Category:OAuth]]
 
[[Category:API]]
 
[[Category:API]]
 
[[Category:Web Services]]
 
[[Category:Web Services]]
 
+
Allows an application to access specific resources on behalf of a user
 +
<div style="float:right;">__TOC__</div>
 
[https://knpuniversity.com/screencast/oauth/intro#play https://knpuniversity.com/screencast/oauth/intro#play]
 
[https://knpuniversity.com/screencast/oauth/intro#play https://knpuniversity.com/screencast/oauth/intro#play]
  
Line 74: Line 76:
 
* code
 
* code
 
== Resource Server - Resource Endpoint ==
 
== Resource Server - Resource Endpoint ==
=== /api Authorization : Bearer {Access Token} ===
+
=== /api Authorisation : Bearer {Access Token} ===
 
Access Token and Refresh Token (for Authorization Code Grant, Client Credentials Grant and  Resource Owner Password Credentials Grant)
 
Access Token and Refresh Token (for Authorization Code Grant, Client Credentials Grant and  Resource Owner Password Credentials Grant)
 +
== Tokens ==
 +
* Access Token
 +
* Refresh Token (it's only for getting a new Access Token, cannot be used to access resources)
 +
* Authorisation Code it's valid for just few minutes. It's for getting Access Token. It can only be processed by OAuth Server it will never be sent to resource provider
 +
 +
== Credentials ==
 +
* Resource Owner Credentials
 +
* Client Credentials : ClientID & ClientSecret
 +
* Access Token
 +
* Refresh Token
 +
* Authorisation Code
 +
 +
== Client Registration ==
 +
* With OAuth Provider
 +
* Client porvides to OAuth Provider
 +
** Redirect URI
 +
** Required Scopes
 +
* Client obtains from OAuth Provider
 +
** ClientID
 +
** ClientSecret
 +
 +
== OAuth Flow ==
 +
[https://www.udemy.com/learn-oauth-2/learn/v4/t/lecture/3285520?start=0 Udemy Lesson]
 +
 +
[[File:OauthFlows.jpg|500px]]
 +
---------------
 +
[[File:OAUTH Flow 1.jpg|500px]]
 +
 +
[[File:OAUTH_Flow_2.jpg|500px]]
 +
 +
[[File:OAUTH_Flow_3.jpg|500px]]

Latest revision as of 09:26, 26 November 2025

Allows an application to access specific resources on behalf of a user

https://knpuniversity.com/screencast/oauth/intro#play

OAuth Actors

OAuth Provider

Based on 3 components

Authentication Provider

Username and Password

Consent Server

Which parts of system a client can access

Token Management Infrastructure

it keeps data like : Access token, refresh token, when it was created and when it's invalid, when it's revoked

Resource Provider

Makes a protected resource available via HTTP Protocol

ie : Twitter

Resource Server

  • Holds Resources
  • Protects resources
  • Makes resources available via API

Resource Owner

Owner of the protected resource.

  • Owns resources
  • Delegates right to access the resource to a third party app

ie : @aliiybar

Client

An application trying to access a protedted resource.

  • Wants to access resources
  • Gets and holds Access Token and Refresh Token
  • Should NOT hold password of Resource Owner
  • Identified via ClientID and Client Secret


ie : Mobile app

OAuth Server - Endpoints

/authorize GET

Input Query Parameters

  • state
  • scope
  • response_type
  • client_id
  • redirect_uri

Output

according to response_type the output is one of the items below

  • Authorization Code (for Authorization Code Grant)
  • Access Token (for Implicit Grant)

/token POST

Authorization : Basic clientId:clientSecret

Input Query Parameters

  • grant_type
  • code
  • client_id
  • redirect_uri

Output

  • Access Token and Refresh Token (for)
    • Authorization Code Grant,
    • Client Credentials Grant and
    • Resource Owner Password Credentials Grant

/verify - not standardized

only internally accessible by Resource Server

Client - Redirect Endpoints

Redirect URI (GET)

Input Query Parameter

  • state
  • scopes
  • code

Resource Server - Resource Endpoint

/api Authorisation : Bearer {Access Token}

Access Token and Refresh Token (for Authorization Code Grant, Client Credentials Grant and Resource Owner Password Credentials Grant)

Tokens

  • Access Token
  • Refresh Token (it's only for getting a new Access Token, cannot be used to access resources)
  • Authorisation Code it's valid for just few minutes. It's for getting Access Token. It can only be processed by OAuth Server it will never be sent to resource provider

Credentials

  • Resource Owner Credentials
  • Client Credentials : ClientID & ClientSecret
  • Access Token
  • Refresh Token
  • Authorisation Code

Client Registration

  • With OAuth Provider
  • Client porvides to OAuth Provider
    • Redirect URI
    • Required Scopes
  • Client obtains from OAuth Provider
    • ClientID
    • ClientSecret

OAuth Flow

Udemy Lesson

OauthFlows.jpg

OAUTH Flow 1.jpg

OAUTH Flow 2.jpg

OAUTH Flow 3.jpg

Retrieved from "http://logicwiki.co.uk/index.php?title=Oauth&oldid=2504"