Difference between revisions of "Oauth"

Revision as of 09:47, 15 February 2019

https://knpuniversity.com/screencast/oauth/intro#play

OAuth Actors

OAuth Provider

Based on 3 components

Authentication Provider

Username and Password

Consent Server

Which parts of system a client can access

Token Management Infrastructure

it keeps data like : Access token, refresh token, when it was created and when it's invalid, when it's revoked

Resource Provider

Makes a protected resource available via HTTP Protocol

ie : Twitter

Resource Server

• Holds Resources
• Protects resources
• Makes resources available via API

Resource Owner

Owner of the protected resource.

• Owns resources
• Delegates right to access the resource to a third party app

ie : @aliiybar

Client

An application trying to access a protedted resource.

• Wants to access resources
• Gets and holds Access Token and Refresh Token
• Should NOT hold password of Resource Owner
• Identified via ClientID and Client Secret

ie : Mobile app

OAuth Server - Endpoints

/authorize GET

Input Query Parameters

• state
• scope
• response_type
• client_id
• redirect_uri

Output

according to response_type the output is one of the items below

• Authorization Code (for Authorization Code Grant)
• Access Token (for Implicit Grant)

/token POST

Authorization : Basic clientId:clientSecret

Input Query Parameters

• grant_type
• code
• client_id
• redirect_uri

Output

• Access Token and Refresh Token (for)
  • Authorization Code Grant,
  • Client Credentials Grant and
  • Resource Owner Password Credentials Grant

/verify - not standardized

only internally accessible by Resource Server

Client - Redirect Endpoints

Redirect URI (GET)

Input Query Parameter

• state
• scopes
• code

Resource Server - Resource Endpoint

/api Authorization : Bearer {Access Token}

Access Token and Refresh Token (for Authorization Code Grant, Client Credentials Grant and Resource Owner Password Credentials Grant)