Difference between revisions of "Oauth"
From Logic Wiki
Revision as of 08:10, 15 February 2019
https://knpuniversity.com/screencast/oauth/intro#play
== OAuth Actors ==
=== OAuth Provider ===
Based on three components:
==== Authentication Provider ====
Username and password.
==== Consent Server ====
Which parts of the system a client can access.
==== Token Management Infrastructure ====
It keeps data such as: access token, refresh token, when each was created, when it becomes invalid, and when it was revoked.

=== Resource Provider ===
Makes a protected resource available via the HTTP protocol.

e.g. Twitter
==== Resource Server ====
* Holds resources
* Protects resources
* Makes resources available via an API
=== Resource Owner ===
Owner of the protected resource.

* Owns resources
* Delegates the right to access the resource to a third-party app

e.g. @aliiybar
=== Client ===
An application trying to access a protected resource.
* Wants to access resources
* Gets and holds '''Access Token''' and '''Refresh Token'''
* Should NOT hold the Resource Owner's password
* Identified via Client ID and Client Secret

e.g. a mobile app

== OAuth Server - Endpoints ==
=== /authorize GET ===
Returns:
* Authorization Code (for Authorization Code Grant)
* Access Token (for Implicit Grant)
=== /token POST ===
Client authentication: Authorization: Basic clientId:clientSecret

Returns Access Token and Refresh Token (for Authorization Code Grant, Client Credentials Grant and Resource Owner Password Credentials Grant)
=== /verify - not standardized ===
Only internally accessible by the Resource Server.
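The following is an added example, not code from this wiki or from the screencast it links, that models in Python the pieces the two sections above describe: the Token Management Infrastructure record (access token, refresh token, created, expiry, revoked), GET /authorize and POST /token for the Authorization Code Grant with the Basic clientId:clientSecret header, and the internal /verify check used by the Resource Server. The client id mobile-app, its secret, the redirect URI https://app.example/callback, the token lifetimes and the function names are assumptions; the subject @aliiybar is the page's own example.

```python
"""In-memory model of the OAuth provider pieces this page lists: Token Management
Infrastructure (access/refresh token, created, expires, revoked), GET /authorize and
POST /token for the Authorization Code Grant, and the Resource Server's /verify check.
Added example, not the wiki's own code; every identifier, secret and URL is constructed."""
import base64
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

CLIENTS = {"mobile-app": {"secret": "constructed-client-secret",  # constructed registration
                          "redirect_uris": {"https://app.example/callback"}}}
TOKEN_TTL, CODE_TTL = 3600, 60  # seconds: access-token lifetime, authorization-code lifetime

class TokenStore:
    """Token Management Infrastructure: what the provider records per token."""
    def __init__(self):
        self.tokens = {}  # access_token -> record

    def issue(self, client_id, subject, scope):
        now, access, refresh = time.time(), secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.tokens[access] = {"client_id": client_id, "sub": subject, "scope": scope,
                               "created": now, "expires": now + TOKEN_TTL,
                               "revoked": False, "refresh_token": refresh}
        return {"access_token": access, "refresh_token": refresh, "token_type": "Bearer"}

    def revoke(self, access):
        self.tokens[access]["revoked"] = True  # KeyError for an unknown token

    def verify(self, access, now=None):  # /verify: reachable only by the Resource Server
        now = time.time() if now is None else now
        rec = self.tokens.get(access)
        if rec is None or rec["revoked"] or now >= rec["expires"]:
            return {"active": False}
        return {"active": True, "sub": rec["sub"], "scope": rec["scope"]}

def basic_auth_header(client_id, secret):  # the header the page shows, base64-encoded
    return "Basic " + base64.b64encode(f"{client_id}:{secret}".encode()).decode()

def authenticate_client(auth_header):
    """Check the Basic client credential; the secret comparison is constant-time."""
    scheme, _, credential = auth_header.partition(" ")
    try:
        client_id, _, secret = base64.b64decode(credential).decode().partition(":")
    except Exception:  # not base64 / not UTF-8: treat as absent credentials
        client_id, secret = "", ""
    client = CLIENTS.get(client_id)
    if scheme != "Basic" or client is None or not hmac.compare_digest(
            client["secret"].encode(), secret.encode()):
        raise PermissionError("invalid_client")
    return client_id

class AuthorizationServer:
    def __init__(self):
        self.store = TokenStore()
        self.codes = {}  # authorization code -> issuance record

    def authorize(self, params, subject):
        """GET /authorize after login and consent: redirect with a single-use code."""
        client = CLIENTS.get(params.get("client_id"))
        redirect_uri = params.get("redirect_uri")
        if (client is None or redirect_uri not in client["redirect_uris"]
                or params.get("response_type") != "code"):
            raise ValueError("unknown client, unregistered redirect_uri or response_type")
        code = secrets.token_urlsafe(24)
        self.codes[code] = {"client_id": params["client_id"], "sub": subject,
                            "redirect_uri": redirect_uri, "scope": params.get("scope", ""),
                            "expires": time.time() + CODE_TTL}
        query = {"code": code}
        if "state" in params:  # echoed back so the client can detect a forged callback
            query["state"] = params["state"]
        return f"{redirect_uri}?{urlencode(query)}"

    def token(self, headers, form):  # POST /token: authenticate client, swap code for tokens
        client_id = authenticate_client(headers.get("Authorization", ""))
        rec = self.codes.pop(form.get("code"), None)  # single use: pop, never get
        if (form.get("grant_type") != "authorization_code" or rec is None
                or rec["client_id"] != client_id or rec["redirect_uri"] != form.get("redirect_uri")
                or time.time() > rec["expires"]):
            return {"error": "invalid_grant"}
        return self.store.issue(client_id, rec["sub"], rec["scope"])

def parse_callback(redirect_url, expected_state):
    """Client side: accept the callback only if `state` matches what it sent."""
    query = parse_qs(urlparse(redirect_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch")
    return query["code"][0]

def run_flow():  # walk the Authorization Code Grant end to end
    server, state = AuthorizationServer(), secrets.token_urlsafe(16)
    redirect = server.authorize({"response_type": "code", "client_id": "mobile-app",
                                 "redirect_uri": "https://app.example/callback",
                                 "scope": "read", "state": state}, subject="@aliiybar")
    code = parse_callback(redirect, state)
    tokens = server.token({"Authorization": basic_auth_header("mobile-app", "constructed-client-secret")},
                          {"grant_type": "authorization_code", "code": code,
                           "redirect_uri": "https://app.example/callback"})
    return tokens, server.store.verify(tokens["access_token"])
```

Calling run_flow() walks one grant end to end and returns the issued tokens together with the /verify answer. The checks worth noticing: the authorization code is bound to the client and its registered redirect_uri and is popped on first use, so a replayed code gets invalid_grant; the client secret from the Basic header is compared in constant time; the state value is echoed back and checked on the client side before the code is used; and /verify reports inactive for unknown, expired or revoked tokens. It is an in-process call here because, as the page notes, /verify is not standardized and should only be reachable from the Resource Server.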