Oauth
From Logic Wiki
https://knpuniversity.com/screencast/oauth/intro#play
Contents
OAuth Actors
OAuth Provider
Based on 3 components
Authentication Provider
Username and Password
Consent Server
Which parts of system a client can access
Token Management Infrastructure
it keeps data like : Access token, refresh token, when it was created and when it's invalid, when it's revoked
Resource Provider
Makes a protected resource available via HTTP Protocol
ie : Twitter
Resource Server
- Holds Resources
- Protects resources
- Makes resources available via API
Resource Owner
Owner of the protected resource.
- Owns resources
- Delegates right to access the resource to a third party app
ie : @aliiybar
Client
An application trying to access a protedted resource.
- Wants to access resources
- Gets and holds Access Token and Refresh Token
- Should NOT hold password of Resource Owner
- Identified via ClientID and Client Secret
ie : Mobile app
OAuth Server - Endpoints
/authorize GET
Input Query Parameters
- state
- scope
- response_type
- client_id
- redirect_uri
Output
according to response_type the output is one of the items below
- Authorization Code (for Authorization Code Grant)
- Access Token (for Implicit Grant)
/token POST
Authorization : Basic clientId:clientSecret
Input Query Parameters
- grant_type
- code
- client_id
- redirect_uri
Output
- Access Token and Refresh Token (for)
- Authorization Code Grant,
- Client Credentials Grant and
- Resource Owner Password Credentials Grant
/verify - not standardized
only internally accessible by Resource Server
