Actors
OAuth Provider:
Known as OAuthe server or authorization server, consists of:
- an authentication component: login page and identity provider
- a component for requesting the authenticated user's consent for delegation of access rights to the client.
- a token-management infrastructure: such as database...
Resource Provider
The resource provider makes a protected resource available. The resource may be data or service and is often offered in the form of a web API, which in turn offers the protected data.
Resource Owner
The resource owner is the owner of the protected resource. The resource owner delegates his access rights to the third party (the Client). Through this delegation the resource owner allow third party to access his data.
Client
The client is an application that attempts to access protected resource in behave of resource owner.
Endpoints:
An OAuth endpoint is a Restful service with a defined behavior and address
Authorization Endpoint
Is a service offered by the OAuth Provider. It authenticates the resource owner using any typical authentication method, such as username and password. After authentication, the resource owner is explicitly asked to confirm the delegation of his access rights for the protected resources. The authentication endpoint sends a confirmation of the authentication and of the access delegation to the redirect endpoint. This confirmation is call an authentication code.
Token Endpoint
Is a service offered by the OAuth Provider, it produces OAuth tokens, namely access tokens and refresh tokens and return them in form of a JSON object to the requester.
Clients have to register with the OAuth provider in order to receive a ClientID and a ClientSecret. The client registration is not part of the token endpoint.
Redirect Endpoint
Is a service offered by the client. The response produced by the authentication endpoint is sent to redirect endpoint. The redirect endpoint is not called directly, but indirectly by a HTTP-redirect command.
When Client received authentication code, it will make a request to the Token Endpoint to get OAuth tokens.
OAuth Tokens
Access token
Access tokens are used by client to access resources. OAuth Access tokens are bearer tokens. The holder of the tokens has the access rights associated with the tokens. The identity of the holder of the token is not checked any further.
Refresh token
The refresh token has a period of validity that is longer than access token. It can be used to request a new access token after access token has expired.
Authorization code
Authorization code is created after the resource owner successfully authorization and delegation his rights. The validity of the authorization code is usually limited to a couple of minutes. This is just enough time for client use authorization code to request an access token from the token endpoint.
Token attributes
OAuth Flows
Authorization Code Flow
First-time flow contains the following steps
- Get authorization code: The client request an authorization code from authorization endpoint.
- Get token: The client using authorization code to request the tokens from the token endpoint.
- Access protected resource: The client using access token to access resource from the resource provider.
Second-time when client access resource but
access token expired then
refresh token is used to
get new access token from
token endpoint.
Implicit Flow
The implicit flow contains flowing steps:
- Get token: the client requests the tokens from authorization endpoint.
- Access protected resource: similar above.
Resource Owner Password Credentials Flow
The resource owner password credentials flow contains following steps:
- Get token: The client requests the tokens from token endpoint.
- Access protected resource
Client Credentials Flow
The client credentials flows contains following steps
- Get token: The clients requests the tokens from token endpoint
- Access protected resource
