Post

Understanding OAuth2

Understanding OAuth2

This post was migrated from Tistory. You can find the original here.

OAuth (Open Authorization) is a protocol for delegating access.

From my server’s perspective, it’s about delegating access to my server through a Third-Party Application.

From the Third-Party Application’s perspective, it’s about being granted access, on behalf of the resource owner, to resources provided by the resource server.

Roles Involved

  • Resource Owner: the user
  • Client: my Application (in my Application, this refers to both the server and the client)
  • Authorization Server: the server that performs authentication/authorization. The user sends their ID and password to the Authorization Server so the Client can be issued an authorization code, and the Client can then request the Authorization Server with that authorization code to obtain an Access Token.
  • Resource Server: the server that hosts the user’s protected resources. The Client sends the token to this server and receives the user’s resources in return.

Four Protocols Based on Grant Type

1. Authorization Code Grant

This is the basic approach. When you request with ?response_type=code, the Authorization Server shows the user its login page. Once the user logs in successfully, the Authorization Server returns an authorization code to the Client. The Client then uses that authorization code to request a token from the Authorization Server, and obtains the Third-Party Application user’s resources.

2. Implicit Grant

Similar to #1, but you request with ?response_type=token instead, and rather than receiving an authorization code, you get the token directly in the response. This is risky because the Access Token is passed through the URL.

3. Resource Owner Password Credentials Grant

This skips the step in #1 where the Authorization Server shows a login popup. You request the token directly with ?grant_type=password, along with the username and password.

4. Client Credentials Grant

You request with ?grant_type=client_credentials and no other information. You can think of this as the Authorization Server having already opened up access for a specific Client, based on pre-configured permissions or network settings.

Reference

https://blog.naver.com/mds_datasecurity/222182943542

This post is licensed under CC BY-NC 4.0 by the author.