Summary
The OAuth (open authorization) protocol was developed by the Internet Engineering Task Force and enables secure delegated access. It lets an application access a resource that is controlled by someone else (the end user).
This kind of access is granted through tokens, which represent a delegated right of access. Because the application presents a token rather than the user's credentials, it gets access without impersonating the user who controls the resource.
Vocabulary
Resource Owner (user)
The resource owner is the user who authorizes an application to access their account. The application's access to the user's account is limited to the scope of the authorization granted (e.g. read or write access).
Client (application)
The client is the application that wants to access the user's account. Before it may do so, it must be authorized by the user, and the authorization must be validated by the API.
Resource Server (application server)
The resource server hosts the protected user accounts.
Authorization Server (WSO2 IAM)
Authorization grant
Access token
Scope
Consent
Back channel (secure)
Communication between the backend app and the authorization server.
Front channel (less secure)
Communication between the frontend app (browser or mobile app) and the authorization server.
Basic Diagrams
The authorization server verifies the identity of the user then issues access tokens to the application.
Code Flow
Definition
The code flow is the most advanced flow in OAuth. It is also the most flexible: it allows both mobile and web clients to obtain tokens securely. It is split into two parts: the authorization flow, which runs in the browser, where the client redirects to the OAuth server and the OAuth server redirects back when done; and the token flow, which is a back-channel call from the client to the token endpoint of the OAuth server. ref
The OAuth 2.0 authorization code flow is described in section 4.1 of the OAuth 2.0 specification. It’s used to perform authentication and authorization in the majority of app types, including single page apps, web apps, and natively installed apps. ref
Authorization code flow - more secure
Why redirect URI?
Redirect URLs are a critical part of the OAuth flow. After a user successfully authorizes an application, the authorization server will redirect the user back to the application with either an authorization code or access token in the URL. Because the redirect URL will contain sensitive information, it is critical that the service doesn’t redirect the user to arbitrary locations. ref
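The two legs of the code flow described above and the redirect URI check this section calls for, as an added example (not code from the original note, WSO2 IAM or any OAuth library); the client id, endpoint URLs and registered redirect URIs are constructed placeholders:

```python
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed registry (hypothetical values): redirect URIs each client
# registered with the authorization server when it was onboarded.
REGISTERED_REDIRECT_URIS = {
    "web-app-123": {"https://app.example.com/oauth/callback"},
}


def redirect_uri_allowed(client_id: str, redirect_uri: str) -> bool:
    """Authorization-server side: accept only an exact, pre-registered string.
    No prefix, wildcard or same-host matching, so look-alike values (another
    path, an added query string, a different scheme or host) are refused and
    the server never redirects the code to an arbitrary location."""
    return redirect_uri in REGISTERED_REDIRECT_URIS.get(client_id, set())


def build_authorization_url(authorize_endpoint: str, client_id: str,
                            redirect_uri: str, scope: str):
    """Client side, front channel: the URL the browser is sent to.
    Returns (url, state); the client keeps state in the user's session so
    the later callback can be bound to that session."""
    state = secrets.token_urlsafe(32)
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": scope, "state": state}
    return f"{authorize_endpoint}?{urlencode(params)}", state


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Client side: extract the authorization code from the redirect back,
    refusing it unless state matches the value stored for this session."""
    query = parse_qs(urlsplit(callback_url).query)
    if "error" in query:
        raise ValueError(f"authorization refused: {query['error'][0]}")
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback not bound to this session")
    return query["code"][0]


def token_request_body(code: str, redirect_uri: str, client_id: str) -> dict:
    """Client side, back channel: form fields POSTed to the token endpoint.
    The client authenticates separately (e.g. HTTP Basic with its secret);
    redirect_uri is repeated so the server can compare it with the one used
    in the authorization request."""
    return {"grant_type": "authorization_code", "code": code,
            "redirect_uri": redirect_uri, "client_id": client_id}
```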