Components

OAuth Actors

oauth_actors.png

Resource Owner

resource_owner.png

Client

client.png

OAuth Server

oauth_server.png

  1. Login - it could be:
    1. A simple login page which accepts a username and password and verifies them against the credential database
    2. Enterprise Single Sign-On (SSO) which verifies credentials against Active Directory
  2. Consent Server - which obtains the resource owner's consent to give the client access to the listed resources
  3. Token database - a technical database storing token values and attributes

Both login and consent happen in the Authorization Endpoint.

OAuth Endpoints

oauth_endpoints.png

  • Authorization Endpoint - GET /authorize
    • To get an authorization code which will be used to get a token (Authorization Code Grant)
    • To get Access Token directly (Implicit Grant)
  • Token Endpoint - POST /token
    • To create and get an Access Token or Refresh Token (for Authorization Code Grant, Client Credentials Grant, or Resource Owner Password Credentials Grant)
  • Verification Endpoint - /verify
    • Internally accessible by resource server to verify client's token
    • Not specified in the standard

Endpoint names are not standardised and can be named differently.

Resource Server

resource_server.png

OAuth Endpoints

  • Authorization Endpoint - provided by OAuth server
  • Token Endpoint - provided by OAuth server
  • Redirect Endpoint - provided by client
  • Resource Endpoint - provided by resource server

Authorization Endpoint

authorization_endpoint.png

Token Endpoint

token_endpoint.png

  • grant_type could be Client Credentials, Authorization Code or Resource Owner Password Credentials
  • code is required for the Authorization Code grant type; it is created by the Authorization Endpoint
  • Implicit grant does not use the Token Endpoint

Redirect Endpoint

redirect_endpoint.png

Resource Endpoint

resource_endpoint.png

A token is like a subway ticket: anyone who gets the token can use it to access the resource, so the client should secure the token.

Tokens

  • Access Token (AT) is used by the client to access the resource. It usually has an expiry date, e.g. 30 days
  • Refresh Token (RT) is used by the client to get a new Access Token. It must never be sent to the resource servers.
  • Authorization Code (Code) is usually valid for a couple of minutes, which is enough for the client to use it to get an Access Token. It must never be sent to the resource servers.

Credentials

  • Resource Owner Credential is used only by the resource owner and should never be given to anyone else
  • Client Credential is the client id and client secret registered at the OAuth server. This is used by the client to get Access Token from the OAuth server via the token endpoint.
  • Access Token is used by the client to get resource from the resource server.
  • Refresh Token is used by the client to get a new Access Token from the OAuth server
  • Authorization Code is used by the client to get an Access token

Client Registration

  • Before clients can access the resources, they must first be registered at the OAuth Provider.
  • The client must give its Redirect URI and Required Scopes to the OAuth provider
  • Once successfully registered, the client gets a ClientID and ClientSecret
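The pieces above (client registration with a fixed redirect URI and scopes, the authorization endpoint issuing a short-lived code, the token endpoint handling the authorization_code, refresh_token and client_credentials grants, and the non-standard verification endpoint used by the resource server) fit together as follows. This is an added example written for this page, not code from any OAuth library; the in-memory stores, the scope names, the 120-second code lifetime and the 3600-second access token lifetime are assumptions chosen for illustration.

```python
"""Minimal in-memory model of the OAuth 2.0 components described on this page.
Constructed example: authorization server with an authorization endpoint
(short-lived, single-use codes), a token endpoint (authorization_code,
refresh_token and client_credentials grants) and a verification endpoint
that a resource server would call to check a token before serving a request.
"""
import hmac
import secrets
import time
from dataclasses import dataclass, field

CODE_TTL = 120            # seconds an authorization code stays valid (assumed value)
ACCESS_TOKEN_TTL = 3600   # seconds an access token stays valid (assumed value)


@dataclass
class Client:
    client_id: str
    client_secret: str
    redirect_uri: str      # fixed at registration; codes are only sent here
    scopes: frozenset      # the "required scopes" declared at registration


@dataclass
class AuthorizationServer:
    clients: dict = field(default_factory=dict)         # client_id -> Client
    codes: dict = field(default_factory=dict)           # code -> (client_id, redirect_uri, scope, expires_at)
    tokens: dict = field(default_factory=dict)          # access token -> (client_id, scope, expires_at)
    refresh_tokens: dict = field(default_factory=dict)  # refresh token -> (client_id, scope)

    # Client registration: the OAuth provider hands back ClientID and ClientSecret.
    def register_client(self, redirect_uri, scopes):
        client = Client(secrets.token_urlsafe(8), secrets.token_urlsafe(32),
                        redirect_uri, frozenset(scopes))
        self.clients[client.client_id] = client
        return client.client_id, client.client_secret

    def _authenticate_client(self, client_id, client_secret):
        client = self.clients.get(client_id)
        # Constant-time comparison so the secret check does not leak via timing.
        if client is None or not hmac.compare_digest(client.client_secret, client_secret):
            raise PermissionError("invalid_client")
        return client

    # Authorization endpoint: login and consent are modelled by consent_given.
    def authorize(self, client_id, redirect_uri, scope, consent_given, now=None):
        now = time.time() if now is None else now
        client = self.clients.get(client_id)
        # Exact match against the registered redirect URI: a code must not be sent elsewhere.
        if client is None or redirect_uri != client.redirect_uri:
            raise ValueError("invalid_request")
        if not set(scope) <= client.scopes or not consent_given:
            raise PermissionError("access_denied")
        code = secrets.token_urlsafe(24)
        self.codes[code] = (client_id, redirect_uri, frozenset(scope), now + CODE_TTL)
        return code

    def _issue_tokens(self, client_id, scope, now, with_refresh):
        access = secrets.token_urlsafe(32)
        self.tokens[access] = (client_id, scope, now + ACCESS_TOKEN_TTL)
        result = {"access_token": access, "token_type": "Bearer", "expires_in": ACCESS_TOKEN_TTL}
        if with_refresh:
            refresh = secrets.token_urlsafe(32)
            self.refresh_tokens[refresh] = (client_id, scope)
            result["refresh_token"] = refresh
        return result

    # Token endpoint: every grant authenticates the client with its credentials first.
    def token(self, grant_type, client_id, client_secret, now=None, **params):
        now = time.time() if now is None else now
        client = self._authenticate_client(client_id, client_secret)
        if grant_type == "authorization_code":
            entry = self.codes.pop(params.get("code"), None)  # pop: a code is single-use
            if entry is None:
                raise PermissionError("invalid_grant")
            code_client, code_redirect, scope, expires_at = entry
            # The code must belong to this client, match the redirect URI it was issued for,
            # and still be inside its short validity window.
            if code_client != client_id or code_redirect != params.get("redirect_uri") or now > expires_at:
                raise PermissionError("invalid_grant")
            return self._issue_tokens(client_id, scope, now, with_refresh=True)
        if grant_type == "refresh_token":
            entry = self.refresh_tokens.get(params.get("refresh_token"))
            if entry is None or entry[0] != client_id:
                raise PermissionError("invalid_grant")
            return self._issue_tokens(client_id, entry[1], now, with_refresh=False)
        if grant_type == "client_credentials":
            # No resource owner involved: the token carries only the client's registered scopes.
            return self._issue_tokens(client_id, client.scopes, now, with_refresh=False)
        raise ValueError("unsupported_grant_type")

    # Verification endpoint (not in the standard): the resource server asks whether a
    # presented bearer token is known, unexpired and covers the scope being requested.
    def verify(self, access_token, required_scope, now=None):
        now = time.time() if now is None else now
        entry = self.tokens.get(access_token)
        if entry is None:
            return False
        _, scope, expires_at = entry
        return now <= expires_at and required_scope in scope
```

The `now` parameter exists only so the time-based behaviour (code expiry, access token expiry) can be exercised deterministically; a real server would read the clock. Note that the refresh token and the authorization code never reach `verify`, which is the resource server's only entry point, matching the rule above that neither is ever sent to resource servers.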
