OAUTH2.0 SIMPLIFIED

  • OAuth 2.0 is an authorization framework (RFC 6749), not a single protocol: it defines roles and grant types, and leaves many details (token format, user authentication) to the deployment
  • OAuth 2.0 is specified for HTTP only; in practice every exchange that carries codes, tokens or client credentials must run over TLS (HTTPS)
  • It is an authorization framework, not an authentication service: an access token proves that the client may call an API on the user's behalf, not who the user is
  • It is not backward compatible with OAuth 1.0

Consists of 4 components or roles

  1. Client – Example : ShutterFly.com
    1. Public Client – Cannot keep a client secret confidential (browser-based or native apps), so it cannot securely authenticate itself to the authorization server
    2. Confidential Client – Can keep its credentials confidential (a server-side web app) and securely authenticate itself to the authorization server
  2. Resource Owner – Example: JohnDoe
  3. Authorization Server – Example : Google.com
  4. Resource Server – Example : Picasaweb

Note: The authorization server and the resource server can be the same server


OAuth – Flow

  • Resource Owner (JohnDoe) wants to print photos online
  • He goes to Shutterfly.com to print them
  • Shutterfly.com asks the user to either log in or sign up using
    • Google
    • Facebook
    • LinkedIn etc.
  • The user chooses Google
  • The user is redirected to the Google login page; Shutterfly is not involved in this step and never sees the password
  • The user provides his credentials, which are validated by the Google authorization server
  • On successful validation the user is presented with a consent page asking whether it is OK for Shutterfly to access his data on his behalf, and which data (the requested scope)
  • Google issues an authorization code to Shutterfly by redirecting the user's browser back to Shutterfly's registered redirect URI
  • Shutterfly authenticates itself to Google (client ID and client secret) and exchanges the authorization code for the access token
  • In this example the access token is valid for only 30 minutes and only for the specific album the user chose on the consent page; the lifetime and scope are decided by the authorization server, not by Shutterfly
  • Shutterfly then presents this access token to Picasaweb
  • Picasaweb validates the access token and grants access only to that specific album
  • Shutterfly then prints the photos
  • Note: the user never provided his Picasaweb/Google credentials to Shutterfly

Token Types

  1. AccessToken
    1. Used to access the user's protected resources on the resource server
    2. Carries a scope and a duration/expiration
    3. Scope is granted by the authorization server and enforced by the resource server on every request
    4. Usually a bearer token: whoever holds it can use it, so it must travel only over TLS and must never be logged or placed in URLs
  2. RefreshToken
    1. Issued by the authorization server so the client can obtain a new access token when the current one expires, without sending the user back through login and consent
    2. Optional; issued only if the authorization server supports it for the grant type in use
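The flow walked through above and the two token types are easiest to see with both sides of each exchange in code. The block below is an added, offline simulation written for this page; it is not Google's, Picasaweb's or Shutterfly's code, and every class, endpoint, album name, client secret and the `https://shutterfly.example/cb` redirect URI are this example's own assumptions. It plays the four roles in-process: the authorization server checks the registered redirect URI, issues a single-use authorization code, authenticates the confidential client and issues a 30-minute bearer access token plus a refresh token; the resource server enforces expiry and scope; the client checks the `state` it sent. Two hardening steps the post does not mention are included because a practitioner would add them today: a per-request `state` value (CSRF defence on the callback) and PKCE (RFC 7636), which binds the code to the client that started the flow.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


def pkce_challenge(verifier):
    """S256 code challenge (RFC 7636): base64url(sha256(verifier)) with the '=' padding removed."""
    return base64.urlsafe_b64encode(hashlib.sha256(verifier.encode()).digest()).rstrip(b"=").decode()


class AuthorizationServer:
    """Google's role: logs JohnDoe in, records his consent, issues codes and tokens."""
    ACCESS_LIFETIME, CODE_LIFETIME = 30 * 60, 60  # 30 min as in the post; codes are short-lived and single-use
    def __init__(self, clients):
        self.clients = clients    # client_id -> (client_secret, registered redirect_uri); assumed registration
        self.now = 0.0            # simulated clock (seconds), so expiry can be shown offline
        self.codes = {}           # authorization code -> pending grant
        self.access_tokens = {}   # opaque bearer token -> {"scope", "expires"}
        self.refresh_tokens = {}  # opaque refresh token -> {"client_id", "scope"}
    def authorize(self, client_id, redirect_uri, scope, state, code_challenge):
        """Authorization endpoint; the login and consent pages are assumed to have succeeded."""
        if redirect_uri != self.clients[client_id][1]:
            raise ValueError("redirect_uri does not match the registered value")
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": client_id, "scope": scope, "code_challenge": code_challenge,
                            "expires": self.now + self.CODE_LIFETIME}
        return redirect_uri + "?" + urlencode({"code": code, "state": state})  # sent via the browser
    def _issue_access_token(self, scope):
        token = secrets.token_urlsafe(32)
        self.access_tokens[token] = {"scope": scope, "expires": self.now + self.ACCESS_LIFETIME}
        return {"access_token": token, "token_type": "Bearer", "expires_in": self.ACCESS_LIFETIME}
    def token(self, client_id, client_secret, grant_type, **p):
        """Token endpoint: the confidential client authenticates, then redeems a code or refresh token."""
        if self.clients.get(client_id, (None,))[0] != client_secret:
            raise PermissionError("invalid_client")
        if grant_type == "authorization_code":
            grant = self.codes.pop(p["code"], None)  # pop(): a code can be redeemed only once
            if (grant is None or grant["client_id"] != client_id or grant["expires"] < self.now
                    or pkce_challenge(p["code_verifier"]) != grant["code_challenge"]):
                raise PermissionError("invalid_grant")
            resp = self._issue_access_token(grant["scope"])
            resp["refresh_token"] = secrets.token_urlsafe(32)
            self.refresh_tokens[resp["refresh_token"]] = {"client_id": client_id, "scope": grant["scope"]}
            return resp
        if grant_type == "refresh_token":
            rt = self.refresh_tokens.get(p["refresh_token"])
            if rt is None or rt["client_id"] != client_id:
                raise PermissionError("invalid_grant")
            return self._issue_access_token(rt["scope"])
        raise ValueError("unsupported_grant_type")


class ResourceServer:
    """Picasaweb's role: accepts a bearer token and enforces its expiry and scope."""
    def __init__(self, authz):
        self.authz = authz  # assumption: tokens are validated by looking them up at the authz server
        self.albums = {"album:42": ["beach.jpg", "cake.jpg"], "album:7": ["private.jpg"]}  # constructed data
    def get_album(self, authorization_header, album):
        scheme, _, token = authorization_header.partition(" ")
        info = self.authz.access_tokens.get(token) if scheme == "Bearer" else None
        if info is None or info["expires"] < self.authz.now:
            raise PermissionError("invalid_token")
        if album not in info["scope"].split():  # scope names the one album JohnDoe consented to
            raise PermissionError("insufficient_scope")
        return self.albums[album]


def _denied(fn, *args, **kw):
    try:  # call fn expecting a refusal; return the OAuth error string it raised
        fn(*args, **kw)
    except PermissionError as e:
        return str(e)
    return "no error"


def run_flow():
    """Walk JohnDoe, Shutterfly, Google and Picasaweb through the whole exchange."""
    cb = "https://shutterfly.example/cb"
    google = AuthorizationServer({"shutterfly": ("s3cret", cb)})
    picasa = ResourceServer(google)
    state, verifier = secrets.token_urlsafe(16), secrets.token_urlsafe(32)  # per-request secrets
    redirect = google.authorize("shutterfly", cb, "album:42", state, pkce_challenge(verifier))
    q = {k: v[0] for k, v in parse_qs(urlparse(redirect).query).items()}
    if q["state"] != state:  # a mismatch means the callback was not one Shutterfly started
        raise PermissionError("state mismatch")
    tok = google.token("shutterfly", "s3cret", "authorization_code", code=q["code"], code_verifier=verifier)
    hdr = "Bearer " + tok["access_token"]
    out = {"photos": picasa.get_album(hdr, "album:42"),
           "other_album": _denied(picasa.get_album, hdr, "album:7"),
           "code_replay": _denied(google.token, "shutterfly", "s3cret", "authorization_code",
                                  code=q["code"], code_verifier=verifier)}
    google.now += 31 * 60  # 31 minutes later the access token has expired, so Shutterfly refreshes
    out["after_expiry"] = _denied(picasa.get_album, hdr, "album:42")
    new = google.token("shutterfly", "s3cret", "refresh_token", refresh_token=tok["refresh_token"])
    out["after_refresh"] = picasa.get_album("Bearer " + new["access_token"], "album:42")
    return out
```

`run_flow()` returns the album for the consented scope, `insufficient_scope` for any other album, `invalid_grant` when the same code is redeemed twice, `invalid_token` once the 30 minutes have passed, and the album again after the refresh token has been exchanged for a fresh access token. Note what never happens: the resource server never sees a password, and the client never sees one either.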

Supports 4 flow types (grant types)

  1. Authorization code grant flow – the flow walked through above; the recommended choice for web and native apps
  2. Implicit grant flow – the access token is returned directly in the redirect URL; no longer recommended, since the token is exposed to the browser and cannot be bound to the client
  3. Resource owner password credentials flow – the client collects the user's password itself; no longer recommended, since it gives the client the very credentials OAuth was meant to keep from it
  4. Client credentials grant flow – the client acts on its own behalf with no resource owner involved (service-to-service calls)
Cheat Sheet To JAVA Latest Technology