Oauth - Flow (Abstract Protocol Flow)


1 - About

The abstract OAuth 2.0 flow (RFC 6749 §1.2) describes the interaction between the four roles defined by the framework: the resource owner, the resource server, the client and the authorization server.


3 - Type

4 - Prerequisites

Before initiating the protocol (flow), the client must register with the authorization server (RFC 6749 §2). Registration is what lets the authorization server later recognise the client: it establishes the client type, the client identifier and the redirection URI(s) the client is allowed to use, which the authorization server checks against the redirection requests it receives.

5 - Steps

5.1 - Direct

Flow when the client requests authorization from the resource owner directly (RFC 6749 §1.2, figure 1). This is the simplest form of the exchange; the indirect form below is the preferred one.

Flow:

  (A) The client requests authorization from the resource owner.
  (B) The client receives an authorization grant, a credential representing the resource owner's authorization.
  (C) The client requests an access token by authenticating with the authorization server and presenting the authorization grant.
  (D) The authorization server authenticates the client, validates the authorization grant and, if valid, issues an access token.
  (E) The client requests the protected resource from the resource server and authenticates by presenting the access token.
  (F) The resource server validates the access token and, if valid, serves the request.

where:

  resource owner: the entity (typically the end-user) able to grant access to a protected resource
  resource server: the server hosting the protected resources, which accepts requests that carry an access token
  client: the application making protected resource requests on behalf of the resource owner
  authorization server: the server that issues access tokens to the client after authenticating the resource owner and obtaining authorization


5.2 - Indirect

An indirect flow is preferred. The client asks for authorization through the authorization endpoint (i.e. the authorization server), which acts as an intermediary between the client and the resource owner: the resource owner authenticates with the authorization server, not with the client, so the client never sees the owner's credentials.

An indirect flow is a redirection-based flow.

Example: the authorization code grant (RFC 6749 §1.3.1), where the client sends the resource owner's user-agent to the authorization server, and the authorization server sends it back to the client with an authorization code.

6 - Redirection-based

A redirection-based flow means that, during the flow, the client (app) and the authorization server endpoints reply by directing the resource owner's user-agent (the end-user's browser) to another destination via an HTTP redirection (RFC 6749 §3.1.2).

The HTTP 302 status code is the usual mechanism, but any other method available via the user-agent to accomplish this redirection is allowed and is considered an implementation detail.

The client must then be capable of:

  interacting with the resource owner's user-agent (typically a web browser)
  receiving incoming requests (via redirection) from the authorization server, at the redirection endpoint registered for the client

Because the user-agent carries parameters between the two parties, each side must validate what arrives through it: the authorization server only redirects to a redirection URI that exactly matches one registered by the client, and the client only accepts a redirected response whose state parameter matches the one it issued for that user-agent session.

All redirection-based flows are indirect.
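The following is an added example, not code from the original page: a minimal Python model of the redirection-based exchange above (the authorization code variant), together with the registration prerequisite from section 4. All client identifiers, URLs and the registration table are constructed for the example. It shows both sides: the client building the first redirection and checking the state on the way back, and the authorization server refusing to redirect to an unregistered redirection URI.

```python
"""Added example (not the original page's code): a minimal model of the
redirection-based part of the OAuth 2.0 abstract flow (authorization code
grant), showing the registration prerequisite and the checks each side
performs.  All names, URLs and identifiers here are constructed."""
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

AUTHORIZATION_ENDPOINT = "https://as.example/authorize"  # assumed URL

# Prerequisite: the client registered its client_id and its exact
# redirection URI with the authorization server before the flow starts.
REGISTERED_CLIENTS = {
    "client-abc": {"redirect_uris": {"https://client.example/cb"}},
}


def _param(query, name):
    """First value of a query parameter, or None if absent."""
    return query.get(name, [None])[0]


def _redirect(uri, **params):
    """Build the Location value of an HTTP 302 sent through the user-agent."""
    return uri + "?" + urlencode({k: v for k, v in params.items() if v is not None})


class Client:
    """The OAuth client (app); remembers the state values it handed out."""

    def __init__(self, client_id, redirect_uri):
        self.client_id = client_id
        self.redirect_uri = redirect_uri
        self.pending_states = set()

    def authorization_redirect(self, scope="read"):
        """Step 1: Location for the 302 that sends the user-agent to the AS."""
        state = secrets.token_urlsafe(16)  # CSRF token tied to this user-agent session
        self.pending_states.add(state)
        return _redirect(AUTHORIZATION_ENDPOINT, response_type="code",
                         client_id=self.client_id, redirect_uri=self.redirect_uri,
                         scope=scope, state=state)

    def receive_redirect(self, url):
        """Step 3: handle the incoming request the AS sent via redirection.
        Returns ('ok', code) or ('rejected', reason)."""
        query = parse_qs(urlsplit(url).query)
        state = _param(query, "state")
        if state not in self.pending_states:
            return ("rejected", "unknown or replayed state (possible CSRF)")
        self.pending_states.discard(state)  # one-time use
        if "error" in query:
            return ("rejected", "authorization error: " + query["error"][0])
        return ("ok", query["code"][0])


class AuthorizationServer:
    """The authorization endpoint side of the exchange."""

    def __init__(self, registered_clients):
        self.registered = registered_clients
        self.issued_codes = {}

    def authorize(self, request_url, owner_approves):
        """Step 2: validate the request, consult the resource owner, and
        return the Location of the 302 back to the client."""
        query = parse_qs(urlsplit(request_url).query)
        client = self.registered.get(_param(query, "client_id"))
        redirect_uri = _param(query, "redirect_uri")
        state = _param(query, "state")
        # redirect_uri must exactly match a registered one.  If it does not,
        # the AS must not redirect at all; otherwise it would deliver the
        # code to an attacker-chosen destination (open redirector).
        if client is None or redirect_uri not in client["redirect_uris"]:
            raise ValueError("invalid client_id or redirect_uri; not redirecting")
        if _param(query, "response_type") != "code":
            return _redirect(redirect_uri, error="unsupported_response_type", state=state)
        if not owner_approves:
            return _redirect(redirect_uri, error="access_denied", state=state)
        code = secrets.token_urlsafe(24)
        self.issued_codes[code] = (_param(query, "client_id"), redirect_uri)
        return _redirect(redirect_uri, code=code, state=state)


def run_flow(owner_approves=True, redirect_uri="https://client.example/cb",
             tamper_state=False):
    """Drive one round trip through the user-agent; return the client's outcome."""
    client = Client("client-abc", redirect_uri)
    server = AuthorizationServer(REGISTERED_CLIENTS)
    to_as = client.authorization_redirect()                   # 302 #1: user-agent -> AS
    try:
        back = server.authorize(to_as, owner_approves)        # 302 #2: user-agent -> client
    except ValueError as exc:
        return ("rejected", str(exc))
    if tamper_state:  # simulate a forged callback carrying someone else's state
        back = back.replace("state=", "state=forged")
    return client.receive_redirect(back)


if __name__ == "__main__":
    print(run_flow())
    print(run_flow(owner_approves=False))
    print(run_flow(redirect_uri="https://evil.example/cb"))
    print(run_flow(tamper_state=True))
```

The two raise/return paths are deliberate: a mismatched redirection URI is rejected by the authorization server without any redirect, because redirecting to the supplied value is exactly what an attacker wants, whereas a denied or malformed but correctly addressed request is reported back to the client through the user-agent, with the state echoed so the client can still tie the answer to its own session.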

7 - Documentation / Reference

RFC 6749, The OAuth 2.0 Authorization Framework: §1.2 Protocol Flow, §1.3.1 Authorization Code, §2 Client Registration, §3.1.2 Redirection Endpoint

security/auth/oauth/flow.txt · Last modified: 2019/04/30 20:46 by gerardnico