OAuth 2.0 - Authorization framework


1 - About

This section covers OAuth 2.0, which replaces OAuth 1.0.

The following two specifications provide a general framework for third-party applications (known as the client) to obtain and use limited access to HTTP resources (a page, an image, ...):

In OAuth, for instance, an end-user (resource owner) can grant a printing service (client) access to her protected photos stored at a photo-sharing service (resource server), without sharing her username and password with the printing service. Instead, she authenticates directly with a server trusted by the photo-sharing service (authorization server), which issues the printing service delegation-specific credentials (i.e. an access token).

It allows arbitrary clients (apps), first-party and third-party alike, to access a user's (resource owner's) resources on resource servers by way of authorization servers.

2 - Role and flow

The OAuth specification defines four roles in the authorization process: the resource owner, the client, the resource server and the authorization server.

It separates the role of the client (the app) from that of the resource owner (the user).

In OAuth, the client (the app) requests access to protected resources controlled by the resource owner (the user) (and hosted by the resource server), and is issued a different set of credentials than those of the resource owner (the user).

Instead of using the resource owner's credentials to access these protected resources, the client obtains an access token (and optionally a refresh token).

The OAuth 2.0 specification defines four grant types, each with its own authorization flow.
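The four roles above, modelled as an added in-memory example (not code from the original page): the resource owner authenticates only with the authorization server, the client receives nothing but a scoped, expiring access token, and the resource server checks that token with the authorization server before releasing the photos. Class and function names (AuthorizationServer, PhotoService, printing_service) and the sample users and photos are hypothetical, constructed for this illustration.

```python
import hmac
import secrets
import time

class AuthorizationServer:
    # Trusted by the resource server: authenticates the owner, issues tokens.
    def __init__(self, users):
        self._users = users    # username -> password (constructed sample data)
        self._tokens = {}      # opaque token -> {owner, client, scope, exp}

    def authorize(self, username, password, client_id, scope, ttl=300):
        # The resource owner authenticates here, never with the client.
        if not hmac.compare_digest(self._users.get(username, ""), password):
            raise PermissionError("resource owner authentication failed")
        token = secrets.token_urlsafe(32)
        self._tokens[token] = {"owner": username, "client": client_id,
                               "scope": frozenset(scope), "exp": time.time() + ttl}
        return token

    def introspect(self, token):
        # Lets the resource server check validity, expiry and granted scope.
        info = self._tokens.get(token)
        return None if info is None or info["exp"] < time.time() else info

class PhotoService:
    # Resource server: hosts the protected photos and enforces token scope.
    def __init__(self, auth_server, photos):
        self._auth = auth_server
        self._photos = photos  # owner -> photo names (constructed sample data)

    def get_photos(self, token):
        info = self._auth.introspect(token)
        if info is None:
            raise PermissionError("invalid or expired access token")
        if "photos:read" not in info["scope"]:
            raise PermissionError("token lacks photos:read scope")
        return list(self._photos.get(info["owner"], []))

def printing_service(photo_service, token):
    # Client: holds only the delegated token, never the owner's password.
    return photo_service.get_photos(token)

def demo():
    auth = AuthorizationServer({"alice": "correct horse battery"})
    photos = PhotoService(auth, {"alice": ["beach.jpg", "cat.jpg"]})
    # Alice authenticates at the authorization server; the client gets only the token.
    token = auth.authorize("alice", "correct horse battery",
                           client_id="printing-service", scope=["photos:read"])
    return printing_service(photos, token)
```

A token issued for a different scope, an expired token or a made-up token string is rejected by the resource server, which is what limits the printing service to exactly the access the owner delegated.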


3 - Documentation / Reference

security/auth/oauth/start.txt · Last modified: 2019/05/11 17:40 by gerardnico