JBoss Community Archive (Read Only)

PicketLink

OAuth Theory

This article briefly describes the core OAuth concepts. In addition to this page, we recommend reading the references at the bottom.


Grant Types

OAuth2 supports the following four grant types.

  1. Authorization Code

  2. Implicit

  3. Resource Owner Password Credentials

  4. Client Credentials

Authorization Code Grant Type

This grant type is primarily used for confidential clients, and it is used to obtain both access tokens and refresh tokens.
The flow is based on redirection: the client must support being redirected by the server, so the client is usually a browser.

Steps

  • The client uses a browser to access the authorization server and provides, at a minimum, its Client Identifier and Redirection URI.

  • The Authorization Server asks the user (who owns the protected resource) to authenticate and to approve access to the resource.

  • The Authorization Server provides an authorization code to the client.

  • The client now uses the authorization code and the redirection URI to request an access token.

  • The Authorization Server validates the authorization code and the redirection URI, uses the redirection URI to redirect the client, and provides an access token (with an optional refresh token).

Implicit Code Grant Type

This grant type is used when the application has a fixed redirection URI. The clients are typically browser-based JavaScript applications.
The flow is based on redirection: the client must support being redirected by the server, so the client is usually a browser.

There is no client authentication and no request for an authorization code.

Refresh tokens are not issued in this grant.

Resource Owner Password Credentials Grant Type

This grant type is used where the client (such as the New York Times mobile app) has a trust relationship with a resource owner (such as Twitter). It should be used only when the authorization code or implicit grant types cannot be used.

Steps

  • The client (such as a news mobile app) obtains the resource owner's (such as a Twitter user's) credentials.

  • The client sends the username and credentials to the authorization server (such as Twitter).

  • The authorization server validates the credentials and issues an access token to the client.

  • The client keeps the access token and discards the resource owner's credentials. (IMPORTANT)

  • The client can then access the resource (make posts on Twitter, read Twitter posts, etc.) using the access token.

Client Credentials Grant Type

In this grant type the client uses its own credentials with the OAuth Authorization Server to obtain an access token. This grant type MUST be used only by confidential clients.

Exchanges

  1. The OAuth Client registers an OAuth application with the OAuth server. The input is usually the app name, app URL and an app description. As noted below, the registration can also be done offline using the server web application.

  2. The OAuth Client needs access to a protected resource. To do this, it needs an access token, which is time sensitive.

  3. Since the Access Token has an expiry, the OAuth Client can request an intermediate Authorization Code that allows users to authorize access to their resources once for the OAuth application. Once the OAuth application has an authorization code, it can request an access token and/or refresh token from the server. Refresh tokens are used to renew expired access tokens.

  4. Access Tokens are attached to one or more scopes, so scope can be a parameter of the access token request. Remember that the server may ignore one or more requested scopes when generating access tokens.
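The authorization code steps above and the exchange just described, modelled as an added example (not PicketLink code): a toy authorization server that binds each code to the client and redirection URI, accepts it exactly once before it expires, authenticates the confidential client on the token request, and narrows the requested scope to what the registered client is allowed. The client record, secret, URLs and TTLs are constructed values.

```python
import secrets
import time

# Constructed registration record for one confidential client (made-up values).
CLIENTS = {
    "news-app": {"secret": "s3cr3t-example",
                 "redirect_uri": "https://news.example/cb",
                 "scopes": {"read", "post"}},
}

class AuthorizationServer:
    """Minimal model of the authorization-code exchange (server side only)."""

    def __init__(self, code_ttl=60, token_ttl=3600, now=time.time):
        self.now, self.code_ttl, self.token_ttl = now, code_ttl, token_ttl
        self._codes = {}    # code -> (client_id, redirect_uri, user, scopes, expiry)
        self._refresh = {}  # refresh_token -> (client_id, user, scopes)

    def authorize(self, client_id, redirect_uri, user, scope):
        """Steps 1-3: after the user approves, issue a one-time code bound to
        the client identifier and the redirection URI it presented."""
        client = CLIENTS.get(client_id)
        # Unknown client or unregistered redirection URI: issue nothing at all.
        if client is None or redirect_uri != client["redirect_uri"]:
            raise ValueError("invalid_request")
        granted = set(scope.split()) & client["scopes"]  # server may drop scopes
        code = secrets.token_urlsafe(32)
        self._codes[code] = (client_id, redirect_uri, user, granted,
                             self.now() + self.code_ttl)
        return code

    def token(self, client_id, client_secret, code, redirect_uri):
        """Steps 4-5: authenticate the confidential client, validate the code
        against the bound client and redirection URI, then issue tokens."""
        client = CLIENTS.get(client_id)
        if client is None or not secrets.compare_digest(client_secret, client["secret"]):
            return {"error": "invalid_client"}
        entry = self._codes.pop(code, None)  # pop: a code is usable exactly once
        if entry is None:
            return {"error": "invalid_grant"}
        bound_client, bound_uri, user, scopes, expiry = entry
        if bound_client != client_id or bound_uri != redirect_uri or self.now() > expiry:
            return {"error": "invalid_grant"}
        refresh = secrets.token_urlsafe(32)
        self._refresh[refresh] = (client_id, user, scopes)  # for later renewal
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "expires_in": self.token_ttl, "refresh_token": refresh,
                "scope": " ".join(sorted(scopes))}
```

The three `invalid_grant` paths (unknown or replayed code, mismatched redirection URI, expired code) are the checks the fifth step of the flow relies on; a server that skips any of them lets a code leaked from one redirect be redeemed elsewhere.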

Possible changes to the exchange

The following variations on what is shown in the diagram may occur in an OAuth exchange:

  1. The OAuth application registration may be performed in an OAuth Provider web application to yield a client id and secret. There is no explicit requirement for the OAuth Client itself to perform the registration.

  2. The Authorization Server and Token Server can be one and the same. There is no major need to separate them.

The exchanges between an OAuth Client and Server are represented by the following diagram.

[Diagram: OAuth.png, exchanges between an OAuth Client and Server]

References

JBoss.org Content Archive (Read Only), exported from JBoss Community Documentation Editor at 2020-03-11 12:19:17 UTC, last content change 2012-12-12 20:25:45 UTC.