This document discusses OAuth and how it allows third-party applications to access a user's resources like contacts or photos from services like Google or Facebook without sharing the user's passwords. It describes registering clients, the authorization code flow, and demonstrates OAuth with Google and Facebook using .NET. Key points are that OAuth is not about authentication but permission, and allows resources to be shared securely without giving passwords to third parties.
12. OAuth allows you to give a third-party application the permission to use some of your resources on a resource server without giving the third party your user name and password on the resource server.
20. Authorization Code Flow Under the Covers
[Diagram: You (Resource Owner), Client, Authorization Server and Resource Server, connected by steps 1 to 5; step 4 is labelled "Exchange auth code for access token".]
22. Authorization Code Flow Under the Covers
Steps 1 and 2: the Client sends You (the Resource Owner) to the Authorization Server with a GET carrying:
• client_id: Who is making this request?
• scope: What do they want to know about the user?
• response_type (reserved: code): What do they want from me just now?
• redirect_uri: Where should I send them this stuff?
• state (optional but recommended): CSRF token
23. Authorization Code Flow Under the Covers
Step 2: the Authorization Server answers You with a RESPONSE (302) carrying either:
• code (authorization code): Location: client_redirect_uri?code=ljfvknfANB3454
Or
• error: Location: client_redirect_uri?error=access_denied
• state (CSRF token), if you’d sent it
24. Authorization Code Flow Under the Covers
Step 3: You follow the redirect, so the Client receives a GET carrying either:
• code (authorization code): client_redirect_uri?code=ljfvknfANB3454
Or
• error: client_redirect_uri?error=access_denied
25. Authorization Code Flow Under the Covers
Step 4: the Client exchanges the auth code for an access token with a GET or POST to the Authorization Server carrying:
• client_id: Who is making this request?
• client_secret: What’s the password I gave you earlier? Prove your identity.
• grant_type: What’s this flow? Oh, you’re a web server, so this must be the “authorization code” flow.
• code: Okay, show us the authorization code?
• state (optional but recommended): CSRF token
26. Authorization Code Flow Under the Covers
Step 4: the Authorization Server’s RESPONSE (query string or request body) carries:
• access_token
• state (optional but recommended): CSRF token
27. Authorization Code Flow Under the Covers
Step 5: the Client calls the Resource Server with a GET or POST carrying:
• access_token: as querystring or request body, or as basic authentication / bearer authentication (HTTP Authorization header)
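The parameters from slides 22 to 27 carried through as one client-side flow, as an added example in Python (not code from the deck, which demonstrates the flow in .NET). The client id, secret, endpoint and redirect URI are constructed placeholders; the authorization code is the one shown on slide 23, and redirect_uri in the token request is added from RFC 6749 rather than from the slides.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed client registration values (placeholders, not a real provider's).
CLIENT_ID = "example-client-id"
CLIENT_SECRET = "example-client-secret"
REDIRECT_URI = "https://client.example/callback"
AUTHORIZE_ENDPOINT = "https://auth.example/authorize"

def build_authorization_request(scope, state=None):
    """Steps 1 and 2: the GET the Client sends You to at the Authorization Server.
    Returns (url, state); the Client keeps state in the user's session."""
    state = state or secrets.token_urlsafe(32)  # CSRF token: unguessable, per session
    params = {
        "client_id": CLIENT_ID,        # who is making this request?
        "scope": scope,                # what do they want to know about the user?
        "response_type": "code",       # what do they want just now? an auth code
        "redirect_uri": REDIRECT_URI,  # where should the code be sent?
        "state": state,                # echoed back by the server, checked on return
    }
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params), state

def handle_redirect(location, expected_state):
    """Step 3: the Client receives the Location the server redirected You to.
    Returns the authorization code; raises on error or on a state mismatch."""
    query = parse_qs(urlparse(location).query)
    # Check state before trusting code or error: a missing or wrong value means
    # this callback was not started by this session (CSRF), so it is dropped.
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback rejected")
    if "error" in query:
        raise PermissionError("authorization failed: " + query["error"][0])
    return query["code"][0]

def build_token_request(code):
    """Step 4: body the Client sends the Authorization Server to exchange the code
    (redirect_uri is required by RFC 6749 when it was sent in step 1)."""
    return {
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,  # proves the Client's identity
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
    }

def bearer_header(access_token):
    """Step 5: the access token sent to the Resource Server as bearer authentication."""
    return {"Authorization": "Bearer " + access_token}
```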
28. Authorization Code Flow Under the Covers
[Diagram, repeated from slide 20: You (Resource Owner), Client, Authorization Server and Resource Server, connected by steps 1 to 5; step 4 is labelled "Exchange auth code for access token".]
29. Roles
• You, the resource owner
• Client, the server side web app
• Resource server
• Authorization Server