OAuth 2.0
OBTAINING AUTHORIZATION
Grant Types
1. Authorization Code Grant
2. Implicit Grant
3. Resource Owner Password Credentials Grant
4. Client Credentials Grant
Authorization Code Grant
- Used to obtain both Access Tokens and Refresh Tokens
- Optimized for confidential clients
- Redirection-based flow
Authorization Code Grant
FLOW
A. The resource owner’s user-agent is directed to the authorization endpoint. The client includes:
- Client Identifier
- Requested Scope
- Local State
- Redirection URI
B. The authorization server authenticates the user via the user-agent and grants or rejects the
authorization.
C. The user-agent is redirected back to the “Redirection URI” with an Authorization Code.
D. The client requests an access token from the authorization server’s Token Endpoint by
presenting the Authorization Code. The client is also authenticated to the server. The client
sends the Redirection URI as a means of confirmation.
E. The authorization server authenticates the client, validates the authorization code,
compares the Redirection URI to the one in step C, and returns an Access Token and,
optionally, a Refresh Token.
Authorization Code Grant
AUTHORIZATION REQUEST
- The client constructs the request URI by adding the following parameters to the query
component of the authorization endpoint URI:
  - response_type (REQUIRED) must be set to “code”
  - client_id (REQUIRED)
  - redirect_uri (OPTIONAL)
  - scope (OPTIONAL) the requested scope
  - state (RECOMMENDED) a value the client uses to tie the callback to the
request it issued
Example:
GET /authorize?response_type=code&client_id=s6BhdRkqt3&state=xyz
    &redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb HTTP/1.1
Host: server.example.com
Authorization Code Grant
AUTHORIZATION RESPONSE
- If the Authorization Server grants the permission, it redirects the user-agent back to the
client by adding the following to the Redirection URI:
  - code (REQUIRED) the Authorization Code generated, which must expire shortly
after it has been issued (maximum lifetime: 10 minutes)
  - NOTE: This code must only be used once. If the server detects more than one use, it must
deny the request and revoke all tokens previously issued for that code.
  - state (REQUIRED) the exact value received in the client request
Example:
HTTP/1.1 302 Found
Location: https://client.example.com/cb?code=SplxlOBeZQQYbYS6WxSbIA&state=xyz
Authorization Code Grant
AUTHORIZATION RESPONSE – Error Response
- In case of error, the resource owner is informed and is NOT redirected automatically.
- The error URI contains:
  - error (REQUIRED) ASCII, one of the following:
invalid_request, unauthorized_client, access_denied,
unsupported_response_type, invalid_scope, server_error, temporarily_unavailable
  - error_description (OPTIONAL) human-readable, ASCII
  - error_uri (OPTIONAL) human-readable web page
  - state (REQUIRED) same value as in the client request
Example:
HTTP/1.1 302 Found
Location: https://client.example.com/cb?error=access_denied&state=xyz
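As an added example (not part of the slide deck), the client side of the flow described above in Python: the authorization request is built with a freshly generated state value, the state is checked on the callback before either a code or an error is trusted, and the form body for the token request of step D is prepared. The client_id and redirect URI are the ones in the slide's example request; the authorization endpoint URL, the function names and the CallbackError type are assumptions.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed values: client_id and redirect URI are those in the slide's
# example request; the authorization endpoint URL is an assumption.
AUTHORIZE_ENDPOINT = "https://server.example.com/authorize"
CLIENT_ID = "s6BhdRkqt3"
REDIRECT_URI = "https://client.example.com/cb"

# Error codes the authorization endpoint may return in the callback.
ERROR_CODES = {
    "invalid_request", "unauthorized_client", "access_denied",
    "unsupported_response_type", "invalid_scope", "server_error",
    "temporarily_unavailable",
}


class CallbackError(Exception):
    pass


def new_state() -> str:
    """Unguessable per-request state. The client keeps it in the user's
    session and compares it with the state echoed back in the callback."""
    return secrets.token_urlsafe(32)


def build_authorization_request(state: str, scope: str = "") -> str:
    """Step A: the URI the user-agent is sent to (response_type=code)."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "state": state,
    }
    if scope:
        params["scope"] = scope
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def handle_callback(callback_url: str, expected_state: str) -> str:
    """Step C: validate the redirect the user-agent brings back and return
    the authorization code; raise CallbackError on any mismatch or error."""
    query = parse_qs(urlsplit(callback_url).query)
    state = query.get("state", [None])[0]
    # state is REQUIRED in both success and error callbacks. Check it before
    # looking at anything else, in constant time, so that a callback not
    # started by this session cannot plant a code into it.
    if state is None or not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise CallbackError("state mismatch: callback not tied to this session")
    if "error" in query:
        error = query["error"][0]
        if error not in ERROR_CODES:
            error = "unknown_error"
        raise CallbackError(f"authorization server returned {error}")
    codes = query.get("code", [])
    if len(codes) != 1:
        raise CallbackError("callback must carry exactly one code")
    return codes[0]


def build_token_request(code: str) -> dict:
    """Step D: form body for the token endpoint. redirect_uri is repeated so
    the server can compare it with the one used in the authorization request."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
    }
```

The state value is the only thing binding the callback to the session that started the flow, which is why it is compared before the code or error parameter is even looked at.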
Authorization Code Grant
ACCESS TOKEN REQUEST
- The client makes a request to the token endpoint with the following
parameters:
  - grant_type (REQUIRED) must be set to “authorization_code”
  - code (REQUIRED) authorization code received from the authorization
server
  - redirect_uri (REQUIRED) identical to the value in the authorization request
  - client_id (REQUIRED) if the client is not authenticating with the
authorization server
*NOTE: If the client type is confidential or the client was issued client
credentials, the client must authenticate with the authorization server.
Authorization Code Grant
ACCESS TOKEN REQUEST - Continued
Example:
POST /token HTTP/1.1
Host: server.example.com
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA
    &redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb
Authorization Code Grant
ACCESS TOKEN REQUEST - Continued
- The authorization server must:
  - Require client authentication for confidential clients or clients that were issued
client credentials
  - Authenticate the client if client credentials are included
  - Ensure the authorization code was issued to the authenticated client
  - If the client is public, verify that the client_id matches the one the code was issued to
  - Verify that the authorization code is valid
  - Ensure that the redirect_uri parameter is present if redirect_uri was included in the
initial authorization request and, if included, ensure the values are identical.
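The token-endpoint checks listed above, as an added Python example that is not the deck's own code: HTTP Basic client authentication, code ownership, single use with revocation of the tokens already issued for a reused code, the ten-minute expiry from the earlier slide, and the redirect_uri comparison. The in-memory AuthorizationServer class, its method names and the Bearer token response are assumptions; the Basic header used in the test is the one from the slide's example request, which decodes to client_id s6BhdRkqt3 with secret gX1fBat3bV.

```python
import base64
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

CODE_LIFETIME_SECONDS = 600  # the ten-minute maximum stated on the slide


@dataclass
class RegisteredClient:
    client_id: str
    client_secret: Optional[str]  # None marks a public client (no credentials issued)


@dataclass
class IssuedCode:
    client_id: str
    redirect_uri: Optional[str]   # redirect_uri from the authorization request, if any
    issued_at: float
    used: bool = False


class TokenError(Exception):
    """Carries the token-endpoint error code to return to the client."""


class AuthorizationServer:
    """Assumed in-memory server; real deployments persist codes and tokens."""

    def __init__(self) -> None:
        self.clients: Dict[str, RegisteredClient] = {}
        self.codes: Dict[str, IssuedCode] = {}
        self.active_tokens: Dict[str, str] = {}  # access token -> code it was issued for

    def register(self, client: RegisteredClient) -> None:
        self.clients[client.client_id] = client

    def issue_code(self, client_id: str, redirect_uri: Optional[str], now: float) -> str:
        """Called by the authorization endpoint after the resource owner consents."""
        code = secrets.token_urlsafe(24)
        self.codes[code] = IssuedCode(client_id, redirect_uri, now)
        return code

    def authenticate_client(self, headers: dict, form: dict) -> RegisteredClient:
        """HTTP Basic client authentication; public clients may instead pass client_id."""
        auth = headers.get("Authorization", "")
        if auth.startswith("Basic "):
            try:
                cid, _, secret = base64.b64decode(auth[6:]).decode().partition(":")
            except ValueError:
                raise TokenError("invalid_client")
            client = self.clients.get(cid)
            if (client is None or client.client_secret is None
                    or not hmac.compare_digest(secret.encode(), client.client_secret.encode())):
                raise TokenError("invalid_client")
            return client
        # No credentials presented: acceptable only for a public client.
        client = self.clients.get(form.get("client_id", ""))
        if client is None or client.client_secret is not None:
            raise TokenError("invalid_client")
        return client

    def _revoke_tokens_for(self, code: str) -> None:
        for token in [t for t, c in self.active_tokens.items() if c == code]:
            del self.active_tokens[token]

    def token(self, headers: dict, form: dict, now: Optional[float] = None) -> dict:
        """Token endpoint for grant_type=authorization_code."""
        now = time.time() if now is None else now
        if form.get("grant_type") != "authorization_code":
            raise TokenError("unsupported_grant_type")
        client = self.authenticate_client(headers, form)
        code = form.get("code", "")
        issued = self.codes.get(code)
        # The code must exist and must have been issued to this very client.
        if issued is None or issued.client_id != client.client_id:
            raise TokenError("invalid_grant")
        # A second presentation means the code has leaked: reject it and
        # revoke every token already issued on the basis of it.
        if issued.used:
            self._revoke_tokens_for(code)
            raise TokenError("invalid_grant")
        if now - issued.issued_at > CODE_LIFETIME_SECONDS:
            raise TokenError("invalid_grant")
        # redirect_uri must be repeated, and match, whenever it was part of
        # the authorization request.
        if issued.redirect_uri is not None and form.get("redirect_uri") != issued.redirect_uri:
            raise TokenError("invalid_grant")
        issued.used = True
        access_token = secrets.token_urlsafe(32)
        self.active_tokens[access_token] = code
        return {
            "access_token": access_token,
            "token_type": "Bearer",
            "expires_in": 3600,
            "refresh_token": secrets.token_urlsafe(32),
        }
```

The `now` parameter exists so the expiry and reuse rules can be exercised deterministically; in production it is simply the current time.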
Authorization Code Grant
ACCESS TOKEN RESPONSE
Example of a token response:
HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache

{
"access_token":"2YotnFZFEjr1zCsicMWpAA",
"token_type":"example",
"expires_in":3600,
"refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA",
"example_parameter":"example_value"
}
Implicit Grant
- Used to obtain Access Tokens (not Refresh Tokens)
- Optimized for public clients, which operate at a particular Redirection URI
- Clients are typically implemented in a browser using a scripting language such as
JavaScript
- Redirection-based flow
- The client interacts with the user-agent and receives incoming requests via redirection
by the server
- As opposed to the Authorization Code grant type, the access token is issued directly in
response to the single authorization request, with no separate token request
- Doesn’t include client authentication and relies on the resource owner’s presence.
- The access token is encoded into the redirection URI and exposed to every app
residing on the user’s device
Implicit Grant
FLOW
A. The user-agent is directed to the authorization endpoint. The client includes:
- client_id
- scope
- local state
- redirection URI
B. The authorization server authenticates the resource owner and requests the scope
C. The user-agent is redirected to the Redirection URI. The URI contains the access token in the
URI fragment
D. The user-agent follows the redirection instructions by making a request to the web-hosted
client resource
E. The web-hosted client resource returns a web page (HTML + script) which accesses the full
redirection URI including the fragment
F. The user-agent extracts the access token using the script
G. The user-agent passes the access token to the client
Implicit Grant
AUTHORIZATION REQUEST
- The client constructs the authorization request URI by adding the following parameters to
the authorization endpoint URI:
  - response_type (REQUIRED) must be set to “token”
  - client_id (REQUIRED)
  - redirect_uri (OPTIONAL)
  - scope (OPTIONAL)
  - state (RECOMMENDED)
Example:
GET /authorize?response_type=token&client_id=s6BhdRkqt3&state=xyz
    &redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb HTTP/1.1
Host: server.example.com
Implicit Grant
AUTHORIZATION REQUEST - Continued
- The authorization server validates the parameters and authenticates the
resource owner.
- After deciding to grant or reject the authorization, it redirects the user-agent
to the Redirection URI
Implicit Grant
ACCESS TOKEN RESPONSE
- The Access Token response contains:
  - access_token (REQUIRED)
  - token_type (REQUIRED) Bearer, MAC, … [case insensitive]
  - expires_in (RECOMMENDED) lifetime in seconds
  - scope (OPTIONAL)
  - state (REQUIRED)
NOTE: The authorization server must not issue a refresh token!
Example:
HTTP/1.1 302 Found
Location: http://example.com/cb#access_token=2YotnFZFEjr1zCsicMWpAA
    &state=xyz&token_type=example&expires_in=3600
Implicit Grant
ACCESS TOKEN RESPONSE – Error Response
- In case of error, the resource owner is informed and is NOT redirected automatically.
- The error URI contains:
  - error (REQUIRED) ASCII, one of the following:
invalid_request, unauthorized_client, access_denied,
unsupported_response_type, invalid_scope, server_error, temporarily_unavailable
  - error_description (OPTIONAL) human-readable, ASCII
  - error_uri (OPTIONAL) human-readable web page
  - state (REQUIRED) same value as in the client request
Example:
HTTP/1.1 302 Found
Location: https://client.example.com/cb#error=access_denied&state=xyz
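An added Python example (not from the deck) of what the client-side script from steps E and F must check before it uses the token carried in the fragment of the responses shown above: the state matches the one the client sent, the token did not end up in the query component (which the user-agent would have sent to the web-hosted client resource), the required fields are present, and no refresh token was issued. The function name, the error type and the integer conversion of expires_in are assumptions; the sample Location values are the ones on the slides.

```python
import hmac
from urllib.parse import parse_qs, urlsplit

# Error codes the authorization endpoint may return in the fragment.
ERROR_CODES = {
    "invalid_request", "unauthorized_client", "access_denied",
    "unsupported_response_type", "invalid_scope", "server_error",
    "temporarily_unavailable",
}


class ImplicitResponseError(Exception):
    pass


def parse_implicit_response(location: str, expected_state: str) -> dict:
    """Validate the Location header of the authorization server's 302 in the
    implicit grant and return the token fields carried in the URI fragment."""
    parts = urlsplit(location)
    # The token belongs in the fragment, which the user-agent keeps to itself;
    # a token in the query would be sent to the web-hosted client resource.
    if "access_token" in parse_qs(parts.query):
        raise ImplicitResponseError("access token must be in the fragment, not the query")
    fields = {k: v[0] for k, v in parse_qs(parts.fragment).items()}
    state = fields.get("state")
    # state is REQUIRED in both success and error responses; check it first.
    if state is None or not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ImplicitResponseError("state mismatch: response not tied to this request")
    if "error" in fields:
        error = fields["error"] if fields["error"] in ERROR_CODES else "unknown_error"
        raise ImplicitResponseError(f"authorization server returned {error}")
    for required in ("access_token", "token_type"):
        if required not in fields:
            raise ImplicitResponseError(f"missing {required}")
    # The slide's rule: no refresh token in the implicit grant. Treat one as a
    # broken server rather than silently keeping it in the browser.
    if "refresh_token" in fields:
        raise ImplicitResponseError("a refresh token must not be issued in the implicit grant")
    if "expires_in" in fields:
        try:
            fields["expires_in"] = int(fields["expires_in"])
        except ValueError:
            raise ImplicitResponseError("expires_in is not an integer")
    return fields
```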
Resource Owner Password Credentials Grant
- Suitable in cases where the resource owner has a trust relationship with the
client, such as the device operating system or a highly privileged application.
- Can only be used when the client is able to retrieve the resource owner’s
credentials (using a form).
- Also used to migrate existing clients that rely on direct authentication
schemes such as HTTP Basic or Digest to OAuth, by converting the stored credentials to
an access token.
ROPC Grant
FLOW
A. The Resource Owner provides the client with their username and password.
B. The client requests an access token with the Resource Owner’s credentials
from the authorization server’s token endpoint. The client authenticates with
the authorization server as well.
C. The authorization server authenticates the client and validates the
credentials. If valid, it issues the access token.
ROPC Grant
AUTHORIZATION REQUEST AND RESPONSE
- The method of obtaining the resource owner credentials is left up to the
implementation.
- The client must discard the credentials as soon as the access token is
obtained.
ROPC Grant
ACCESS TOKEN REQUEST
- The client makes a request to the token endpoint with the following parameters:
  - grant_type (REQUIRED) must be set to “password”
  - username (REQUIRED)
  - password (REQUIRED)
  - scope (OPTIONAL)
- If the client type is confidential or the client was issued credentials, the client must authenticate
with the authorization server (ref. “Client Authentication”).
Example:
POST /token HTTP/1.1
Host: server.example.com
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded

grant_type=password&username=johndoe&password=A3ddj3w
ROPC Grant
ACCESS TOKEN REQUEST - Continued
- The Authorization Server must:
1. require client authentication for confidential clients or for clients that were issued
credentials
2. authenticate the client
3. validate the resource owner’s password credentials using its existing password
validation algorithm
- The server should protect the endpoint against attacks (e.g. by rate limiting,
generating alerts, …)
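An added Python example (not the deck's code) of the server-side rules above: the resource owner's password is checked against a salted PBKDF2 digest with a constant-time comparison, failed attempts per username are counted in a sliding window, and a username that exceeds the limit is refused and raises an alert. The class and method names are assumptions, the endpoint assumes client authentication has already been performed and receives the authenticated client_id, and the username and password in the test are the slide's example values.

```python
import hashlib
import hmac
import os
import secrets
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple

PBKDF2_ITERATIONS = 50_000  # assumed work factor; tune for the deployment


class TokenError(Exception):
    """Carries the token-endpoint error code to return to the client."""


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


class UserStore:
    """Constructed user store: salted PBKDF2 digests, never plaintext passwords."""

    def __init__(self) -> None:
        self._users: Dict[str, Tuple[bytes, bytes]] = {}

    def add(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[username] = (salt, _derive(password, salt))

    def verify(self, username: str, password: str) -> bool:
        record = self._users.get(username)
        if record is None:
            _derive(password, b"\x00" * 16)  # same cost for unknown users
            return False
        salt, digest = record
        return hmac.compare_digest(_derive(password, salt), digest)


class FailureRateLimiter:
    """Blocks a key once it has accumulated too many failures in a sliding window."""

    def __init__(self, max_failures: int, window_seconds: float) -> None:
        self.max_failures = max_failures
        self.window = window_seconds
        self._failures: Dict[str, Deque[float]] = defaultdict(deque)

    def _prune(self, key: str, now: float) -> Deque[float]:
        q = self._failures[key]
        while q and now - q[0] > self.window:
            q.popleft()
        return q

    def blocked(self, key: str, now: float) -> bool:
        return len(self._prune(key, now)) >= self.max_failures

    def record_failure(self, key: str, now: float) -> None:
        self._prune(key, now).append(now)


class PasswordGrantEndpoint:
    """Token endpoint for grant_type=password. The client is assumed to have
    been authenticated already and is identified by client_id."""

    def __init__(self, users: UserStore, limiter: FailureRateLimiter) -> None:
        self.users = users
        self.limiter = limiter
        self.alerts: List[str] = []  # stand-in for the real alerting channel

    def token(self, client_id: str, form: dict, now: float) -> dict:
        if form.get("grant_type") != "password":
            raise TokenError("unsupported_grant_type")
        username = form.get("username", "")
        password = form.get("password", "")
        if not username or not password:
            raise TokenError("invalid_request")
        # Refuse before touching the password store once the limit is hit,
        # and tell someone: repeated failures on one account are a signal.
        if self.limiter.blocked(username, now):
            self.alerts.append(f"client {client_id}: password grant for {username} blocked by rate limit")
            raise TokenError("invalid_grant")
        if not self.users.verify(username, password):
            self.limiter.record_failure(username, now)
            raise TokenError("invalid_grant")
        return {
            "access_token": secrets.token_urlsafe(32),
            "token_type": "Bearer",
            "expires_in": 3600,
            "refresh_token": secrets.token_urlsafe(32),
        }
```

A blocked and a wrong-password attempt both return invalid_grant so that the response does not reveal whether the account exists or is currently locked; the distinction is logged through the alert instead.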
ROPC Grant
ACCESS TOKEN RESPONSE
- If the authentication process is successful, the authorization server issues an access token and optionally a
refresh token.
Example:
HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache

{
"access_token":"2YotnFZFEjr1zCsicMWpAA",
"token_type":"example",
"expires_in":3600,
"refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA",
"example_parameter":"example_value"
}
Client Credentials Grant
- The client makes a token request using only the client credentials when the
resources are under its control.
- Must only be used with confidential clients
Client Credentials Grant
FLOW
A. The client authenticates with the server and requests a token from the token
endpoint.
B. The server authenticates the client and, if valid, issues an access token.
Client Credentials Grant
AUTHORIZATION REQUEST AND RESPONSE
- Since the client authentication is used as the authorization grant, no
additional authorization request is needed.
Client Credentials Grant
ACCESS TOKEN REQUEST
- The client makes a request to the token endpoint using the following parameters:
  - grant_type (REQUIRED) must be set to “client_credentials”
  - scope (OPTIONAL)
- The client must authenticate with the authorization server (ref. “Client Authentication”).
Example:
POST /token HTTP/1.1
Host: server.example.com
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials
Client Credentials Grant
ACCESS TOKEN RESPONSE
- If the authentication is successful, the access token is issued.
Example:
HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache

{
"access_token":"2YotnFZFEjr1zCsicMWpAA",
"token_type":"example",
"expires_in":3600,
"example_parameter":"example_value"
}
Extension Grants
- The client uses an extension grant type by specifying an absolute URI (defined by the
authorization server) as the value of the “grant_type” parameter of the token endpoint
request, optionally adding further parameters.
Example (using SAML – Security Assertion Markup Language):
POST /token HTTP/1.1
Host: server.example.com
Content-Type: application/x-www-form-urlencoded

grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Asaml2-bearer
    &assertion=PEFzc2VydGlvbiBJc3N1ZUluc3RhbnQ9IjIwMTEtMDU[...]aG5TdGF0ZW1lbnQ-PC9Bc3NlcnRpb24-

 
HARDNESS, FRACTURE TOUGHNESS AND STRENGTH OF CERAMICS
HARDNESS, FRACTURE TOUGHNESS AND STRENGTH OF CERAMICSHARDNESS, FRACTURE TOUGHNESS AND STRENGTH OF CERAMICS
HARDNESS, FRACTURE TOUGHNESS AND STRENGTH OF CERAMICS
 
APPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICS
APPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICSAPPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICS
APPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICS
 
Decoding Kotlin - Your guide to solving the mysterious in Kotlin.pptx
Decoding Kotlin - Your guide to solving the mysterious in Kotlin.pptxDecoding Kotlin - Your guide to solving the mysterious in Kotlin.pptx
Decoding Kotlin - Your guide to solving the mysterious in Kotlin.pptx
 
(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts
(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts
(MEERA) Dapodi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts
 
Call Us -/9953056974- Call Girls In Vikaspuri-/- Delhi NCR
Call Us -/9953056974- Call Girls In Vikaspuri-/- Delhi NCRCall Us -/9953056974- Call Girls In Vikaspuri-/- Delhi NCR
Call Us -/9953056974- Call Girls In Vikaspuri-/- Delhi NCR
 
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...
 
What are the advantages and disadvantages of membrane structures.pptx
What are the advantages and disadvantages of membrane structures.pptxWhat are the advantages and disadvantages of membrane structures.pptx
What are the advantages and disadvantages of membrane structures.pptx
 
Coefficient of Thermal Expansion and their Importance.pptx
Coefficient of Thermal Expansion and their Importance.pptxCoefficient of Thermal Expansion and their Importance.pptx
Coefficient of Thermal Expansion and their Importance.pptx
 
MANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLS
MANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLSMANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLS
MANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLS
 
IMPLICATIONS OF THE ABOVE HOLISTIC UNDERSTANDING OF HARMONY ON PROFESSIONAL E...
IMPLICATIONS OF THE ABOVE HOLISTIC UNDERSTANDING OF HARMONY ON PROFESSIONAL E...IMPLICATIONS OF THE ABOVE HOLISTIC UNDERSTANDING OF HARMONY ON PROFESSIONAL E...
IMPLICATIONS OF THE ABOVE HOLISTIC UNDERSTANDING OF HARMONY ON PROFESSIONAL E...
 
Call Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur Escorts
Call Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur EscortsCall Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur Escorts
Call Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur Escorts
 
Software Development Life Cycle By Team Orange (Dept. of Pharmacy)
Software Development Life Cycle By  Team Orange (Dept. of Pharmacy)Software Development Life Cycle By  Team Orange (Dept. of Pharmacy)
Software Development Life Cycle By Team Orange (Dept. of Pharmacy)
 
Model Call Girl in Narela Delhi reach out to us at 🔝8264348440🔝
Model Call Girl in Narela Delhi reach out to us at 🔝8264348440🔝Model Call Girl in Narela Delhi reach out to us at 🔝8264348440🔝
Model Call Girl in Narela Delhi reach out to us at 🔝8264348440🔝
 
DJARUM4D - SLOT GACOR ONLINE | SLOT DEMO ONLINE
DJARUM4D - SLOT GACOR ONLINE | SLOT DEMO ONLINEDJARUM4D - SLOT GACOR ONLINE | SLOT DEMO ONLINE
DJARUM4D - SLOT GACOR ONLINE | SLOT DEMO ONLINE
 
Internship report on mechanical engineering
Internship report on mechanical engineeringInternship report on mechanical engineering
Internship report on mechanical engineering
 
Architect Hassan Khalil Portfolio for 2024
Architect Hassan Khalil Portfolio for 2024Architect Hassan Khalil Portfolio for 2024
Architect Hassan Khalil Portfolio for 2024
 
Study on Air-Water & Water-Water Heat Exchange in a Finned Tube Exchanger
Study on Air-Water & Water-Water Heat Exchange in a Finned Tube ExchangerStudy on Air-Water & Water-Water Heat Exchange in a Finned Tube Exchanger
Study on Air-Water & Water-Water Heat Exchange in a Finned Tube Exchanger
 
IVE Industry Focused Event - Defence Sector 2024
IVE Industry Focused Event - Defence Sector 2024IVE Industry Focused Event - Defence Sector 2024
IVE Industry Focused Event - Defence Sector 2024
 
Introduction to IEEE STANDARDS and its different types.pptx
Introduction to IEEE STANDARDS and its different types.pptxIntroduction to IEEE STANDARDS and its different types.pptx
Introduction to IEEE STANDARDS and its different types.pptx
 

OAuth 2.0 Obtaining Authorization

  • 2. Grant Types
    1. Authorization Code Grant
    2. Implicit Grant
    3. Resource Owner Password Credentials Grant
    4. Client Credentials Grant
  • 3. Authorization Code Grant
     Used to obtain both Access Tokens and Refresh Tokens
     Optimized for confidential clients
     Redirection-based flow
  • 5. Authorization Code Grant
    FLOW
    A. The resource owner’s user-agent is directed to the authorization endpoint. The client includes:
       Client Identifier
       Requested Scope
       Local State
       Redirection URI
    B. The authorization server authenticates the user via the user-agent and grants or rejects the authorization.
    C. The user-agent is redirected back to the “Redirection URI” with an Authorization Code.
    D. The client requests an access token from the authorization server’s Token Endpoint by presenting the Authorization Code. The client is also authenticated to the server. The client sends the Redirection URI as a means of confirmation.
    E. The authorization server authenticates the client, validates the authorization code, compares the Redirection URI to the one in step C, and returns an Access Token and, optionally, a Refresh Token.
  • 6. Authorization Code Grant
    AUTHORIZATION REQUEST
     The client constructs the request URI by adding the following parameters to the query component of the authorization endpoint URI:
       response_type (REQUIRED) must be set to “code”
       client_id (REQUIRED)
       redirect_uri (OPTIONAL)
       scope (OPTIONAL) the requested scope
       state (RECOMMENDED) a value used by the client to tie the Callback back to its Request
    Example:
    GET /authorize?response_type=code&client_id=s6BhdRkqt3&state=xyz
    &redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb HTTP/1.1
    Host: server.example.com
  • 7. Authorization Code Grant
    AUTHORIZATION RESPONSE
     If the Authorization Server grants the permission, it redirects the client by adding the following to the Redirection URI:
       code (REQUIRED) the generated Authorization Code, which must expire shortly after it has been issued (maximum lifetime: 10 minutes)
       NOTE: This code must only be used once. If the server detects more than one use, it must deny the request and revoke all the tokens previously issued on that code.
       state (REQUIRED) the exact value received in the client request
    Example:
    HTTP/1.1 302 Found
    Location: https://client.example.com/cb?code=SplxlOBeZQQYbYS6WxSbIA
    &state=xyz
  • 8. Authorization Code Grant
    AUTHORIZATION RESPONSE – Error Response
     If the error is caused by a missing or invalid Redirection URI or client identifier, the resource owner is informed and the user-agent is NOT redirected automatically.
     Otherwise the error is delivered on the Redirection URI, which contains:
       error (REQUIRED) ASCII, one of: invalid_request, unauthorized_client, access_denied, unsupported_response_type, invalid_scope, server_error, temporarily_unavailable
       error_description (OPTIONAL) human-readable, ASCII
       error_uri (OPTIONAL) human-readable web page
       state (REQUIRED) same value as in the client request
    Example:
    HTTP/1.1 302 Found
    Location: https://client.example.com/cb?error=access_denied&state=xyz
  • 9. Authorization Code Grant
    ACCESS TOKEN REQUEST
     The client makes a request to the token endpoint with the following parameters:
       grant_type (REQUIRED) must be set to “authorization_code”
       code (REQUIRED) authorization code received from the authorization server
       redirect_uri (REQUIRED) identical value to the one in the authorization request
       client_id (REQUIRED) if the client is not authenticating with the authorization server
    NOTE: If the client type is confidential or the client was issued client credentials, the client must authenticate with the authorization server.
  • 10. Authorization Code Grant
    ACCESS TOKEN REQUEST - Continued
    Example:
    POST /token HTTP/1.1
    Host: server.example.com
    Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
    Content-Type: application/x-www-form-urlencoded
    grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA
    &redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb
  • 11. Authorization Code Grant
    ACCESS TOKEN REQUEST - Continued
     The authorization server must:
       Require client authentication for confidential clients or clients that were issued client credentials
       Authenticate the client if client credentials are included
       Ensure the authorization code was issued to the authenticated client
       If the client is public, verify that the code was issued to the client_id in the request
       Verify that the authorization code is valid (not expired and not already used)
       Ensure that the redirect_uri parameter is present if redirect_uri was included in the initial authorization request, and if included, ensure the values are identical.
  • 12. Authorization Code Grant
    ACCESS TOKEN RESPONSE
    Example of a token response:
    HTTP/1.1 200 OK
    Content-Type: application/json;charset=UTF-8
    Cache-Control: no-store
    Pragma: no-cache
    {
      "access_token":"2YotnFZFEjr1zCsicMWpAA",
      "token_type":"example",
      "expires_in":3600,
      "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA",
      "example_parameter":"example_value"
    }
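Slides 5 to 12 describe the Authorization Code grant as one procedure, and the server-side checks on slide 11 are where most implementation mistakes land. The following is an added example (not code from the deck or from any OAuth library) that models the whole exchange in memory: the client builds the request with a state value and checks it on the callback, the server issues a short-lived single-use code bound to the client and its redirection URI, and the token endpoint performs the slide 11 checks, including revoking earlier tokens when a code is replayed. The registered client, its secret "gX1fBat3bV" (the decoding of the slide's Basic header), the 600-second code lifetime and every code or token value are constructed for the demo; the client id and redirection URI match the slide's examples.

```python
"""Authorization Code grant, modelled end to end (constructed example).

The registered client, its secret, the redirection URI and every code or
token issued here are made up for the demo; the client id and the Basic
header match the slide's values.
"""
import base64
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Hypothetical client registration: one confidential client.
CLIENTS = {
    "s6BhdRkqt3": {
        "secret": "gX1fBat3bV",
        "redirect_uri": "https://client.example.com/cb",
    },
}
CODE_LIFETIME = 600   # codes expire quickly; the slide's maximum is 10 minutes

_codes = {}    # code -> {"client_id", "redirect_uri", "expires", "used", "tokens"}
_tokens = {}   # access_token -> {"client_id", "revoked"}


def build_authorization_url(auth_endpoint, client_id, redirect_uri, state, scope=None):
    """Step A: the client builds the authorization request URI."""
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "state": state}
    if scope:
        params["scope"] = scope
    return auth_endpoint + "?" + urlencode(params)


def issue_authorization_code(client_id, redirect_uri, state, now=None):
    """Step C: after the resource owner approves, redirect back with a short-lived code."""
    now = time.time() if now is None else now
    client = CLIENTS.get(client_id)
    if client is None or redirect_uri != client["redirect_uri"]:
        # Bad client id or redirect URI: inform the user, never redirect to an unverified URI.
        raise ValueError("invalid client_id or redirect_uri")
    code = secrets.token_urlsafe(16)
    _codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                    "expires": now + CODE_LIFETIME, "used": False, "tokens": []}
    return redirect_uri + "?" + urlencode({"code": code, "state": state})


def check_callback(location, expected_state):
    """Client side: bind the callback to the original request via state before using the code."""
    q = parse_qs(urlsplit(location).query)
    if q.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback does not belong to this request")
    if "error" in q:
        raise ValueError("authorization failed: " + q["error"][0])
    return q["code"][0]


def basic_auth_header(client_id, secret):
    """HTTP Basic client authentication header used on the token request."""
    return "Basic " + base64.b64encode(f"{client_id}:{secret}".encode()).decode()


def _authenticate_client(authorization_header):
    """Return the client_id for a valid Basic header, else None."""
    scheme, _, b64 = (authorization_header or "").partition(" ")
    if scheme != "Basic":
        return None
    try:
        client_id, _, secret = base64.b64decode(b64).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    client = CLIENTS.get(client_id)
    if client is None or not hmac.compare_digest(secret.encode(), client["secret"].encode()):
        return None
    return client_id


def token_endpoint(form, authorization_header=None, now=None):
    """Step E: the server-side checks from slide 11; returns a token body or an error body."""
    now = time.time() if now is None else now
    if form.get("grant_type") != "authorization_code":
        return {"error": "unsupported_grant_type"}
    client_id = _authenticate_client(authorization_header)
    if client_id is None:                                   # confidential client must authenticate
        return {"error": "invalid_client"}
    entry = _codes.get(form.get("code"))
    if entry is None or entry["client_id"] != client_id:   # code must belong to this client
        return {"error": "invalid_grant"}
    if entry["used"]:                                       # replay: deny and revoke earlier tokens
        for t in entry["tokens"]:
            _tokens[t]["revoked"] = True
        return {"error": "invalid_grant"}
    if now > entry["expires"]:                              # expired code
        return {"error": "invalid_grant"}
    if form.get("redirect_uri") != entry["redirect_uri"]:   # must equal the authorization request's
        return {"error": "invalid_grant"}
    entry["used"] = True
    access = secrets.token_urlsafe(16)
    _tokens[access] = {"client_id": client_id, "revoked": False}
    entry["tokens"].append(access)
    return {"access_token": access, "token_type": "Bearer",
            "expires_in": 3600, "refresh_token": secrets.token_urlsafe(16)}


def token_is_valid(access_token):
    """Resource-server view: a token revoked after a code replay no longer validates."""
    t = _tokens.get(access_token)
    return t is not None and not t["revoked"]
```

The ordering of the checks matters: client authentication comes first so that an unauthenticated caller learns nothing about whether a code exists, and the replay check runs before the expiry check so that a reused code always triggers revocation of the tokens it already produced.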
  • 13. Implicit Grant
     Used to obtain Access Tokens (not Refresh Tokens)
     Optimized for public clients, which operate at a particular Redirection URI
     Clients are typically implemented in a browser using a scripting language such as JavaScript
     Redirection-based flow
     The client interacts with the user-agent and receives incoming requests via redirection by the server
     As opposed to the Authorization Code grant type, this sends a one-time request to obtain an access token via authorization
     Doesn’t include client authentication and relies on the resource owner’s presence
     The access token is encoded into the redirection URI and exposed to every app residing on the user’s device
  • 15. Implicit Grant
    FLOW
    A. The user-agent is directed to the authorization endpoint. The client includes:
       client_id
       scope
       local_state
       redirection_uri
    B. The authorization server authenticates the resource owner and requests the scope.
    C. The user-agent is redirected to the Redirection URI. The URI contains the access token in the URI fragment.
    D. The user-agent follows the redirection instructions by making a request to the web-hosted client resource.
    E. The web-hosted client resource returns a web page (HTML + script) which accesses the full redirection URI including the fragment.
    F. The user-agent extracts the access token by using the script.
    G. The user-agent passes the access token to the client.
  • 16. Implicit Grant
    AUTHORIZATION REQUEST
     The client forms the request URI by adding the following parameters:
       response_type (REQUIRED) must be set to “token”
       client_id (REQUIRED)
       redirect_uri (OPTIONAL)
       scope (OPTIONAL)
       state (RECOMMENDED)
    Example:
    GET /authorize?response_type=token&client_id=s6BhdRkqt3&state=xyz
    &redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb HTTP/1.1
    Host: server.example.com
  • 17. Implicit Grant
    AUTHORIZATION REQUEST - Continued
     The authorization server validates the parameters and authenticates the resource owner.
     After making a decision to grant or reject the authorization, the user-agent is redirected to the Redirection URI.
  • 18. Implicit Grant
    ACCESS TOKEN RESPONSE
     The Access Token response contains:
       access_token (REQUIRED)
       token_type (REQUIRED) Bearer, MAC, … [case insensitive]
       expires_in (RECOMMENDED) lifetime in seconds
       scope (OPTIONAL)
       state (REQUIRED)
    NOTE: The authorization server must not issue a refresh token!
    Example:
    HTTP/1.1 302 Found
    Location: http://example.com/cb#access_token=2YotnFZFEjr1zCsicMWpAA
    &state=xyz&token_type=example&expires_in=3600
  • 19. Implicit Grant
    ACCESS TOKEN RESPONSE – Error Response
     If the error is caused by a missing or invalid Redirection URI or client identifier, the resource owner is informed and the user-agent is NOT redirected automatically.
     Otherwise the error is delivered in the fragment of the Redirection URI, which contains:
       error (REQUIRED) ASCII, one of: invalid_request, unauthorized_client, access_denied, unsupported_response_type, invalid_scope, server_error, temporarily_unavailable
       error_description (OPTIONAL) human-readable, ASCII
       error_uri (OPTIONAL) human-readable web page
       state (REQUIRED) same value as in the client request
    Example:
    HTTP/1.1 302 Found
    Location: https://client.example.com/cb#error=access_denied&state=xyz
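Slides 15 to 19 put the whole burden of the Implicit grant on the client-side script that reads the fragment, so the parsing rules are worth spelling out in code. The following added example (not code from the deck) parses the Location a user-agent is redirected to, for both the success and the error responses on slides 18 and 19: state is required and must match the value the client generated, token_type is compared case-insensitively, a refresh_token is treated as a server defect, and a token that arrives in the query component rather than the fragment is rejected because the user-agent would have sent it to the server. The ImplicitResponseError class and new_state helper are this example's own names; the URLs in the tests are the slides' examples.

```python
"""Client-side handling of an Implicit grant redirect (constructed example).

The parsing rules (fragment only, state required, no refresh token) follow
slides 15-19; the class and helper names are this example's own.
"""
import secrets
from urllib.parse import parse_qs, urlsplit

# Error codes the slides list for the authorization endpoint.
ERROR_CODES = {"invalid_request", "unauthorized_client", "access_denied",
               "unsupported_response_type", "invalid_scope", "server_error",
               "temporarily_unavailable"}


class ImplicitResponseError(Exception):
    """Raised when the redirect must be rejected rather than trusted."""


def new_state():
    """Unguessable per-request state the client stores before redirecting the user."""
    return secrets.token_urlsafe(16)


def parse_implicit_response(location, expected_state):
    """Parse the Location the user-agent was sent to; return the token or error parameters."""
    parts = urlsplit(location)
    if "access_token" in parse_qs(parts.query):
        # Tokens belong in the fragment, which the user-agent never sends to a server.
        raise ImplicitResponseError("access_token found in query component")
    params = {k: v[0] for k, v in parse_qs(parts.fragment, keep_blank_values=True).items()}

    # state is REQUIRED on success and error alike; drop anything not bound to our request.
    if params.get("state") != expected_state:
        raise ImplicitResponseError("state missing or mismatched")

    if "error" in params:
        if params["error"] not in ERROR_CODES:
            raise ImplicitResponseError("unknown error code: " + params["error"])
        return {"error": params["error"],
                "error_description": params.get("error_description")}

    if "refresh_token" in params:
        # The server must not issue refresh tokens to implicit clients; treat it as broken.
        raise ImplicitResponseError("refresh_token must not be issued with the implicit grant")
    for required in ("access_token", "token_type"):
        if required not in params:
            raise ImplicitResponseError("missing " + required)

    expires_in = None
    if "expires_in" in params:
        try:
            expires_in = int(params["expires_in"])
        except ValueError:
            raise ImplicitResponseError("expires_in is not an integer")

    return {
        "access_token": params["access_token"],
        "token_type": params["token_type"].lower(),    # token_type is case-insensitive
        "expires_in": expires_in,
        "scope": params.get("scope"),
    }
```

In a browser the same checks run over `window.location.hash`; the point of doing the state comparison before looking at any other parameter is that a redirect carrying someone else's token (or an error) is discarded without the client ever acting on it.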
  • 20. Resource Owner Password Credentials Grant
     Suitable in cases where the resource owner has a trust relationship with the client, such as the device operating system or a highly privileged application.
     Can only be used when the client is able to obtain the resource owner’s credentials (using a form).
     Also used to migrate existing clients that use direct authentication schemes such as HTTP Basic or Digest to OAuth, by converting the stored credentials to an access token.
  • 21. Resource Owner Password Credentials Grant
  • 22. ROPC Grant
    FLOW
    A. The Resource Owner provides the client with its username and password.
    B. The client requests an access token with the Resource Owner’s credentials from the authorization server’s token endpoint. The client authenticates with the authorization server as well.
    C. The authorization server authenticates the client and validates the credentials. If valid, it issues the access token.
  • 23. ROPC Grant
    AUTHORIZATION REQUEST AND RESPONSE
     The method of obtaining the resource owner credentials is left up to the implementation.
     The client must discard the credentials as soon as the access token is obtained.
  • 24. ROPC Grant
    ACCESS TOKEN REQUEST
     The client makes a request to the token endpoint with the following parameters:
       grant_type (REQUIRED) must be set to “password”
       username (REQUIRED)
       password (REQUIRED)
       scope (OPTIONAL)
     If the client type is confidential or the client was issued credentials, the client must authenticate with the authorization server (ref. “Client Authentication”).
    Example:
    POST /token HTTP/1.1
    Host: server.example.com
    Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
    Content-Type: application/x-www-form-urlencoded
    grant_type=password&username=johndoe&password=A3ddj3w
  • 25. ROPC Grant
    ACCESS TOKEN REQUEST
     The Authorization Server must:
      1. require client authentication for confidential clients or for clients that were issued credentials
      2. authenticate the client
      3. validate the resource owner’s password credentials using the existing password validation algorithm
     The server should protect the endpoint against brute-force attacks (e.g. using rate limiting, generating alerts, …)
  • 26. ROPC Grant
    ACCESS TOKEN RESPONSE
     If the authentication process is successful, the authorization server issues an access token and optionally a refresh token.
    Example:
    HTTP/1.1 200 OK
    Content-Type: application/json;charset=UTF-8
    Cache-Control: no-store
    Pragma: no-cache
    {
      "access_token":"2YotnFZFEjr1zCsicMWpAA",
      "token_type":"example",
      "expires_in":3600,
      "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA",
      "example_parameter":"example_value"
    }
  • 27. Client Credentials Grant
     The client makes a token request using only its client credentials when the resources are under its own control.
     Must only be used with confidential clients
  • 29. Client Credentials Grant
    FLOW
    A. The client authenticates with the server and requests a token from the token endpoint.
    B. The server authenticates the client and, if valid, issues an access token.
  • 30. Client Credentials Grant
    AUTHORIZATION REQUEST AND RESPONSE
     Since the client authentication is used as the authorization grant, no additional authorization request is needed.
  • 31. Client Credentials Grant
    ACCESS TOKEN REQUEST
     The client makes a request to the token endpoint using the following parameters:
       grant_type (REQUIRED) must be set to “client_credentials”
       scope (OPTIONAL)
     The client must authenticate with the authorization server (ref. “Client Authentication”).
    Example:
    POST /token HTTP/1.1
    Host: server.example.com
    Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
    Content-Type: application/x-www-form-urlencoded
    grant_type=client_credentials
  • 32. Client Credentials Grant
    ACCESS TOKEN RESPONSE
     If the authentication is successful, the access token is issued.
    Example:
    HTTP/1.1 200 OK
    Content-Type: application/json;charset=UTF-8
    Cache-Control: no-store
    Pragma: no-cache
    {
      "access_token":"2YotnFZFEjr1zCsicMWpAA",
      "token_type":"example",
      "expires_in":3600,
      "example_parameter":"example_value"
    }
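The ROPC grant (slides 22 to 26) and the Client Credentials grant (slides 29 to 32) both go straight to the token endpoint with nothing but a form and client authentication, so one endpoint can serve both and the differences show up as branches. The following added example (not code from the deck or from any OAuth library) implements that endpoint: HTTP Basic client authentication with a constant-time secret comparison, refusal of client_credentials to anything but an authenticated confidential client, password validation through a salted PBKDF2 store standing in for the "existing password validation algorithm" on slide 25, and the rate limiting and alerting that slide recommends. The client registrations (including a hypothetical public client "publicapp01"), the user store, the 5-failures-per-300-seconds policy and the token values are constructed; the client id, the secret "gX1fBat3bV" (the decoding of the slides' Basic header) and the johndoe / A3ddj3w credentials come from the slides' examples.

```python
"""Token endpoint for the Resource Owner Password Credentials and Client
Credentials grants (constructed example).

Clients, users and the password store are made up; the client id, Basic
header and johndoe / A3ddj3w come from the slides' examples.
"""
import base64
import hashlib
import hmac
import os
import secrets
import time
from collections import defaultdict, deque

CLIENTS = {
    "s6BhdRkqt3": {"secret": "gX1fBat3bV", "confidential": True},
    "publicapp01": {"secret": None, "confidential": False},   # hypothetical public client
}


def _hash_password(password, salt):
    """Stands in for the deployment's existing password validation algorithm."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


_SALT = os.urandom(16)
USERS = {"johndoe": (_SALT, _hash_password("A3ddj3w", _SALT))}   # constructed user store

MAX_FAILURES = 5     # failed attempts per (client, username) ...
WINDOW = 300         # ... within this many seconds before the pair is locked out
_failures = defaultdict(deque)
_alerts = []


def basic_auth_header(client_id, secret):
    """Build the Authorization header a confidential client sends."""
    return "Basic " + base64.b64encode(f"{client_id}:{secret}".encode()).decode()


def _authenticate_client(header):
    """Return the client_id for a valid Basic header, else None."""
    scheme, _, b64 = (header or "").partition(" ")
    if scheme != "Basic":
        return None
    try:
        client_id, _, secret = base64.b64decode(b64).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    client = CLIENTS.get(client_id)
    if client is None or client["secret"] is None:
        return None
    return client_id if hmac.compare_digest(secret.encode(), client["secret"].encode()) else None


def _rate_limited(key, now):
    q = _failures[key]
    while q and q[0] < now - WINDOW:      # forget failures outside the window
        q.popleft()
    return len(q) >= MAX_FAILURES


def _record_failure(key, now):
    _failures[key].append(now)
    if len(_failures[key]) == MAX_FAILURES:
        _alerts.append((now, key))        # hand-off point for an alerting pipeline


def pending_alerts():
    return list(_alerts)


def _verify_password(username, password):
    rec = USERS.get(username)
    if rec is None:
        _hash_password(password, b"\0" * 16)   # same cost for unknown users
        return False
    salt, stored = rec
    return hmac.compare_digest(_hash_password(password, salt), stored)


def _issue_token(with_refresh):
    body = {"access_token": secrets.token_urlsafe(16), "token_type": "Bearer", "expires_in": 3600}
    if with_refresh:
        body["refresh_token"] = secrets.token_urlsafe(16)
    return body


def token_endpoint(form, authorization_header=None, now=None):
    """Dispatch on grant_type; returns the JSON body the server would send."""
    now = time.time() if now is None else now
    grant = form.get("grant_type")
    client_id = _authenticate_client(authorization_header)
    if authorization_header is not None and client_id is None:
        return {"error": "invalid_client"}             # credentials presented but wrong

    if grant == "client_credentials":
        if client_id is None:                          # only authenticated confidential clients
            return {"error": "invalid_client"}
        return _issue_token(with_refresh=False)

    if grant == "password":
        if client_id is None:                          # public client: client_id comes in the form
            client_id = form.get("client_id")
            if client_id not in CLIENTS or CLIENTS[client_id]["confidential"]:
                return {"error": "invalid_client"}
        username = form.get("username", "")
        key = (client_id, username)
        if _rate_limited(key, now):
            return {"error": "invalid_grant", "error_description": "too many failed attempts"}
        if not _verify_password(username, form.get("password", "")):
            _record_failure(key, now)
            return {"error": "invalid_grant"}
        return _issue_token(with_refresh=True)

    return {"error": "unsupported_grant_type"}
```

The rate limit is keyed on the (client, username) pair rather than on the client alone, so a single misbehaving client cannot lock every user out, and the lockout check happens before the password hash is computed so that a locked pair costs the server nothing. Note that the Client Credentials branch never issues a refresh token: a client that can authenticate itself can simply request a new access token.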
  • 33. Extension Grants
     The client uses an extension grant type by specifying an absolute URI (defined by the authorization server) as the value of the “grant_type” parameter of the token endpoint, optionally adding further parameters.
    Example (using SAML – Security Assertion Markup Language):
    POST /token HTTP/1.1
    Host: server.example.com
    Content-Type: application/x-www-form-urlencoded
    grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Asaml2-bearer&assertion=PEFzc2VydGlvbiBJc3N1ZUluc3RhbnQ9IjIwMTEtMDU[...]aG5TdGF0ZW1lbnQ-PC9Bc3NlcnRpb24-