(3) OAuth 2.0 Protocol Endpoints
•Download as PPTX, PDF•
0 likes•235 views
This is the thrd part of the summary of the OAuth 2.0 protocol based on RFC6749.
Recommended
More Related Content
Viewers also liked
Similar to (3) OAuth 2.0 Protocol Endpoints
Similar to (3) OAuth 2.0 Protocol Endpoints (20)
Recently uploaded
Recently uploaded (20)
(3) OAuth 2.0 Protocol Endpoints
- 2. Protocol Endpoints AUTHENTICATION SERVER ENDPOINTS Authorization Endpoint Used by the client to obtain authorization from the user via user-agent Token Endpoint Used by the client to exchange and authorization grant for an access token (with client authentication) CLIENT ENDPOINTS Redirection Endpoint Used by the authorization server to return responses with authorization credentials to the client via the user-agent
- 3. Authorization Endpoint Used to interact with the user to obtain authorization grant. User is authenticated (usually username/password) The location of the authorization endpoint is left up to implementation. URI may contain query components but cannot contain fragment components.
- 4. Authorization Endpoint RESPONSE TYPE The client informs the authorization server of the desired grant type: response_type = “code” (for requesting an authorization code) response_type = “token” (for requesting an access token)
- 5. Authorization Endpoint REDIRECTION ENDPOINT The user is redirected back to the redirect endpoint established during client registration or during authorization process. Redirection endpoint URI must be absolute, can contain query components, but cannot contain fragment components. Should require the use of TLS Every client should register their redirection endpoint prior to using authorization endpoint, otherwise attackers may use the authorization endpoints as open redirector. Clients can have multiple redirection points, but when they request authorization they must use “redirect_uri” request parameter. The authorization server must compare the redirect_uri value with the values obtained during client registration.
- 6. Authorization Endpoint REDIRECTION ENDPOINT (Continued) In case of URI error, user should not be redirected, but rather receive an error message. Redirection endpoint will result in an HTML document which should not include third-party scripts.
- 7. Token Endpoint Used by the client to obtain an access token using authorization code / refresh token. Cannot be used with implicit grant types. Token endpoint location is up to the implementation. The client must use POST method to request access tokens.
- 8. Token Endpoint CLIENT AUTHENTICATION Used for: Enforcing the binding of refresh tokens and authorization codes to the client. Recovering a client by changing the credentials / disabling the client. Thus there is no need for revoking the whole set of refresh tokens. Makes mandatory the rotation of client credentials. A client may use “client_id” request parameter to identify itself when sending requests to token endpoints. A client must use “client_id” when using “authorization_code” and “grant_type” requests to the token endpoint.
- 9. Access Token Scope Client request a certain scope with the “scope” request parameter, and the authorization server responses with the authorized scope by the “scope” request parameter as well. The authorization server may grant full requested scope or limit it according to policies. If the client doesn’t send a “scope” parameter, the server should use a default value. Its values are expressed as a list of space delimited, case-sensitive strings where order doesn’t matter. The strings are defined by the authorization server.