3. 3
Pre-OAuth era
If you wanted a third-party service to send an invitation to
everyone in your email address book, you had to hand that
service your account credentials (username and password).
This could not work at all if two-factor authentication
was enabled on the account.
If it did work, the third party held your full credentials and
therefore had access to every other service tied to the
account, such as Wallet or Pictures, not just the address book.
4. 4
Glossary of OAuth terms
● Resource owner (a.k.a. the User) - An entity capable of granting access to a protected resource.
When the resource owner is a person, it is referred to as an end-user.
● Resource server (a.k.a. the API server) - The server hosting the protected resources, capable of
accepting and responding to protected resource requests using access tokens.
● Client - An application making protected resource requests on behalf of the resource owner and
with its authorization. The term client does not imply any particular implementation characteristics
(e.g. whether the application executes on a server, a desktop, or other devices).
● Authorization server - The server issuing access tokens to the client after successfully
authenticating the resource owner and obtaining authorization.
5. 5
How does it work with OAuth?
(Diagram: User, Client, Protected Resource, OAuth2 server)
6. 6
OAuth Endpoints
Authorization Endpoint
The authorization endpoint is the endpoint on the authorization
server where the resource owner logs in, and grants
authorization to the client application.
Token Endpoint
The token endpoint is the endpoint on the authorization server
where the client application exchanges the authorization code,
client ID and client secret, for an access token.
7. 7
OAuth grant types
● Authorization code grant
● Implicit grant
● Resource owner credentials grant
● Client credentials grant
● Refresh token grant
8. 8
Authorization code grant
Sequence diagram lanes: Browser, Client, Protected Resource, OAuth server
1. Get mail
2. Get mail
3. Get mail
4. Not authorized
5. Redirect to OAuth
6. Open OAuth page
7. Login page
8. Ask credentials
9. Puts credentials
10. Puts credentials
11. Redirect to client
12. Get mail
13. Get access token
14. Return access token
15. Get mail
16. Return mail
17. Return mail
18. Return mail
9. 9
Authorization Request
The authorization request is sent to the authorization endpoint to obtain an
authorization code. Here are the parameters used in the request:
● response_type Required. Must be set to code.
● client_id Required. The client identifier as assigned by the authorization server
when the client was registered.
● redirect_uri Optional. The redirect URI registered by the client; if given, it must match
a registered value.
● scope Optional. The scope of access the client is requesting.
● state Optional (recommended). An opaque value chosen by the client that the authorization
server passes back unchanged on the redirect to the client; the client compares it with the value
it sent to tie the response to the original request and mitigate CSRF.
10. 10
Token Request
The token request is sent to the token endpoint to exchange the authorization code for an
access token. Here are the parameters used in the request:
● client_id Required. The client application's id.
● client_secret Required. The client application's client secret.
● grant_type Required. Must be set to authorization_code.
● code Required. The authorization code received from the authorization server.
● redirect_uri Required if the redirect_uri parameter was included in the authorization
request, and then it must be identical to that value.
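The authorization request and token request above, run end to end in one process, as an added example that is not code from the slides. It implements both sides of the authorization code grant: a toy in-memory authorization server that validates the client, the registered redirect_uri and response_type, issues a one-time code, and exchanges it at the token endpoint only when client_secret, code and redirect_uri all check out; and a client that builds the authorization URL, verifies the echoed state before using the code, and sends the token request. The hostnames, the "mailapp" client registration, its secret and the scope name are all constructed for the example.

```python
"""Toy OAuth 2.0 authorization-code exchange, client and authorization server
side by side. Illustrative code only; endpoints, client registration, secret
and scope values are made up for the example."""
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed client registration (assumption: one confidential client).
REGISTERED_CLIENTS = {
    "mailapp": {
        "client_secret": "s3cr3t-example",
        "redirect_uris": {"https://mailapp.example/callback"},
    },
}

AUTHORIZE_URL = "https://oauth.example/authorize"   # authorization endpoint (made up)
TOKEN_URL = "https://oauth.example/token"           # token endpoint (made up)


class AuthorizationServer:
    """Minimal in-memory authorization server: issues one-time authorization
    codes and exchanges them for access tokens."""

    def __init__(self):
        self._codes = {}   # code -> (client_id, redirect_uri, scope)
        self.tokens = {}   # access_token -> (client_id, scope)

    def authorize(self, query, user_approved):
        """Authorization endpoint. `query` holds the parsed request parameters;
        `user_approved` stands in for the login and consent screens.
        Returns the parameters appended to the redirect back to the client."""
        client = REGISTERED_CLIENTS.get(query.get("client_id"))
        if client is None:
            raise ValueError("unknown client_id")
        redirect_uri = query.get("redirect_uri")
        # Only a registered redirect_uri may receive the code; anything else
        # would let an attacker steer the code to a URL they control.
        if redirect_uri not in client["redirect_uris"]:
            raise ValueError("redirect_uri not registered")
        state = query.get("state", "")
        if query.get("response_type") != "code":
            return {"error": "unsupported_response_type", "state": state}
        if not user_approved:
            return {"error": "access_denied", "state": state}
        code = secrets.token_urlsafe(24)
        self._codes[code] = (query["client_id"], redirect_uri, query.get("scope", ""))
        return {"code": code, "state": state}   # state is echoed back unchanged

    def token(self, form):
        """Token endpoint for the authorization_code grant."""
        client = REGISTERED_CLIENTS.get(form.get("client_id"))
        if client is None or client["client_secret"] != form.get("client_secret"):
            return {"error": "invalid_client"}
        if form.get("grant_type") != "authorization_code":
            return {"error": "unsupported_grant_type"}
        entry = self._codes.pop(form.get("code"), None)   # codes are single use
        if entry is None:
            return {"error": "invalid_grant"}
        code_client, code_redirect, scope = entry
        # The code must be redeemed by the client it was issued to, with the
        # same redirect_uri that was used in the authorization request.
        if code_client != form["client_id"] or code_redirect != form.get("redirect_uri"):
            return {"error": "invalid_grant"}
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (code_client, scope)
        return {"access_token": token, "token_type": "Bearer", "scope": scope}


def build_authorization_url(client_id, redirect_uri, scope, state):
    """Client side: the redirect to the authorization endpoint."""
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": scope, "state": state}
    return AUTHORIZE_URL + "?" + urlencode(params)


def parse_callback(callback_url, expected_state):
    """Client side: the browser comes back; verify state before using the code."""
    q = {k: v[0] for k, v in parse_qs(urlsplit(callback_url).query).items()}
    if not secrets.compare_digest(q.get("state", ""), expected_state):
        raise ValueError("state mismatch: possible CSRF, discarding response")
    if "error" in q:
        raise ValueError("authorization failed: " + q["error"])
    return q["code"]


def run_flow(server, user_approved=True):
    """Drive one complete exchange and return the token endpoint's response."""
    client_id, redirect_uri = "mailapp", "https://mailapp.example/callback"
    state = secrets.token_urlsafe(16)
    auth_url = build_authorization_url(client_id, redirect_uri, "mail.read", state)
    query = {k: v[0] for k, v in parse_qs(urlsplit(auth_url).query).items()}
    redirect_params = server.authorize(query, user_approved)     # user logs in, consents
    callback = redirect_uri + "?" + urlencode(redirect_params)  # redirect to client
    code = parse_callback(callback, state)
    # Back-channel token request: the client secret never passes through the browser.
    return server.token({"grant_type": "authorization_code", "code": code,
                         "redirect_uri": redirect_uri, "client_id": client_id,
                         "client_secret": REGISTERED_CLIENTS[client_id]["client_secret"]})


if __name__ == "__main__":
    print(run_flow(AuthorizationServer()))
```

The checks that matter in practice are the ones that reject: a redirect_uri that was not registered, a code presented twice, a code presented with a different redirect_uri or by a different client, and a callback whose state does not match what the client stored in the user's session.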
12. 12
Implicit grant
Sequence diagram lanes: Browser, Client, Protected Resource, OAuth server
1. Get mail
2. Get mail
3. Get mail
4. Not authorized
5. Redirect to OAuth
6. Open OAuth page
7. Login page
8. Ask credentials
9. Puts credentials
10. Puts credentials
11. Redirect to client
12. Get mail
13. Get mail
14. Return mail
15. Return mail
16. Return mail
14. 14
Resource owner credentials grant
Sequence diagram lanes: Browser, Client, Protected Resource, OAuth server
1. Get mail
2. Get mail
3. Get mail
4. Not authorized
5. Redirect to login page
6. Ask credentials
7. Puts credentials
8. Pass credentials
9. Get token
10. Return token
11. Get mail
12. Return mail
13. Return mail
14. Return mail
16. 16
Client credentials grant
Sequence diagram lanes: Browser, Client, Protected Resource, OAuth server
1. Get mail
2. Get mail
4. Get token
5. Return token
6. Get mail
7. Return mail
9. Return mail
10. Return mail