The document provides an overview of the OAuth 2.0 authorization framework, including definitions of key actors (resource owner, resource server, authorization server, client), grant types (authorization code, implicit, resource owner password credentials, client credentials), and protocol flows. It describes the authorization endpoint, token endpoint, common request/response parameters, and how to obtain and refresh access tokens.
The DID Report 1: The First Official W3C DID Working Group Meeting (Japan)- D...SSIMeetup
https://ssimeetup.org/did-report-1-first-official-w3c-did-working-group-meeting-japan-drummond-reed-webinar-36/
The DID Report 1 about the First Meeting of the New W3C DID Working Group with Drummond Reed, co-author of the W3C DID specification, and Markus Sabadello from Danube Tech. Headline news in SSI land: this month W3C members approved forming a full W3C Working Group for Decentralized Identifiers (DIDs).
DID spec co-author Drummond Reed has been in Fukuoka Japan for the first official meeting of this new Working Group and he will share highlights of the meeting and the roadmap for taking DIDs to a full Web standard.
OpenID for Verifiable Credentials is a family of protocols supporting implementation of applications with Verifiable Credentials, i.e. verifiable credential issuance, credential presentation, and pseudonyms authentication.
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...Torsten Lodderstedt
This deck gives an overview of OpenID 4 Verifiable Credentials and shows how the specs can be tailored to the needs of a certain category of projects/ecosystems.
OpenID Connect 4 SSI is an initiative conducted at OpenID Foundation in liaison with the Decentralized Identity Foundation. It aims at specifying a set of protocols based on OpenID Connect to enable SSI applications.
The DID Report 1: The First Official W3C DID Working Group Meeting (Japan)- D...SSIMeetup
https://ssimeetup.org/did-report-1-first-official-w3c-did-working-group-meeting-japan-drummond-reed-webinar-36/
The DID Report 1 about the First Meeting of the New W3C DID Working Group with Drummond Reed, co-author of the W3C DID specification, and Markus Sabadello from Danube Tech. Headline news in SSI land: this month W3C members approved forming a full W3C Working Group for Decentralized Identifiers (DIDs).
DID spec co-author Drummond Reed has been in Fukuoka Japan for the first official meeting of this new Working Group and he will share highlights of the meeting and the roadmap for taking DIDs to a full Web standard.
OpenID for Verifiable Credentials is a family of protocols supporting implementation of applications with Verifiable Credentials, i.e. verifiable credential issuance, credential presentation, and pseudonyms authentication.
How to Build Interoperable Decentralized Identity Systems with OpenID for Ver...Torsten Lodderstedt
This deck gives an overview of OpenID 4 Verifiable Credentials and shows how the specs can be tailored to the needs of a certain category of projects/ecosystems.
OpenID Connect 4 SSI is an initiative conducted at OpenID Foundation in liaison with the Decentralized Identity Foundation. It aims at specifying a set of protocols based on OpenID Connect to enable SSI applications.
W3C - Web Authentication API by Korea ETRI (Electronics and Telecommunication Research Institute)
- Presented at FIDO Technical Seminar on July 16th, 2018
Decentralized Identifiers (DIDs): The Fundamental Building Block of Self-Sove...SSIMeetup
Drummond Reed, Chief Trust Officer at Evernym, will explain in our second Webinar "Decentralized Identifiers (DIDs) - Building Block of Self-Sovereign Identity (SSI)" giving us the background on how DIDs work, where they come from and why they are important for Blockchain based Digital Identity.
What is a Verifiable Credential, and Why Does it Matter?
https://identiverse.com/idv2022/session/841421/
"A verifiable credential (VC) is an assertion with a secret weapon – called a verifiable presentation (VP). VCs and VPs are unique in that they enable users to directly hold and present claims about themselves, issued by many different authorities. This is an important addition to the domain-relative credentials that are presented today as part of federated sign-in or SSO contexts. You may ask – why is that direct presentation important? Kristina Yasuda will talk through how VCs and VPs work, what makes VCs different from common federated credentials, and what VCs could change about how we interact with data in the future."
This slide deck gives an introduction to OAuth 2.0, starting with some concepts, explaining the flow plus a few hints. The reminder of the slides are about implementing an OAuth 2.0 server using the Apache Amber library (renamed to Apache Oltu lately). My impression is that many developers shy away as soon as they hear "security" and so I did not only want to talk about the concepts of OAuth 2.0 but also wanted to show how easily you can implement an OAuth 2.0 server ... hope it reduces the fear of contact a bit ... ;-)
It seems that OAuth 2.0 is everywhere these days. Whether you are building a hot new single page web application (SPA), a native mobile experience, or just trying to integrate with the API economy, you can't go far without running into the popular authorization framework for REST/APIs and social authentication.
During Oktane15 (https://www.okta.com/oktane15/), Karl McGuinness, our Senior Director of Identity, demystified the powerful, yet often misunderstood, world of OAuth 2.0 and shared details on Okta’s growing support for OpenID Connect.
What the Heck is OAuth and OIDC - UberConf 2018Matt Raible
OAuth is not an API or a service: it is an open standard for authorization and any developer can implement it. OAuth is a standard that applications can use to provide client applications with “secure delegated access”. OAuth works over HTTPS and authorizes devices, APIs, servers, and applications with access tokens rather than credentials, which we will go over in depth below. OpenID Connect (OIDC) is built on top of the OAuth 2.0 protocol. It allows clients to verify the identity of the user and to obtain their basic profile information.
This session covers how OAuth 2.0 and OIDC work, when to use them, and frameworks/services that simplify authentication.
Blog: https://developer.okta.com/blog/2017/06/21/what-the-heck-is-oauth
Online Tools:
- https://oauth.com/playground
- https://oauthdebugger.com
- https://oidcdebugger.com
Never Build Auth Again → https://developer.okta.com
Companion slides for Stormpath CTO and Co-Founder Les REST API Security Webinar. This presentation covers all the RESTful best practices learned building the Stormpath APIs. This webinar is full of best practices learned building the Stormpath API and supporting authentication for thousands of projects. Topics Include:
- HTTP Authentication
- Choosing a Security Protocol
- Generating & Managing API Keys
- Authorization & Scopes
- Token Authentication with JSON Web Tokens (JWTs)
- Much more...
Stormpath is a User Management API that reduces development time with instant-on, scalable user infrastructure. Stormpath's intuitive API and expert support make it easy for developers to authenticate, manage and secure users and roles in any application.
An introduction to OAuth2 and OpenID Connect intended for a technical audience. This covers terminology, core concepts, and all the core grants/flows for OAuth2 and OpenID Connect
This presentation gives an overview on the work that is going on at OpenID Foundation in Liaison with Decentralized Identity Foundation to enable SSI applications based on OpenID Connect.
W3C - Web Authentication API by Korea ETRI (Electronics and Telecommunication Research Institute)
- Presented at FIDO Technical Seminar on July 16th, 2018
Decentralized Identifiers (DIDs): The Fundamental Building Block of Self-Sove...SSIMeetup
Drummond Reed, Chief Trust Officer at Evernym, will explain in our second Webinar "Decentralized Identifiers (DIDs) - Building Block of Self-Sovereign Identity (SSI)" giving us the background on how DIDs work, where they come from and why they are important for Blockchain based Digital Identity.
What is a Verifiable Credential, and Why Does it Matter?
https://identiverse.com/idv2022/session/841421/
"A verifiable credential (VC) is an assertion with a secret weapon – called a verifiable presentation (VP). VCs and VPs are unique in that they enable users to directly hold and present claims about themselves, issued by many different authorities. This is an important addition to the domain-relative credentials that are presented today as part of federated sign-in or SSO contexts. You may ask – why is that direct presentation important? Kristina Yasuda will talk through how VCs and VPs work, what makes VCs different from common federated credentials, and what VCs could change about how we interact with data in the future."
This slide deck gives an introduction to OAuth 2.0, starting with some concepts, explaining the flow plus a few hints. The reminder of the slides are about implementing an OAuth 2.0 server using the Apache Amber library (renamed to Apache Oltu lately). My impression is that many developers shy away as soon as they hear "security" and so I did not only want to talk about the concepts of OAuth 2.0 but also wanted to show how easily you can implement an OAuth 2.0 server ... hope it reduces the fear of contact a bit ... ;-)
It seems that OAuth 2.0 is everywhere these days. Whether you are building a hot new single page web application (SPA), a native mobile experience, or just trying to integrate with the API economy, you can't go far without running into the popular authorization framework for REST/APIs and social authentication.
During Oktane15 (https://www.okta.com/oktane15/), Karl McGuinness, our Senior Director of Identity, demystified the powerful, yet often misunderstood, world of OAuth 2.0 and shared details on Okta’s growing support for OpenID Connect.
What the Heck is OAuth and OIDC - UberConf 2018Matt Raible
OAuth is not an API or a service: it is an open standard for authorization and any developer can implement it. OAuth is a standard that applications can use to provide client applications with “secure delegated access”. OAuth works over HTTPS and authorizes devices, APIs, servers, and applications with access tokens rather than credentials, which we will go over in depth below. OpenID Connect (OIDC) is built on top of the OAuth 2.0 protocol. It allows clients to verify the identity of the user and to obtain their basic profile information.
This session covers how OAuth 2.0 and OIDC work, when to use them, and frameworks/services that simplify authentication.
Blog: https://developer.okta.com/blog/2017/06/21/what-the-heck-is-oauth
Online Tools:
- https://oauth.com/playground
- https://oauthdebugger.com
- https://oidcdebugger.com
Never Build Auth Again → https://developer.okta.com
Companion slides for Stormpath CTO and Co-Founder Les REST API Security Webinar. This presentation covers all the RESTful best practices learned building the Stormpath APIs. This webinar is full of best practices learned building the Stormpath API and supporting authentication for thousands of projects. Topics Include:
- HTTP Authentication
- Choosing a Security Protocol
- Generating & Managing API Keys
- Authorization & Scopes
- Token Authentication with JSON Web Tokens (JWTs)
- Much more...
Stormpath is a User Management API that reduces development time with instant-on, scalable user infrastructure. Stormpath's intuitive API and expert support make it easy for developers to authenticate, manage and secure users and roles in any application.
An introduction to OAuth2 and OpenID Connect intended for a technical audience. This covers terminology, core concepts, and all the core grants/flows for OAuth2 and OpenID Connect
This presentation gives an overview on the work that is going on at OpenID Foundation in Liaison with Decentralized Identity Foundation to enable SSI applications based on OpenID Connect.
Обзор протокола OAuth 2.0. Способы внедрения в различные типы приложенийVitebsk Miniq
Презентация подготовлена по материалам выступления Максима Дадеркина на Vitebsk MiniQ #1 “Организация аутентифицированного доступа к web-приложениям и REST – средства, методы и протоколы” (29.01.2014).
LASCON: Three Profiels of OAuth2 for Identity and Access ManagementMike Schwartz
OAuth2, OpenID Connect and UMA: three technologies that can be used by organizations to control access to resources in the enterprise. I used these slides as a jumping point for a conversation at LASCON, a content rich conference sponsored by OWASP in Austin, TX.
A Survey on SSO Authentication protocols: Security and PerformanceAmin Saqi
In this document we survey some of Single-Sign-On web authentication protocols and compare their security and performance. In this survey we concentrate on OAuth 2.0 Authorization Framework, OpenID Connect 1.0, Central Authentication Service (CAS) 3.0 and Security Assertion Markup Language (SAML) 2.0 protocols.
Enterprise API adoption has gone beyond predictions. It has become the 'coolest' way of exposing business functionalities to the outside world. Both your public and private APIs, need to be protected, monitored and managed.
This session focuses on API Security. There are so many options out there to make someone easily confused. When to select one over the other is always a question - and you need to deal with it quite carefully to identify and isolate the tradeoffs. Security is not an afterthought. It has to be an integral part of any development project - so as for APIs. API security has evolved a lot in last five years. This talk covers best practices in building an API Security Ecosystem with OAuth 2.0, UMA, SCIM, XACML and LDAP.
APIs are now the standard entry point to the majority of newly created ‘back-end’ functionality. These APIs exist to provide not only a standardized, structured way to access the required features or functions, but also to act as ‘gatekeepers’, ensuring appropriate security, auditing, accounting etc. Security is always underpinned by identity and as such, APIs need to know if not who is accessing them, what is the context in which they are being accessed.
The industry is shifting to mobile and wearable devices, and desktop apps are now only a part of the overall application landscape. In this new mobile-first context, security is one of the key concerns for Enterprise Architects. Salesforce has implemented the OAuth 2.0 specification to handle user authentication using industry standards. After reviewing OAuth basics, this session will take you through the different approaches to implement OAuth authentication on the Force.com platform.
OAuth 2.0 - The fundamentals, the good , the bad, technical primer and commo...Good Dog Labs, Inc.
OAuth 2.0 seems to be a comprehensive framework for authorizing access to protected resources, but is it really? We can argue that OpenID Connect will make it enterprise ready, but level of adoption in the enterprise is yet to be seen. This primer describes the framework fundamentals,the good, the bad, and common OAuth 2.0 flows.
Microsoft Graph API Delegated PermissionsStefan Weber
Slidedeck presented during a webinar i held on13th December 2023 about how to consume Microsoft Graph API using user level permissions.
Webinar Recording https://youtu.be/2cSsg5ws1H4
What is REST?
What is RESTful Webservices
HTTP-REST Request Basics
HTTP-REST Vocabulary
Authentication (OAuth)
OAuth 2.0 Web Server Flow
REST APIs using Apex REST
Resources
Similar to The OAuth 2.0 Authorization Framework (20)
Quality defects in TMT Bars, Possible causes and Potential Solutions.PrashantGoswami42
Maintaining high-quality standards in the production of TMT bars is crucial for ensuring structural integrity in construction. Addressing common defects through careful monitoring, standardized processes, and advanced technology can significantly improve the quality of TMT bars. Continuous training and adherence to quality control measures will also play a pivotal role in minimizing these defects.
Forklift Classes Overview by Intella PartsIntella Parts
Discover the different forklift classes and their specific applications. Learn how to choose the right forklift for your needs to ensure safety, efficiency, and compliance in your operations.
For more technical information, visit our website https://intellaparts.com
Explore the innovative world of trenchless pipe repair with our comprehensive guide, "The Benefits and Techniques of Trenchless Pipe Repair." This document delves into the modern methods of repairing underground pipes without the need for extensive excavation, highlighting the numerous advantages and the latest techniques used in the industry.
Learn about the cost savings, reduced environmental impact, and minimal disruption associated with trenchless technology. Discover detailed explanations of popular techniques such as pipe bursting, cured-in-place pipe (CIPP) lining, and directional drilling. Understand how these methods can be applied to various types of infrastructure, from residential plumbing to large-scale municipal systems.
Ideal for homeowners, contractors, engineers, and anyone interested in modern plumbing solutions, this guide provides valuable insights into why trenchless pipe repair is becoming the preferred choice for pipe rehabilitation. Stay informed about the latest advancements and best practices in the field.
Courier management system project report.pdfKamal Acharya
It is now-a-days very important for the people to send or receive articles like imported furniture, electronic items, gifts, business goods and the like. People depend vastly on different transport systems which mostly use the manual way of receiving and delivering the articles. There is no way to track the articles till they are received and there is no way to let the customer know what happened in transit, once he booked some articles. In such a situation, we need a system which completely computerizes the cargo activities including time to time tracking of the articles sent. This need is fulfilled by Courier Management System software which is online software for the cargo management people that enables them to receive the goods from a source and send them to a required destination and track their status from time to time.
Final project report on grocery store management system..pdfKamal Acharya
In today’s fast-changing business environment, it’s extremely important to be able to respond to client needs in the most effective and timely manner. If your customers wish to see your business online and have instant access to your products or services.
Online Grocery Store is an e-commerce website, which retails various grocery products. This project allows viewing various products available enables registered users to purchase desired products instantly using Paytm, UPI payment processor (Instant Pay) and also can place order by using Cash on Delivery (Pay Later) option. This project provides an easy access to Administrators and Managers to view orders placed using Pay Later and Instant Pay options.
In order to develop an e-commerce website, a number of Technologies must be studied and understood. These include multi-tiered architecture, server and client-side scripting techniques, implementation technologies, programming language (such as PHP, HTML, CSS, JavaScript) and MySQL relational databases. This is a project with the objective to develop a basic website where a consumer is provided with a shopping cart website and also to know about the technologies used to develop such a website.
This document will discuss each of the underlying technologies to create and implement an e- commerce website.
Automobile Management System Project Report.pdfKamal Acharya
The proposed project is developed to manage the automobile in the automobile dealer company. The main module in this project is login, automobile management, customer management, sales, complaints and reports. The first module is the login. The automobile showroom owner should login to the project for usage. The username and password are verified and if it is correct, next form opens. If the username and password are not correct, it shows the error message.
When a customer search for a automobile, if the automobile is available, they will be taken to a page that shows the details of the automobile including automobile name, automobile ID, quantity, price etc. “Automobile Management System” is useful for maintaining automobiles, customers effectively and hence helps for establishing good relation between customer and automobile organization. It contains various customized modules for effectively maintaining automobiles and stock information accurately and safely.
When the automobile is sold to the customer, stock will be reduced automatically. When a new purchase is made, stock will be increased automatically. While selecting automobiles for sale, the proposed software will automatically check for total number of available stock of that particular item, if the total stock of that particular item is less than 5, software will notify the user to purchase the particular item.
Also when the user tries to sale items which are not in stock, the system will prompt the user that the stock is not enough. Customers of this system can search for a automobile; can purchase a automobile easily by selecting fast. On the other hand the stock of automobiles can be maintained perfectly by the automobile shop manager overcoming the drawbacks of existing system.
Saudi Arabia stands as a titan in the global energy landscape, renowned for its abundant oil and gas resources. It's the largest exporter of petroleum and holds some of the world's most significant reserves. Let's delve into the top 10 oil and gas projects shaping Saudi Arabia's energy future in 2024.
Cosmetic shop management system project report.pdfKamal Acharya
Buying new cosmetic products is difficult. It can even be scary for those who have sensitive skin and are prone to skin trouble. The information needed to alleviate this problem is on the back of each product, but it's thought to interpret those ingredient lists unless you have a background in chemistry.
Instead of buying and hoping for the best, we can use data science to help us predict which products may be good fits for us. It includes various function programs to do the above mentioned tasks.
Data file handling has been effectively used in the program.
The automated cosmetic shop management system should deal with the automation of general workflow and administration process of the shop. The main processes of the system focus on customer's request where the system is able to search the most appropriate products and deliver it to the customers. It should help the employees to quickly identify the list of cosmetic product that have reached the minimum quantity and also keep a track of expired date for each cosmetic product. It should help the employees to find the rack number in which the product is placed.It is also Faster and more efficient way.
Overview of the fundamental roles in Hydropower generation and the components involved in wider Electrical Engineering.
This paper presents the design and construction of hydroelectric dams from the hydrologist’s survey of the valley before construction, all aspects and involved disciplines, fluid dynamics, structural engineering, generation and mains frequency regulation to the very transmission of power through the network in the United Kingdom.
Author: Robbie Edward Sayers
Collaborators and co editors: Charlie Sims and Connor Healey.
(C) 2024 Robbie E. Sayers
Immunizing Image Classifiers Against Localized Adversary Attacksgerogepatton
This paper addresses the vulnerability of deep learning models, particularly convolutional neural networks
(CNN)s, to adversarial attacks and presents a proactive training technique designed to counter them. We
introduce a novel volumization algorithm, which transforms 2D images into 3D volumetric representations.
When combined with 3D convolution and deep curriculum learning optimization (CLO), itsignificantly improves
the immunity of models against localized universal attacks by up to 40%. We evaluate our proposed approach
using contemporary CNN architectures and the modified Canadian Institute for Advanced Research (CIFAR-10
and CIFAR-100) and ImageNet Large Scale Visual Recognition Challenge (ILSVRC12) datasets, showcasing
accuracy improvements over previous techniques. The results indicate that the combination of the volumetric
input and curriculum learning holds significant promise for mitigating adversarial attacks without necessitating
adversary training.
4. Resource Owner
An entity capable of granting access to a protected
resource.
When the resource owner is a person, it is referred to
as an end-user
5. Resource Server
The server hosting the protected resources, capable of
accepting and responding to protected resource
requests using access tokens
6. Authorization Server
The server issuing access tokens to the client after
successfully authenticating the resource owner and
obtaining authorization.
7. Client
An application making protected resource requests on
behalf of the resource owner and with its authorization.
The term "client" does not imply any particular
implementation characteristics (e.g., whether the
application executes on a server, a desktop, or other
devices).
8. ClientTypes
Confidential
Clients capable of maintaining the confidentiality of their credentials (e.g., client
implemented on a secure server with restricted access to the client credentials), or
capable of secure client authentication using other means.
Web Application
User-Agent-Based
Application
Public
Clients incapable of maintaining the confidentiality
of their credentials (e.g., clients executing on the
device used by the resource owner, such as an
installed native application or a web browser-based
application), and incapable of secure client
authentication via any other means.
Native Apllication
10. Protocol Endpoints
The authorization
endpoint is used to
interact with the
resource owner and
obtain an
authorization grant.
Authorization The token endpoint is
used by the client to
obtain an access
token by presenting
its authorization grant
or refresh token.
Token
11. Authorization Endpoint
The authorization endpoint is used to interact with the resource owner and obtain an
authorization grant. The authorization server MUST first verify the identity of the
resource owner.
the authorization server MAY support including the client credentials in the request-
body using the following parameters:
• client_id
REQUIRED. The client identifier issued to the client during the registration process described by
Section 2.2.
• client_secret
REQUIRED. The client secret. The client MAY omit the parameter if the client secret is an empty
string.
POST /token HTTP/1.1
Host: server.example.com
Content-Type: application/x-www-form-urlencoded
grant_type=refresh_token
&refresh_token=tGzv3JOkF0XG5Qx2TlKWIA
&client_id=s6BhdRkqt3
&client_secret=7Fjfp0ZBr1KtDRbnfVdmIw
14. Authorization Code
1. The client initiates the flow by directing the resource owner's user-agent to the authorization endpoint.
The client includes its client identifier, requested scope, local state, and a redirection URI to which the
authorization server will send the user-agent back once access is granted (or denied).
2. The authorization server authenticates the resource owner (via the user-agent) and establishes whether
the resource owner grants or denies the client's access request.
3. Assuming the resource owner grants access, the authorization server redirects the user-agent back to the
client using the redirection URI provided earlier (in the request or during client registration). The
redirection URI includes an authorization code and any local state provided by the client earlier.
4. The client requests an access token from the authorization server's token endpoint by including the
authorization code received in the previous step. When making the request, the client authenticates with
the authorization server. The client includes the redirection URI used to obtain the authorization code for
verification.
5. The authorization server authenticates the client, validates the authorization code, and ensures that the
redirection URI received matches the URI used to redirect the client in step (3). If valid, the authorization
server responds back with an access token and, optionally, a refresh token.
15. Request
• grant_type
REQUIRED. Value MUST be set to "authorization_code".
• code
REQUIRED. The authorization code received from the authorization server.
• redirect_uri
REQUIRED, if the "redirect_uri" parameter was included in the authorization request as
described in Section 4.1.1, and their values MUST be identical.
• client_id
REQUIRED, if the client is not authenticating with the authorization server as described in
Section 3.2.1.
POST /token HTTP/1.1
Host: server.example.com
Content-Type: application/x-www-form-urlencoded
grant_type=refresh_token
&refresh_token=tGzv3JOkF0XG5Qx2TlKWIA
&client_id=s6BhdRkqt3
&client_secret=7Fjfp0ZBr1KtDRbnfVdmIw
17. Implicit
1. The client initiates the flow by directing the resource owner's user-agent to the authorization endpoint. The client
includes its client identifier, requested scope, local state, and a redirection URI to which the authorization server will
send the user-agent back once access is granted (or denied).
2. The authorization server authenticates the resource owner (via the user-agent) and establishes whether the resource
owner grants or denies the client's access request.
3. Assuming the resource owner grants access, the authorization server redirects the user-agent back to the client using
the redirection URI provided earlier.
4. The redirection URI includes the access token in the URI fragment.The user-agent follows the redirection instructions by
making a request to the web-hosted client resource (which does not include the fragment per [RFC2616]).
5. The user-agent retains the fragment information locally.The web-hosted client resource returns a web page (typically
an HTML document with an embedded script) capable of accessing the full redirection URI including the fragment
retained by the user-agent, and extracting the access token (and other parameters) contained in the fragment.
6. The user-agent executes the script provided by the web-hosted client resource locally, which extracts the access token.
7. The user-agent passes the access token to the client.
18. Request
• response_type
REQUIRED. Value MUST be set to "token".
• client_id
REQUIRED, if the client is not authenticating with the authorization server as described in Section 3.2.1.
• redirect_uri
OPTIONAL. As described in Section 3.1.2.
• state
RECOMMENDED. An opaque value used by the client to maintain state between the request and
callback.The authorization server includes this value when redirecting the user-agent back to the client.
The parameter SHOULD be used for preventing cross-site request forgery as described in Section 10.12.
GET /authorize?
response_type=token
&client_id=s6BhdRkqt3
&state=xyz
&redirect_uri=https%3A%2F%2Fclient%2Eexample
%2Ecom%2Fcb HTTP/1.1
Host: server.example.com
19. Resource Owner Password Credential
1. The resource owner provides the client with its username and password.
2. The client requests an access token from the authorization server's token endpoint by
including the credentials received from the resource owner. When making the request,
the client authenticates with the authorization server.
3. The authorization server authenticates the client and validates the resource owner
credentials, and if valid, issues an access token.
2
3
1
20. Request
• grant_type
REQUIRED. Value MUST be set to "client_credentials".
• client_id
REQUIRED, if the client is not authenticating with the authorization server as described in
Section 3.2.1.
POST /token HTTP/1.1
Host: server.example.com
Content-Type: application/x-www-form-urlencoded
grant_type=refresh_token
&refresh_token=tGzv3JOkF0XG5Qx2TlKWIA
&client_id=s6BhdRkqt3
&client_secret=7Fjfp0ZBr1KtDRbnfVdmIw
21. Client Credential
1. The client authenticates with the authorization server and requests an
access token from the token endpoint.
2. The authorization server authenticates the client, and if valid, issues an
access token.
1
2
22. Request
• grant_type
REQUIRED. Value MUST be set to "client_credentials".
• client_id
REQUIRED, if the client is not authenticating with the authorization server as described in
Section 3.2.1.
POST /token HTTP/1.1
Host: server.example.com
Content-Type: application/x-www-form-urlencoded
grant_type=refresh_token
&refresh_token=tGzv3JOkF0XG5Qx2TlKWIA
&client_id=s6BhdRkqt3
&client_secret=7Fjfp0ZBr1KtDRbnfVdmIw
25. Scope
The authorization and token endpoints allow the client to specify the scope
of the access request using the "scope" request parameter. In turn, the
authorization server uses the "scope" response parameter to inform the client
of the scope of the access token issued. The value of the scope parameter is
expressed as a list of space- delimited, case-sensitive strings.
The strings are defined by the authorization server. If the value contains
multiple space-delimited strings, their order does not matter, and each string
adds an additional access range to the requested scope.