Oauth 2.0 - Authorization framework
This section talks about OAuth 2.0 (OAuth 2.0 replaces OAuth 1.0)
The following two specifications provide a general framework for third-party applications (know as the client) to obtain and use limited access to HTTP resources (page, image,…):
- the OAuth 2.0 Authorization Framework (referred as OAuth)
- and the OAuth 2.0 Bearer Token Usage (referred as Bearer Token)
In Oauth, for instance, an end-user (resource owner) can grant a printing service (client) access to her protected photos stored at a photo-sharing service (resource server), without sharing her username and password with the printing service. Instead, she authenticates directly with a server trusted by the photo-sharing service (authorization server), which issues the printing service delegation-specific credentials (ie access token).
It allows arbitrary clients (app) (first-party and third-party) to access user’s (resource owner’s) resources on resource servers via authorization servers.
Role and flow
The OAuth spec defined 4 roles in the authorization process.
It separates the role of the client (the app) from that of the resource owner (the user).
In OAuth, the client (the app) requests access to protected resources controlled by the resource owner (the user) (and hosted by the resource server), and is issued a different set of credentials than those of the resource owner (the user).
Instead of using the resource owner's credentials to access this protected resources, the client obtains:
- an access token
- and optionally a refresh tokens
OAuth 2.0 specification defines 4 types of grant and their respective authorization flows.
Documentation / Reference
- Code example: Google Sheet
- https://tools.ietf.org/html/rfc6749#section-4.2 - To continue