jspωiki
Web Blog_blogentry_140218_1

2018-02-14#

OAuth 2.0 and Authentication#

We run across a lot of question similar to: How the resource server can know who is the user and what are his permissions?

Too often people are trying to solve the the wrong problem. Let's pretend there is a Web Application (OAuth Client) that provides the Weather to a User (Resource Owner).

The Web Application keeps some data about the user, perhaps their Zip Code so the Web Application can serve up the Weather each time the user comes to the Web Application. Perhaps the Web Application uses a cookie to store the Zip Code.

Obviously the Web Application has a relationship with the user.

The Web Application needs to know ONLY some identification of the User. The Web Application should not be too worried if the user is really authentic, only needs to know the User Zip Code.

The Web Application then calls a weather API and provides the Zip Code to the Weather Service API (ie Resource Server). The Web Application obviously has a relationship with the Weather Service API, but the user does not. There is no reason that the Weather Service would need to know anything about the user.

So how can we apply OAuth 2.0 with this scenario?

The Web Application could use OAuth 2.0 to obtain Consent from the user and set up a relationship with the user. However, in this case, there is no relationship between the Weather Service API Resource Server and the User. The relationship is between the Web Application and the Weather Service API. We could certainly use OAuth 2.0 to provide this relationship as the Web Application (ie OAuth Client) and the Weather Service API (ie Resource Server).

More Information#

There might be more information for this subject on one of the following: ...nobody