2015-06-14#
OAuth 2.0 Authorization#
Here we show the Authorization Code Grant Type, which would typically be used for web server type applications (confidential clients that can keep a client secret on the server side). Some basic conditions must exist in advance:
- The OAuth Client (The Photo application) must be aware of the correct Authorization Server associated with the Resource Server (Protected Photos)
- The OAuth Client (The Photo application) must have registered with the correct Authorization Server and provided it with its:
- The OAuth Client (The Photo application) must know the Authorization Endpoint (and the Token Endpoint) of the Authorization Server.
- The specification does not define any communication between the Authorization Server and the Resource Server (Protected Photos); how the Resource Server validates Access Tokens is out of scope of RFC 6749.
1) The Resource Owner (user) accesses the OAuth Client (The Photo application).
2) The OAuth Client constructs the Authorization Request as a URI, adding the following parameters:
- response_type - REQUIRED Value MUST be set to "code".
- client_id - REQUIRED The client identifier
- redirect_uri - OPTIONAL, as it may be registered with the Authorization Server in advance. If it is both registered and sent, the Authorization Server MUST check that the two values match before redirecting anywhere.
- scope - OPTIONAL The "Desired" scope of the access request
- state - RECOMMENDED An opaque, unguessable value used by the client to maintain state between the request and callback, and to prevent cross-site request forgery against the callback.
3) The Resource Owner (user) is redirected by the OAuth Client (The Photo application) with the Authorization Request to the Authorization Endpoint on the Authorization Server.
4) The Resource Owner (user) authenticates to the Authorization Server (how the user is authenticated is out of scope of OAuth).
- After authentication the Resource Owner (user) is asked whether she wants to grant the OAuth Client (The Photo application) access to her protected resources on the Resource Server (Protected Photos), with the requested scope.
- If the user accepts, the user is redirected back to the OAuth Client (The Photo application).
- The redirection goes to the redirect_uri the OAuth Client (The Photo application) pre-registered (or to the one in the request, if it matches the registration).
5) The Resource Owner (user) is then redirected to the redirect_uri of the OAuth Client (The Photo application).
- Along with the redirection, the Authorization Server sends an Authorization Code (the code query parameter) representing the authorization, together with the state value from the request. The Authorization Code is short-lived and may be used only once, and the OAuth Client MUST verify that the returned state matches the one it sent before using the code.
6) When the OAuth Client (The Photo application) redirect_uri is accessed, the OAuth Client (The Photo application) connects directly (server to server, over TLS) to the Token Endpoint of the Authorization Server and sends an Access Token Request which includes:
- grant_type - REQUIRED Value MUST be set to "authorization_code".
- code - REQUIRED The Authorization Code received in step 5; the Authorization Server has bound it to the client and to the OAuth Scopes the Resource Owner (user) actually "Authorized".
- redirect_uri - REQUIRED if it was included in the Authorization Request, and its value MUST be identical.
- client_id and Client Secret - used to authenticate the OAuth Client to the Token Endpoint (typically via HTTP Basic authentication or form parameters).
- Note that in this grant type the Access Token Request carries no scope parameter; the granted scope is the one bound to the Authorization Code.
7) If the Authorization Server can validate these values (client credentials, unused and unexpired code issued to this client, matching redirect_uri), it sends back an Access Token Response (JSON) which includes:
- access_token - REQUIRED
- token_type - REQUIRED (for example "Bearer")
- expires_in - RECOMMENDED Lifetime of the Access Token in seconds
- refresh_token - OPTIONAL
- scope - OPTIONAL if identical to the scope requested by the client, otherwise REQUIRED
8) The OAuth Client (The Photo application) can now use the Access Token to request resources from the Resource Server, normally in the HTTP Authorization header ("Authorization: Bearer <token>"). To the Resource Server the Access Token serves as both:
- Evidence that the request comes from the OAuth Client (The Photo application) the token was issued to. Note that a bearer token is not true client authentication: whoever holds it can use it, so it MUST only be sent over TLS and never be logged or placed in URLs.
- Authorization by the Resource Owner (user) to access the Resource Server (Protected Photos), limited to the granted scope.
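The whole flow in steps 1 to 8 above, as an added, self-contained simulation that is not part of the original page and not any real OAuth library. Both sides are modelled in memory: the Authorization Server (authorization and token endpoints), the Resource Server (Protected Photos) and the OAuth Client (the Photo application). The client registration (client_id "photo-app", its secret, the redirect_uri https://photo.example/callback), the endpoint URL https://as.example/authorize and the scope "photos:read" are all constructed for illustration. The example shows the checks a practitioner cares about: the Authorization Server refuses to redirect to an unregistered redirect_uri, the client verifies state before exchanging the code, the Token Endpoint authenticates the client and accepts each code only once, and the Resource Server enforces the granted scope.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


def query_params(uri):
    """Flatten the query string of a URI into a dict (first value of each key)."""
    return {k: v[0] for k, v in parse_qs(urlparse(uri).query).items()}


class AuthorizationServer:
    """Simulated Authorization Server with an authorization and a token endpoint."""

    def __init__(self):
        # Constructed client registration (precondition): id, secret, pre-registered redirect_uri.
        self.clients = {"photo-app": {"secret": "photo-app-secret",
                                      "redirect_uri": "https://photo.example/callback"}}
        self.codes = {}   # authorization code -> (client_id, redirect_uri, granted scope)
        self.tokens = {}  # access token -> (client_id, granted scope)

    def authorize(self, request_uri, user_consents=True):
        """Steps 3-5: user authentication is assumed done; ask consent, redirect back with a code."""
        p = query_params(request_uri)
        client = self.clients.get(p.get("client_id"))
        redirect_uri = p.get("redirect_uri") or (client and client["redirect_uri"])
        if client is None or redirect_uri != client["redirect_uri"]:
            # Unknown client or mismatched redirect_uri: fail in place, never redirect (RFC 6749 4.1.2.1).
            raise ValueError("invalid client_id or redirect_uri")
        reply = {"state": p["state"]} if "state" in p else {}
        if p.get("response_type") != "code":
            reply["error"] = "unsupported_response_type"
        elif not user_consents:
            reply["error"] = "access_denied"
        else:
            code = secrets.token_urlsafe(32)
            self.codes[code] = (p["client_id"], redirect_uri, p.get("scope", ""))
            reply["code"] = code
        return redirect_uri + "?" + urlencode(reply)

    def token(self, form, client_id, client_secret):
        """Steps 6-7: authenticate the client, then exchange a single-use code for an access token."""
        client = self.clients.get(client_id)
        if client is None or not hmac.compare_digest(client["secret"], client_secret):
            return {"error": "invalid_client"}
        if form.get("grant_type") != "authorization_code":
            return {"error": "unsupported_grant_type"}
        entry = self.codes.pop(form.get("code"), None)  # pop: a replayed code is rejected
        if entry is None or entry[0] != client_id or entry[1] != form.get("redirect_uri"):
            return {"error": "invalid_grant"}
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (client_id, entry[2])
        return {"access_token": token, "token_type": "Bearer", "expires_in": 3600, "scope": entry[2]}


class ResourceServer:
    """Simulated Resource Server (Protected Photos); token validation via the AS's store is an assumption."""

    def __init__(self, auth_server):
        self.auth_server = auth_server

    def get_photos(self, authorization_header):
        """Step 8: accept only a known Bearer token whose granted scope covers the request."""
        scheme, _, tok = authorization_header.partition(" ")
        grant = self.auth_server.tokens.get(tok) if scheme == "Bearer" else None
        if grant is None:
            return 401, None
        if "photos:read" not in grant[1].split():
            return 403, None
        return 200, ["beach.jpg", "cat.jpg"]  # constructed protected resources


class PhotoClient:
    """Simulated OAuth Client (the Photo application); all identifiers are constructed."""
    CLIENT_ID, CLIENT_SECRET = "photo-app", "photo-app-secret"
    REDIRECT_URI = "https://photo.example/callback"
    AUTHZ_ENDPOINT = "https://as.example/authorize"

    def __init__(self):
        self.pending = set()  # outstanding state values (bound to the user session in a real app)

    def build_authorization_request(self, scope="photos:read"):
        """Step 2: build the Authorization Request URI with a fresh, unguessable state."""
        state = secrets.token_urlsafe(16)
        self.pending.add(state)
        return self.AUTHZ_ENDPOINT + "?" + urlencode({
            "response_type": "code", "client_id": self.CLIENT_ID,
            "redirect_uri": self.REDIRECT_URI, "scope": scope, "state": state})

    def handle_callback(self, callback_uri, auth_server):
        """Step 6: verify state (CSRF defence), then exchange the code at the Token Endpoint."""
        p = query_params(callback_uri)
        if p.get("state") not in self.pending:
            raise ValueError("state mismatch: possible CSRF or injected code")
        self.pending.discard(p["state"])
        if "error" in p:
            raise ValueError("authorization failed: " + p["error"])
        form = {"grant_type": "authorization_code", "code": p["code"],
                "redirect_uri": self.REDIRECT_URI}
        return auth_server.token(form, self.CLIENT_ID, self.CLIENT_SECRET)


def run_flow(user_consents=True):
    """Steps 1-8 end to end; returns (token response, RS status, photos)."""
    auth_server, client = AuthorizationServer(), PhotoClient()
    resource_server = ResourceServer(auth_server)
    callback = auth_server.authorize(client.build_authorization_request(), user_consents)
    token_response = client.handle_callback(callback, auth_server)
    status, photos = resource_server.get_photos("Bearer " + token_response["access_token"])
    return token_response, status, photos
```

Calling run_flow() returns the token response, HTTP status 200 and the photo list; run_flow(user_consents=False) raises because the callback carries error=access_denied. Presenting the same code to the Token Endpoint a second time yields invalid_grant, a wrong client secret yields invalid_client, and a callback whose state was altered is rejected before any code is exchanged.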