OAuth2.0 Flow (with the 4 grant types, rfc6749)


Official specification from the Internet Engineering Task Force (IETF), RFC 6749 (edited at Microsoft, 2012): https://tools.ietf.org/html/rfc6749

OAuth2.0 Specification (5 grants)

Allows a client application to obtain an access_token (with the user's permission) in order to access an API endpoint.

Terms Used

  • Resource Owner: User
  • Resource Server: API
  • Client: Application (server, desktop, mobile or other)
  • Authorization Server: Issues tokens to the client

Grants

Authorization Code (Google, Facebook)

  1. <Client> redirects the user to <Authorization Server>: https://facebook.com/oauth/?response_type=code&client_id=2&redirect_uri=mysite.com/redirect&scope=desktop&state=csrf-token
  2. <Authorization Server> validates all the fields (client_id, redirect_uri, scope, ...)
  3. <Authorization Server> prompts the user for credentials and for approval of the client
  4. <Authorization Server> redirects the user to 'redirect_uri': https://mysite.com?code=authcode&state=csrf-token (the client must check that 'state' matches the value it sent)
  5. <Client> POSTs to <Authorization Server>: https://facebook.com/oauth/authorize/?grant_type=authorization_code&client_id=xxxx&client_secret=yyyy&redirect_uri=mysite.com/redirect&code=authcode
  6. <Authorization Server> responds with JSON to <Client>: { token_type: 'Bearer', expires_in: ttl, access_token: token, refresh_token: token (used to acquire a new access_token after the original has expired) }
  7. <Client> calls the API of <Resource Server> (https://facebook.com/getUser) sending the access_token in the Authorization header

Implicit (first-party clients, e.g. Spotify; SPAs; the client cannot keep a client secret; no refresh tokens)

  1. <Client> redirects the user to <Authorization Server>: https://facebook.com/oauth/?response_type=token&client_id=2&redirect_uri=mysite.com/redirect&scope=desktop&state=csrf-token
  2. <Authorization Server> validates all the fields (client_id, redirect_uri, scope, ...)
  3. <Authorization Server> prompts the user for credentials and for approval of the client
  4. <Authorization Server> redirects the user to 'redirect_uri' with the token in the URL fragment: https://mysite.com#token_type=Bearer&state=csrf-token&expires_in=ttl&access_token=token

Resource Owner Password Credentials (trusted apps on web and mobile, frontend apps only, *maybe server)

  1. <Client> prompts the user for credentials
  2. <Client> POSTs to <Authorization Server> with body params { grant_type: password, client_id: xxxx, client_secret: yyyy, scope: desktop, username: aaaa, password: bbbb }
  3. <Authorization Server> responds { token_type: Bearer, expires_in: ttl, access_token: yyyy, refresh_token: zzzz }

Client Credentials (server to server only, simplest)

  1. <Client> POSTs to <Authorization Server> with body params { grant_type: client_credentials, client_id: xxxx, client_secret: yyyy, scope: desktop }
  2. <Authorization Server> responds { token_type: Bearer, expires_in: ttl, access_token: yyyy }

Refresh Token (get new access tokens without redirects) ** Secondary grant, used only to refresh an existing session

  1. <Client> POSTs to <Authorization Server> with body params { grant_type: refresh_token, client_id: adsasd, refresh_token: xxxxxx, client_secret: yyyy, scope: desktop }
  2. <Authorization Server> responds { token_type: Bearer, expires_in: ttl, access_token: yyyy, refresh_token: ppppp } (a new refresh_token is issued; the old one should no longer be accepted)
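The Authorization Code steps and the Refresh Token grant above can be run end to end against an in-memory model of both sides. The following is an added example, not code from the page; the `AuthorizationServer` and `Client` classes, their method names and the registered client ("2", secret "yyyy", redirect mysite.com/redirect) are stand-ins for facebook.com and the client application in the steps. It shows the checks a defender cares about: the redirect_uri must match the registration, the client must check `state` before exchanging the code, the code is single-use, the client_secret is compared in constant time, and refreshing rotates the refresh token.

```python
"""In-memory model of the authorization-code and refresh-token grants (rfc6749 4.1 and 6).
Added example: the server below is a toy stand-in, not a real authorization server."""
import secrets
import time
from urllib.parse import urlencode, urlparse, parse_qs


def _query(url):
    """Return the query string of a URL as a flat dict (first value wins)."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


class AuthorizationServer:
    def __init__(self):
        self.clients = {}         # client_id -> (client_secret, registered redirect_uri)
        self.codes = {}           # authorization code -> (client_id, redirect_uri, scope)
        self.refresh_tokens = {}  # refresh_token -> (client_id, scope)
        self.access_tokens = {}   # access_token -> (client_id, scope, expiry timestamp)

    def register(self, client_id, client_secret, redirect_uri):
        self.clients[client_id] = (client_secret, redirect_uri)

    def authorize(self, url):
        """Steps 1-4: validate the request, assume the user approved, issue a code."""
        q = _query(url)
        if q.get("response_type") != "code":
            raise ValueError("unsupported_response_type")
        client = self.clients.get(q.get("client_id"))
        # exact match against the registered redirect_uri: the code is only ever
        # delivered to the URI the client registered, never to a caller-supplied one
        if client is None or client[1] != q.get("redirect_uri"):
            raise ValueError("invalid_client or redirect_uri mismatch")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (q["client_id"], q["redirect_uri"], q.get("scope", ""))
        # state is echoed back untouched so the client can tie the callback to its session
        return q["redirect_uri"] + "?" + urlencode({"code": code, "state": q.get("state", "")})

    def _issue(self, client_id, scope, ttl=3600):
        access, refresh = secrets.token_urlsafe(24), secrets.token_urlsafe(24)
        self.access_tokens[access] = (client_id, scope, time.time() + ttl)
        self.refresh_tokens[refresh] = (client_id, scope)
        return {"token_type": "Bearer", "expires_in": ttl,
                "access_token": access, "refresh_token": refresh}

    def token(self, params):
        """Steps 5-6 and the refresh grant: authenticate the client, then issue tokens."""
        client = self.clients.get(params.get("client_id"))
        if client is None or not secrets.compare_digest(client[0], params.get("client_secret", "")):
            raise ValueError("invalid_client")
        grant = params.get("grant_type")
        if grant == "authorization_code":
            entry = self.codes.pop(params.get("code"), None)  # pop: a code is single-use
            if entry is None or entry[0] != params["client_id"] or entry[1] != params.get("redirect_uri"):
                raise ValueError("invalid_grant")
            return self._issue(entry[0], entry[2])
        if grant == "refresh_token":
            entry = self.refresh_tokens.pop(params.get("refresh_token"), None)  # rotate: old token dies
            if entry is None or entry[0] != params["client_id"]:
                raise ValueError("invalid_grant")
            return self._issue(entry[0], entry[1])
        raise ValueError("unsupported_grant_type")


class Client:
    def __init__(self, client_id, client_secret, redirect_uri):
        self.client_id, self.client_secret, self.redirect_uri = client_id, client_secret, redirect_uri
        self.pending_state = None  # would live in the user's session in a web app

    def authorization_url(self, server_url, scope):
        self.pending_state = secrets.token_urlsafe(16)  # fresh per login attempt
        return server_url + "?" + urlencode({"response_type": "code", "client_id": self.client_id,
                                             "redirect_uri": self.redirect_uri, "scope": scope,
                                             "state": self.pending_state})

    def handle_redirect(self, redirect_url, server):
        q = _query(redirect_url)
        # a state mismatch means this callback was not started by this session (CSRF)
        if self.pending_state is None or not secrets.compare_digest(q.get("state", ""), self.pending_state):
            raise ValueError("state mismatch")
        self.pending_state = None
        return server.token({"grant_type": "authorization_code", "client_id": self.client_id,
                             "client_secret": self.client_secret, "redirect_uri": self.redirect_uri,
                             "code": q.get("code")})

    def refresh(self, refresh_token, server):
        return server.token({"grant_type": "refresh_token", "client_id": self.client_id,
                             "client_secret": self.client_secret, "refresh_token": refresh_token})


def rejected(call, *args):
    """True if the server or client refuses the request (raises ValueError)."""
    try:
        call(*args)
        return False
    except ValueError:
        return True


def run_flow():
    """Drive one login plus one refresh; returns (server, client, first tokens, refreshed tokens)."""
    auth = AuthorizationServer()
    auth.register("2", "yyyy", "https://mysite.com/redirect")
    client = Client("2", "yyyy", "https://mysite.com/redirect")
    redirect = auth.authorize(client.authorization_url("https://facebook.com/oauth/", "desktop"))
    first = client.handle_redirect(redirect, auth)
    second = client.refresh(first["refresh_token"], auth)
    return auth, client, first, second


if __name__ == "__main__":
    _, _, first, second = run_flow()
    print(first, second, sep="\n")
```

Replaying the exchanged code or the old refresh token against `token()` fails with `invalid_grant`, and a callback whose `state` differs from the one stored for the session is refused before any token request is made.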

Bash Scripts

# Resource Owner Password Credentials grant (the form fields are joined with '&', and
# any '&', '=' or ';' inside a value must be URL-encoded or the body is split wrongly)
curl -X POST -d "client_id=aaaaa&client_secret=zzzzzz&grant_type=password&username=xxxxxx&password=yyyyy" https://start.exactonline.nl/api/oauth2/auth
{
  "access_token": "a503faf9-45b5-4fec-8334-337284a66ea4",
  "token_type": "bearer",
  "refresh_token": "486adfde-757b-4d37-81d7-446c2ec4bd91",
  "expires_in": 43199
}

# Call the resource server with the access_token as a Bearer token
curl --header "Authorization: Bearer a503faf9-45b5-4fec-8334-337284a66ea4" http://localhost:9001/telemetry/v1/
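The same two requests expressed in Python, as an added example that is not part of the page: it builds the password-grant body with proper URL encoding (a password containing `&`, `;` or `=` cannot break the form), parses the token response shown above, treats `token_type` case-insensitively as RFC 6749 requires (the response says "bearer", the header scheme is "Bearer"), and tracks the absolute expiry so the client refreshes before the token dies. `password_grant_body`, `TokenResponse` and its methods are names chosen here, not a library API.

```python
"""Password-grant request body and bearer-token bookkeeping. Added example, not page code;
SAMPLE_RESPONSE is the token response printed above the curl call."""
import json
import time
from urllib.parse import urlencode

SAMPLE_RESPONSE = """{
  "access_token": "a503faf9-45b5-4fec-8334-337284a66ea4",
  "token_type": "bearer",
  "refresh_token": "486adfde-757b-4d37-81d7-446c2ec4bd91",
  "expires_in": 43199
}"""


def password_grant_body(client_id, client_secret, username, password, scope=None):
    """Form body for grant_type=password; urlencode escapes '&', ';', '=' inside values."""
    fields = {"grant_type": "password", "client_id": client_id, "client_secret": client_secret,
              "username": username, "password": password}
    if scope:
        fields["scope"] = scope
    return urlencode(fields)


class TokenResponse:
    def __init__(self, raw, received_at=None):
        data = json.loads(raw)
        if "access_token" not in data:
            # error responses carry "error" instead of a token
            raise ValueError(data.get("error", "no access_token in response"))
        # rfc6749 5.1: token_type is case-insensitive, so "bearer" and "Bearer" both count
        if str(data.get("token_type", "")).lower() != "bearer":
            raise ValueError("unsupported token_type: %r" % data.get("token_type"))
        self.access_token = data["access_token"]
        self.refresh_token = data.get("refresh_token")
        now = received_at if received_at is not None else time.time()
        # expires_in is relative to when the response arrived; store the absolute deadline
        self.expires_at = now + int(data.get("expires_in", 0))

    def authorization_header(self):
        """Header for the resource-server call; the scheme is always spelled 'Bearer'."""
        return {"Authorization": "Bearer " + self.access_token}

    def needs_refresh(self, now=None, margin=60):
        """True once the token is within `margin` seconds of expiry (or past it)."""
        current = now if now is not None else time.time()
        return current >= self.expires_at - margin


if __name__ == "__main__":
    print(password_grant_body("aaaaa", "zzzzzz", "xxxxxx", "yyyyy"))
    tok = TokenResponse(SAMPLE_RESPONSE)
    print(tok.authorization_header(), tok.needs_refresh())
```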

Created on 12/12/2017