Auth2
1       INTRODUCTION

OAuth 2 is an authorization framework that enables applications to obtain limited access to user accounts on an HTTP service, such as Facebook, GitHub, and DigitalOcean. It works by delegating user authentication to the service that hosts the user account, and authorizing third-party applications to access the user account. OAuth 2 provides authorization flows for web and desktop applications, and mobile devices.

2       ABSTRACT PROTOCOL FLOW

3       GRANT TYPE

  • Authorization code
  • Implicit
  • Resource Owner Password Credentials (User Name / Password)
  • Client Credentials

3.1     Authorization Code

3.1.1   Scenario

  • Public Network 
  • High Security

3.1.2  Application Registration

  • Application Name
  • Application Website
  • Redirect URI or Callback URL

3.1.3 Client ID and Client Secret

  • ID: App Identity
  • Secret: Private Key Between App and Auth API

3.1.4   Flow

3.1.5  Sample
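The following is an added example, not code from the original notes: an in-memory model of the authorization code flow covering the pieces named in 3.1.2 and 3.1.3 (a registered redirect URI, a client ID and a client secret), and the point made in 4.3, that an app holding only a stolen authorization code cannot redeem it at the token endpoint without the client secret. All client IDs, secrets, URLs and method names are made-up placeholders; no real authorization server is contacted.

```python
# Added example (not from the original notes). Models an OAuth 2 authorization
# server and a confidential client exchanging an authorization code for a token.
# Registration data, ids and secrets below are constructed placeholders.
import hmac
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed registration record (section 3.1.2): name, website, redirect URI.
REGISTERED_CLIENTS = {
    "app-client-id": {
        "name": "Example App",
        "website": "https://app.example",
        "redirect_uri": "https://app.example/callback",
        "secret": "app-client-secret",
    }
}


class AuthorizationServer:
    """Issues single-use authorization codes and exchanges them for tokens."""

    def __init__(self):
        self._codes = {}  # code -> (client_id, redirect_uri) it was issued for

    def authorize(self, client_id, redirect_uri, state):
        client = REGISTERED_CLIENTS.get(client_id)
        if client is None or client["redirect_uri"] != redirect_uri:
            raise ValueError("unknown client or unregistered redirect URI")
        code = secrets.token_urlsafe(16)
        self._codes[code] = (client_id, redirect_uri)
        # The user-agent is redirected to the registered URI carrying the code.
        return redirect_uri + "?" + urlencode({"code": code, "state": state})

    def token(self, client_id, client_secret, code, redirect_uri):
        client = REGISTERED_CLIENTS.get(client_id)
        entry = self._codes.pop(code, None)  # a code can be redeemed once
        if client is None or entry is None:
            raise PermissionError("invalid or already used code")
        # The secret (3.1.3) proves the caller is the registered app, so a
        # leaked code alone (4.3) yields nothing.
        if not hmac.compare_digest(client_secret, client["secret"]):
            raise PermissionError("bad client secret")
        if entry != (client_id, redirect_uri):
            raise PermissionError("code was not issued to this client/URI")
        return {"access_token": secrets.token_urlsafe(24), "token_type": "bearer"}


class ClientApp:
    """Confidential client: keeps its secret server-side and checks state."""

    def __init__(self, server, client_id, client_secret):
        self.server = server
        self.client_id = client_id
        self.client_secret = client_secret
        self.redirect_uri = REGISTERED_CLIENTS[client_id]["redirect_uri"]
        self.pending_state = None

    def start_login(self):
        self.pending_state = secrets.token_urlsafe(16)
        return self.server.authorize(self.client_id, self.redirect_uri, self.pending_state)

    def handle_callback(self, callback_url):
        params = parse_qs(urlsplit(callback_url).query)
        if params.get("state", [None])[0] != self.pending_state:
            raise PermissionError("state mismatch: callback was not started by us")
        code = params["code"][0]
        return self.server.token(self.client_id, self.client_secret, code, self.redirect_uri)


def run_flow():
    """Happy path: authorize, redirect, exchange code for a bearer token."""
    server = AuthorizationServer()
    app = ClientApp(server, "app-client-id", "app-client-secret")
    return app.handle_callback(app.start_login())


def stolen_code_is_useless():
    """Section 4.3: a caller with the code but the wrong secret is refused."""
    server = AuthorizationServer()
    app = ClientApp(server, "app-client-id", "app-client-secret")
    code = parse_qs(urlsplit(app.start_login()).query)["code"][0]
    try:
        server.token("app-client-id", "not-the-secret", code, "https://app.example/callback")
    except PermissionError:
        return True
    return False
```

`run_flow()` walks the full exchange; `stolen_code_is_useless()` shows the registration check from 4.3 doing its job. The `state` parameter is generated per login and checked on the callback so that a callback the app did not initiate is rejected.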

3.2     Implicit

The implicit grant type is used for mobile apps and web applications (i.e. applications that run in a web browser), where the client secret confidentiality is not guaranteed. The implicit grant type is also a redirection-based flow but the access token is given to the user-agent to forward to the application, so it may be exposed to the user and other applications on the user's device. Also, this flow does not authenticate the identity of the application, and relies on the redirect URI (that was registered with the service) to serve this purpose.

3.2.1   Scenario

  • Local Network 
  • Low Security

3.2.2    Flow

3.3   Resource Owner Password Credentials

  • Highly Trusted

3.4   Client Credentials

  • No Frontend
  • Get token directly by client id and secret

4   Others

4.1  Session Id and Token

The session ID list is maintained by the server. If there is a load-balancing process, there is a sync problem between servers.

A token does not have this problem.

4.2 Token and Refresh token

A token has an expiry time. Once it has expired, a new token can be obtained with the refresh token.
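An added example, not from the original notes, for the two points above: a signed, self-contained access token that any backend instance can verify with the shared key (so there is no session list to sync, 4.1), and a refresh exchange that issues a new access token once the old one has expired (4.2). The token format, key, lifetimes and store classes are constructed for this illustration and are not a specification.

```python
# Added example (not from the original notes). Contrasts server-side sessions
# with a signed token, then shows expiry and refresh. Key and format are made up.
import base64
import hashlib
import hmac
import json
import secrets
import time

SIGNING_KEY = b"constructed-shared-key"  # same key on every backend instance


def issue_access_token(subject, ttl_seconds, now=None):
    """Payload (subject + expiry) plus an HMAC over it; nothing stored server-side."""
    now = time.time() if now is None else now
    payload = json.dumps({"sub": subject, "exp": int(now + ttl_seconds)}).encode()
    mac = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(payload).decode() + "."
            + base64.urlsafe_b64encode(mac).decode())


def verify_access_token(token, now=None):
    """Returns the claims if the MAC is valid and the token is unexpired, else None."""
    now = time.time() if now is None else now
    try:
        p64, m64 = token.split(".")
        payload = base64.urlsafe_b64decode(p64)
        mac = base64.urlsafe_b64decode(m64)
    except ValueError:  # malformed token (bad split or bad base64)
        return None
    expected = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None  # tampered or signed with another key
    claims = json.loads(payload)
    if claims["exp"] <= now:
        return None  # expired: the client must use its refresh token
    return claims


class SessionStore:
    """Classic server-side session list: state lives on one instance only."""

    def __init__(self):
        self._sessions = {}

    def login(self, subject):
        sid = secrets.token_hex(8)
        self._sessions[sid] = subject
        return sid

    def lookup(self, sid):
        return self._sessions.get(sid)


class RefreshTokenStore:
    """Refresh tokens are long-lived, kept server-side, and rotated on each use."""

    def __init__(self):
        self._refresh = {}  # refresh token -> subject

    def issue(self, subject, now=None):
        rt = secrets.token_urlsafe(24)
        self._refresh[rt] = subject
        return {"access_token": issue_access_token(subject, 300, now), "refresh_token": rt}

    def refresh(self, refresh_token, now=None):
        subject = self._refresh.pop(refresh_token, None)  # single use
        if subject is None:
            raise PermissionError("unknown or already used refresh token")
        return self.issue(subject, now)


def demo_session_sync_problem():
    """Two instances behind a balancer: the second one does not know the session."""
    a, b = SessionStore(), SessionStore()
    sid = a.login("alice")
    return a.lookup(sid), b.lookup(sid)  # ("alice", None)


def demo_token_any_server(now=1_700_000_000):
    """Any instance verifies the token; after the TTL it is rejected."""
    tok = issue_access_token("alice", 300, now)
    return verify_access_token(tok, now)["sub"], verify_access_token(tok, now + 301)


def demo_refresh(now=1_700_000_000):
    """Expired access token -> refresh -> fresh token; the old refresh token is dead."""
    store = RefreshTokenStore()
    grant = store.issue("alice", now)
    later = now + 301
    expired = verify_access_token(grant["access_token"], later) is None
    renewed = store.refresh(grant["refresh_token"], later)
    try:
        store.refresh(grant["refresh_token"], later)
        old_reuse_fails = False
    except PermissionError:
        old_reuse_fails = True
    return expired, verify_access_token(renewed["access_token"], later)["sub"], old_reuse_fails
```

The access token carries its own expiry and signature, which is what removes the cross-server sync problem; the refresh token is the one piece that stays server-side, and rotating it on every use means a refresh token captured after it was spent is useless.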

4.3 Client registration

Ensures that another app cannot get an access token even if it illegally obtains the auth code.

5   Q & A

5.1   Is the URL protected by HTTPS?

The domain name is not, since it is used to get the IP address from the DNS server.

But the path is.

5.2   Why is local storage used?

Its size limit is larger than a cookie's.

Also, it is persistent.

5.3  Why is the implicit type used when the token is in the browser?

It is used in a low-security network.

https://***#token=? The #token fragment is not sent over the network.
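An added example, not from the original notes, for the implicit flow in 3.2 and the fragment point just above: the authorization server puts the token in the URL fragment, the user-agent's request to the redirect host carries only the path and query, and only script running in the returned page reads the fragment. URLs, parameter names and the token value are constructed; the contrasting `build_query_redirect` function is included only to show what would leak if the token were placed in the query instead.

```python
# Added example (not from the original notes). Models where the token goes in an
# implicit-grant redirect and what part of the URL the browser transmits.
from urllib.parse import urlencode, urlsplit, parse_qs


def build_implicit_redirect(redirect_uri, access_token, state):
    """Implicit grant: token in the fragment (after '#'), as the flow specifies."""
    return redirect_uri + "#" + urlencode(
        {"access_token": access_token, "token_type": "bearer", "state": state})


def build_query_redirect(redirect_uri, access_token, state):
    """Contrast only: token in the query string, which the browser does transmit."""
    return redirect_uri + "?" + urlencode({"access_token": access_token, "state": state})


def request_target_sent_by_browser(url):
    """The HTTP request-target is path plus query; the fragment never leaves the browser."""
    parts = urlsplit(url)
    return parts.path + ("?" + parts.query if parts.query else "")


def token_read_by_page_script(url, expected_state):
    """What the app's script sees: parse the fragment, and check state first."""
    frag = parse_qs(urlsplit(url).fragment)
    if frag.get("state", [None])[0] != expected_state:
        return None  # not a response to a request this page made
    return frag.get("access_token", [None])[0]


def demo():
    """Returns (what the server receives, what the page script reads) for both shapes."""
    good = build_implicit_redirect("https://app.example/cb", "tok123", "s1")
    bad = build_query_redirect("https://app.example/cb", "tok123", "s1")
    return (request_target_sent_by_browser(good), token_read_by_page_script(good, "s1"),
            request_target_sent_by_browser(bad))
```

For the fragment form, the server behind `https://app.example/cb` receives only `/cb`; the token exists solely in the page, which is exactly why the notes say it is not sent over the network, and also why it is exposed to anything else that can read the page's URL on the device (3.2).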