OAuth is an open standard to give access to somebody without using password on every request. It usually involves using tokens. OAuth is published in two versions, OAuth 1.0 on 2009 and OAuth 2.0 on 2013. OAuth is a service that is complementary to and distinct from OpenID. OAuth is an authorization protocol, rather than an authentication protocol. [1]
The requesting, granting, and life management of this token is often referred to as a “flow”. Private clients are typically applications with a backend that can keep a secret to use for authenticating. Public clients have no means of securely keeping a secret, for instance, a single page application that usually doesn’t have a backend. [2] Four basic flows are:
- Code Flow: for private clients, the server responds with a code.
- Implicit Flow: for public clients like SPAs, it is simpler and the server responds with an access token.
- Client Credentials Flow: designed for server-to-server, server responds with an access token, no refresh token exists here.
- Resource Owner Password Credentials Flow: password is entered to the client itself, very simple and designed for legacy and migration only
Code Flow includes these steps [3]:
- Step 1 — Authorization Code Link
- Step 2 — User Authorizes Application
- Step 3 — Application Receives Authorization Code
- Step 4 — Application Requests Access Token
- Step 5 — Application Receives Access Token
The Proof Key for Code Exchange (PKCE) is an extension to the Code flow which allows it to be used over public clients.
Top comments (0)