- OAuth2 is an authorization framework
- There are different authorization flows, depending on the app type (SPA, server side, mobile, TV, smart devices etc.)
OAuth2 = Open Authorization 2.0 (delegated authorization framework)
https://www.youtube.com/watch?v=7D-OU4hZW70
1.1. Request To Authorization Endpoint
```http
GET {Authorization Endpoint}?response_type=code   // - Required
    &client_id={Client ID}                        // - Required
    &redirect_uri={Redirect URI}                  // - Conditionally required
    &scope={Scopes}                               // - Optional
    &state={Arbitrary String}                     // - Recommended
    &code_challenge={Challenge}                   // - Optional
    &code_challenge_method={Method}               // - Optional
    HTTP/1.1
HOST: {Authorization Server}
```
1.2. Response From Authorization Endpoint
```http
HTTP/1.1 302 Found
Location: {Redirect URI}?code={Authorization Code}   // - Always included
    &state={Arbitrary String}                        // - Included if the authorization
                                                     //   request included 'state'.
```
1.3. Request To Token Endpoint
```http
POST {Token Endpoint} HTTP/1.1
Host: {Authorization Server}
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code   // - Required
&code={Authorization Code}      // - Required
&redirect_uri={Redirect URI}    // - Required if the authorization
                                //   request included 'redirect_uri'.
&code_verifier={Verifier}       // - Required if the authorization
                                //   request included 'code_challenge'.
```
If the client type of the client application is “public”, the client_id request parameter is additionally required. On the other hand, if the client type is “confidential”, depending on the client authentication method, an Authorization HTTP header, a pair of client_id & client_secret parameters, or some other input parameters are required. See “OAuth 2.0 Client Authentication” for details.
1.4. Response From Token Endpoint
```http
HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache

{
  "access_token": "{Access Token}",      // - Always included
  "token_type": "{Token Type}",          // - Always included
  "expires_in": {Lifetime In Seconds},   // - Optional
  "refresh_token": "{Refresh Token}",    // - Optional
  "scope": "{Scopes}"                    // - Mandatory if the granted
                                         //   scopes differ from the
                                         //   requested ones.
}
```
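Added example (not from the original post) showing the pieces of steps 1.1 to 1.3 above that the message templates leave implicit: generating the PKCE code_verifier and S256 code_challenge for the authorization request, checking `state` on the redirect back before the code is used, and the authorization server's recomputation of the challenge from `code_verifier` at the token endpoint. Endpoint, client and state values in the usage are placeholders.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

def b64url(raw: bytes) -> str:
    # base64url without padding, as RFC 7636 requires for PKCE values
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def make_pkce_pair():
    # code_verifier: 32 random bytes -> 43 unreserved chars (RFC 7636 minimum length)
    verifier = b64url(secrets.token_bytes(32))
    # S256 code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))
    return verifier, b64url(hashlib.sha256(verifier.encode("ascii")).digest())

def build_authorization_url(authz_endpoint: str, client_id: str, redirect_uri: str,
                            scope: str, state: str, code_challenge: str) -> str:
    # step 1.1: the URL the client redirects the user's browser to
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": scope, "state": state,
              "code_challenge": code_challenge, "code_challenge_method": "S256"}
    return f"{authz_endpoint}?{urlencode(params)}"

def parse_authorization_response(location: str, expected_state: str) -> str:
    # step 1.2: the client checks 'state' before it will use the code, so a
    # code that does not belong to this browser session is rejected (CSRF protection)
    query = parse_qs(urlparse(location).query)
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error'][0]}")
    state = query.get("state", [""])[0]
    if not hmac.compare_digest(state, expected_state):
        raise ValueError("state mismatch: response does not belong to this session")
    return query["code"][0]

def verify_code_verifier(stored_challenge: str, method: str, code_verifier: str) -> bool:
    # step 1.3, authorization-server side: recompute the challenge from the
    # presented code_verifier and compare it with the one stored at step 1.1
    if method == "S256":
        derived = b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())
    elif method == "plain":
        derived = code_verifier
    else:
        return False
    return hmac.compare_digest(derived, stored_challenge)
```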