Posted on November 24, 2018

oauth 2.0 standard

OAuth 2.0 Overall flow

+--------+                               +---------------+
|        |--(A)- Authorization Request ->|   Resource    |
|        |                               |     Owner     |
|        |<-(B)-- Authorization Grant ---|               |
|        |                               +---------------+
|        |
|        |                               +---------------+
|        |--(C)-- Authorization Grant -->| Authorization |
| Client |                               |     Server    |
|        |<-(D)----- Access Token -------|               |
|        |                               +---------------+
|        |
|        |                               +---------------+
|        |--(E)----- Access Token ------>|    Resource   |
|        |                               |     Server    |
|        |<-(F)--- Protected Resource ---|               |
+--------+                               +---------------+


Client, User(Resource owner), Authorization server, Resource server

- Client

3rd Party apps/servies which utilize oauth system.

- User(Resource)

Actual users who use the 3rd party app/service.

- Authorization Server

Authorization server provide authorization code, Access token, and verify tokens.

- Resource Server

A server which is containing resource. Each resource should be requested with valid access token.

Grant types

There are several grant types in common.

Following grant types are most common grant types. (You can define your own grant type)

1. Authorization Code
2. Implicit
3. Password
4. Client Credentials
5. Device Code
6. Refresh Token

1. Authorization Code

This grant type is used when service have its own web Backend Server. Backend Server request to oauth server to get authorization code and they exchange authorization code with access token. You need to provie client_id and client_credential or given API key in order to get Authorization code.

2. Implicit

This grant type is used assuming that user already got authorization code. So you can get access token without any authorization process. Actually this method is not recommended and npm oauth2-server doesn’t provide this method.

3. password

This grant type don’t need to get authorization code also. Rater than this type provide username/password to get access token. If username/password is valid, access token is returned. (clientId & client_credential is essential) Since password type require username/password, this type should be used my first party only. (Not third party)

4. client credentials

This grant type is more simple than password. If you provide clientId and client credential you can get access token.

5. Device

This grant type is not used frequently and npm oauth2-server doesn’t provide this grant type. This type is used by browserless or input-constrained devices. You can get access token with clientId & client credential & device id.

6. Refresh token

This grant type is used to renew access token with refresh token. When you are provided token, you can get refresh token also. If you provide clientId & client credential & refresh token, you can get renewed access token.

Bearer token

Bearer token is a most widely used as access token. This token type can be expressed as hexa-decimal format or structured format lie JWT(JSON Web Token)

State

State is used to protect XSRF attack. Your application generate a random string and set it to the authorization server. And authorization server send back the state parameter. If both states are same, it is OK.

Redirect Uri

Redirect Uri is a uri which redirected with authorization code. Once resource owner get authorization code from authorization server, User redirected to uri which is provided by client. And client service request token with authorization code in that redirect uri.