Friday, June 16, 2023

MS - Security - OAuth 2

A few key points to remember

  • Protocol for token-based authorization.
  • Delegates access without sharing credentials: the resource owner grants a client permission to perform certain actions on their behalf.
  • Technically, OAuth does not authenticate the user. The user must already be authenticated before an access token is issued. (Note: most implementations combine the two, which is why authentication and authorization are so often confused.)
  • Can use third-party OAuth providers, e.g. Google, Facebook, GitHub, or your own OAuth server.


Key Items to Remember

  • Client
  • Authorization Server
  • Resource Owner
  • Resource Server


Key Words / Terms

  • Access Token - a random, human-unreadable string
  • Refresh Token - similar to an access token; used to obtain a new access token when the current one expires
  • Client ID / Client Secret - identify the app/client
  • Scope - the permissions granted
  • JWT - the most widely used format for passing information between services; supports encryption
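As an added example (not code from the original post), the block below shows what a resource server does with a JWT access token before honouring a request: it checks the signature, the issuer and audience, the expiry, and whether the granted scope covers the requested action. It uses only the Python standard library with an HS256 shared key; that key, the issuer and audience URLs, and the client/user names are constructed placeholders for the demo. A real deployment would normally use a JWT library and asymmetric keys published via JWKS.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo values (assumptions, not from the post): a shared HS256 key
# known to both the authorization server and the resource server, plus a
# hypothetical issuer and audience.
SIGNING_KEY = b"demo-hs256-key-not-for-production"
ISSUER = "https://auth.example"
AUDIENCE = "https://api.example"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json_b64(obj) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def mint_access_token(subject, client_id, scope, ttl_seconds, now, key=SIGNING_KEY):
    """Authorization-server side: issue a signed JWT access token."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "sub": subject, "aud": AUDIENCE, "client_id": client_id,
              "scope": scope, "iat": now, "exp": now + ttl_seconds}
    signing_input = _json_b64(header) + "." + _json_b64(claims)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_access_token(token, required_scope, now, key=SIGNING_KEY):
    """Resource-server side: check signature, issuer/audience, expiry and scope.
    Returns the claims, or raises ValueError with the reason for refusal."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, claims_b64, sig_b64 = parts
    # Pin the expected algorithm instead of trusting whatever the header says.
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{claims_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(claims_b64))
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        raise ValueError("wrong issuer or audience")
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    # Scope is a space-separated list of granted permissions.
    if required_scope not in claims.get("scope", "").split():
        raise ValueError("insufficient scope")
    return claims


def decision(token, required_scope, now):
    """One-line summary of what the resource server would do with a request."""
    try:
        return "allow sub=" + verify_access_token(token, required_scope, now)["sub"]
    except ValueError as err:
        return f"deny: {err}"


def tamper_scope(token, new_scope):
    """Constructed for the demo: rewrite the claims without re-signing, to show
    that a modified token fails the signature check."""
    header_b64, claims_b64, sig_b64 = token.split(".")
    claims = json.loads(_b64url_decode(claims_b64))
    claims["scope"] = new_scope
    return header_b64 + "." + _json_b64(claims) + "." + sig_b64


if __name__ == "__main__":
    now = 1_700_000_000
    tok = mint_access_token("alice", "web-app", "read:profile write:profile", 3600, now)
    print(decision(tok, "read:profile", now + 10))                  # allow sub=alice
    print(decision(tok, "admin", now + 10))                         # deny: insufficient scope
    print(decision(tok, "read:profile", now + 3600))                # deny: token expired
    print(decision(tamper_scope(tok, "admin"), "admin", now + 10))  # deny: bad signature
```

The order of the checks matters: the signature is verified before any claim is read, so a token whose scope was edited after issuance is refused as "bad signature" rather than being evaluated on its forged contents.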


Grant Types

  • Authorization Code
  • Client Credentials
  • Implicit
  • Password
  • Device Code
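As an added example (not code from the original post), the following simulates the Authorization Code grant end to end, with the four roles listed earlier under Key Items to Remember: the resource owner (already authenticated), the client, the authorization server, and a resource server that asks the authorization server whether an opaque access token is still active. It also covers the refresh token renewing access, as described under Key Words. It goes beyond the notes in one respect: the client uses a `state` value and PKCE (RFC 7636), which is standard hardening for this grant. The client id, secret, redirect URI and user name are constructed placeholders, and the in-memory server is an assumption made so the example runs offline.

```python
import base64
import hashlib
import secrets
import time
from dataclasses import dataclass, field


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


@dataclass
class AuthorizationServer:
    """In-memory authorization server; every identifier is constructed for the demo."""
    clients: dict                                   # client_id -> (client_secret, redirect_uri)
    codes: dict = field(default_factory=dict)       # single-use authorization codes
    access_tokens: dict = field(default_factory=dict)
    refresh_tokens: dict = field(default_factory=dict)

    def authorize(self, client_id, redirect_uri, scope, state, code_challenge, user):
        # The resource owner has already authenticated and consented; OAuth only
        # delegates access, so user authentication sits outside this method.
        if self.clients.get(client_id, (None, None))[1] != redirect_uri:
            raise ValueError("unknown client or redirect_uri mismatch")
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri, "scope": scope,
                            "user": user, "challenge": code_challenge, "expires": time.time() + 60}
        return {"code": code, "state": state}       # parameters of the redirect back to the client

    def token(self, grant_type, client_id, client_secret, **p):
        secret = self.clients.get(client_id, (None, None))[0]
        if secret is None or not secrets.compare_digest(secret, client_secret):
            raise ValueError("invalid_client")
        if grant_type == "authorization_code":
            rec = self.codes.pop(p["code"], None)   # pop: a code can be redeemed only once
            if (rec is None or rec["client_id"] != client_id
                    or rec["redirect_uri"] != p["redirect_uri"] or time.time() > rec["expires"]):
                raise ValueError("invalid_grant")
            # PKCE: S256(code_verifier) must equal the challenge sent to /authorize
            if _b64url(hashlib.sha256(p["code_verifier"].encode("ascii")).digest()) != rec["challenge"]:
                raise ValueError("invalid_grant")
            return self._issue(rec["user"], client_id, rec["scope"])
        if grant_type == "refresh_token":
            rec = self.refresh_tokens.pop(p["refresh_token"], None)   # rotation: old token dies
            if rec is None or rec["client_id"] != client_id:
                raise ValueError("invalid_grant")
            return self._issue(rec["user"], client_id, rec["scope"])
        raise ValueError("unsupported_grant_type")

    def _issue(self, user, client_id, scope):
        access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.access_tokens[access] = {"user": user, "client_id": client_id, "scope": scope,
                                      "expires": time.time() + 3600}
        self.refresh_tokens[refresh] = {"user": user, "client_id": client_id, "scope": scope}
        return {"access_token": access, "token_type": "Bearer", "expires_in": 3600,
                "refresh_token": refresh, "scope": scope}

    def introspect(self, access_token):
        """What a resource server asks before serving a request carrying an opaque token."""
        rec = self.access_tokens.get(access_token)
        if rec is None or time.time() > rec["expires"]:
            return {"active": False}
        return {"active": True, "sub": rec["user"], "client_id": rec["client_id"], "scope": rec["scope"]}


# Constructed client registration (assumption for the demo).
CLIENT_ID, CLIENT_SECRET, REDIRECT_URI = "web-app", "web-app-secret", "https://app.example/callback"


def make_demo_server():
    return AuthorizationServer(clients={CLIENT_ID: (CLIENT_SECRET, REDIRECT_URI)})


def run_authorization_code_flow(srv, user="alice", scope="read:profile"):
    """Client side of the grant, including the checks the client itself is responsible for."""
    state = secrets.token_urlsafe(16)                    # ties the callback to this session
    verifier = secrets.token_urlsafe(32)                 # PKCE secret that never leaves the client
    challenge = _b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    callback = srv.authorize(CLIENT_ID, REDIRECT_URI, scope, state, challenge, user)
    if not secrets.compare_digest(callback["state"], state):
        raise ValueError("state mismatch: callback not tied to our request")
    tokens = srv.token("authorization_code", CLIENT_ID, CLIENT_SECRET,
                       code=callback["code"], redirect_uri=REDIRECT_URI, code_verifier=verifier)
    try:   # redeeming the same code again must fail: it was consumed above
        srv.token("authorization_code", CLIENT_ID, CLIENT_SECRET,
                  code=callback["code"], redirect_uri=REDIRECT_URI, code_verifier=verifier)
        code_reuse_rejected = False
    except ValueError:
        code_reuse_rejected = True
    return {"tokens": tokens, "code_reuse_rejected": code_reuse_rejected}


def refresh(srv, refresh_token):
    """Client renewing access once the access token has expired; returns the new token set."""
    return srv.token("refresh_token", CLIENT_ID, CLIENT_SECRET, refresh_token=refresh_token)


if __name__ == "__main__":
    server = make_demo_server()
    first = run_authorization_code_flow(server)
    print("introspection:", server.introspect(first["tokens"]["access_token"]))
    second = refresh(server, first["tokens"]["refresh_token"])
    print("new access token issued:", second["access_token"] != first["tokens"]["access_token"])
```

Two properties worth noticing: the authorization code is popped from the server's store on first redemption, so a replayed code is rejected, and each refresh rotates the refresh token, so a leaked old refresh token is useless once the legitimate client has renewed.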
