A few key points to remember
- Protocol for token-based authorization
- Delegates access without sharing credentials: a client is granted permission to perform certain actions on behalf of a user
- Technically, OAuth does not authenticate the user. The user must already be authenticated before an access token is issued. (Note: most deployments implement both together, and the concepts of authentication and authorization are often confused.)
- Can use third-party OAuth providers, e.g. Google, Facebook, GitHub, or your own OAuth server
Key Roles to Remember
Client
Authorization Server
Resource Owner
Resource Server
Key Words / Terms
- Access Token - an opaque random string, not human-readable
- Refresh Token - similar in form to an access token; used to obtain a new access token when the current one expires
- Client ID / Secret - identify the app/client
- Scope - the permissions granted
- JWT - the most widely used mechanism for passing information between services. Supports encryption.
Grant Types
Authorization Code
Client Credentials
Implicit
Password
Device Code
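An added example (not from the original post) that models the Authorization Code grant from the list above in memory, tying together the four roles and the terms (client id/secret, access and refresh tokens, scope). All client ids, secrets, users and scope names are constructed for the demo.

```python
# Added example (not from the original post): an in-memory model of the OAuth 2.0
# authorization code grant; client ids, secrets, users and scopes are constructed.
import secrets
import time

class AuthorizationServer:
    def __init__(self, clients, ttl=3600):
        self.clients = clients  # client_id -> client_secret
        self.ttl = ttl
        self.codes, self.access, self.refresh = {}, {}, {}

    def authorize(self, client_id, user, scope):
        # The resource owner is already authenticated by this server and consents
        # to `scope`; OAuth delegates access, it does not log the user in.
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, user, frozenset(scope))
        return code

    def token(self, client_id, client_secret, code):
        # The client proves its identity with id/secret, then trades the code.
        if self.clients.get(client_id) != client_secret:
            raise PermissionError("invalid client credentials")
        entry = self.codes.pop(code, None)  # single use
        if entry is None or entry[0] != client_id:
            raise PermissionError("unknown, used or mismatched code")
        return self._issue(entry[1], entry[2])

    def _issue(self, user, scope):
        # Tokens are opaque random strings; only this server maps them back.
        access, refresh = secrets.token_urlsafe(24), secrets.token_urlsafe(24)
        self.access[access] = (user, scope, time.time() + self.ttl)
        self.refresh[refresh] = (user, scope)
        return {"access_token": access, "refresh_token": refresh, "scope": sorted(scope)}

    def renew(self, refresh):
        entry = self.refresh.pop(refresh, None)  # rotate the refresh token
        if entry is None:
            raise PermissionError("unknown or already used refresh token")
        return self._issue(*entry)

    def introspect(self, access):
        user, scope, exp = self.access.get(access, (None, frozenset(), 0))
        return (user, scope) if time.time() < exp else (None, frozenset())

def get_profile(auth, access):
    # Resource server: authorizes by token scope, never sees user credentials.
    user, scope = auth.introspect(access)
    if "profile:read" not in scope:
        raise PermissionError("insufficient scope or expired token")
    return {"user": user}
```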