OAuth 2.0

Roles
  Resource Owner          The person that owns the data that is to be shared
  Resource Server         The server hosting the resources
  Client Application      Application requesting access to the resources stored in the resource server
  Authorization Server    Server authorizing the client app to access the resources of the resource owner

Grants

Authorization Code Grant (most common; used for Facebook or Google login)

  Flow 1
    Client request
      response_type    with the value "code"
      client_id        client identifier
      redirect_uri     client redirect URI
      scope            space-delimited list of scopes
      state            with a CSRF token
    Server response
      code             authorization code
      state            state parameter sent in the original request

  Flow 2
    Client request
      grant_type       with the value "authorization_code"
      client_id        client identifier
      client_secret    client secret
      redirect_uri     same redirect URI
      code             with the authorization code
    Server response
      token_type       usually the word "Bearer"
      expires_in       integer representing the TTL
      access_token     the access token
      refresh_token    a token that can be used to acquire a new access token
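The two flows of the Authorization Code Grant walked through end to end, as an added example that is not part of the original page. It uses a toy in-memory authorization server and client; the client id, secret, URLs and scopes are constructed placeholders, and the server-side checks shown (redirect_uri must match the registered one, the state CSRF token must match the one the client stored, the code is single-use, short-lived and bound to the client_id and redirect_uri it was issued for, and the client_secret is compared in constant time) are the ones a practitioner would expect a real server and client to make.

```python
"""Authorization Code Grant, Flow 1 + Flow 2, against a toy in-memory
authorization server. Added example; all ids, secrets and URLs are constructed."""
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed registration data; a real server records this when the client is registered.
REGISTERED_CLIENTS = {
    "client-123": {"secret": "s3cr3t", "redirect_uri": "https://app.example/cb"},
}
AUTHZ_URL = "https://auth.example/authorize"   # hypothetical authorization endpoint


class AuthorizationServer:
    """Server side of Flow 1 (issue code) and Flow 2 (exchange code for tokens)."""

    def __init__(self, code_ttl=60):
        self.code_ttl = code_ttl
        self._codes = {}   # code -> (client_id, redirect_uri, scope, issued_at)

    def authorize(self, params):
        """Flow 1: the resource owner has consented, so issue an authorization code."""
        client = REGISTERED_CLIENTS.get(params.get("client_id"))
        if params.get("response_type") != "code" or client is None:
            return {"error": "invalid_request"}
        if params.get("redirect_uri") != client["redirect_uri"]:
            return {"error": "invalid_request"}   # never redirect to an unregistered URI
        code = secrets.token_urlsafe(32)
        self._codes[code] = (params["client_id"], params["redirect_uri"],
                             params.get("scope", ""), time.time())
        # the code and the client's original state go back via the registered redirect URI
        return {"code": code, "state": params.get("state", "")}

    def token(self, params):
        """Flow 2: authenticate the client and swap a one-time code for tokens."""
        client = REGISTERED_CLIENTS.get(params.get("client_id"))
        if client is None or not hmac.compare_digest(params.get("client_secret", ""), client["secret"]):
            return {"error": "invalid_client"}
        if params.get("grant_type") != "authorization_code":
            return {"error": "unsupported_grant_type"}
        entry = self._codes.pop(params.get("code"), None)   # pop: a code is single-use
        if entry is None:
            return {"error": "invalid_grant"}
        code_client, code_redirect, scope, issued_at = entry
        if code_client != params["client_id"] or code_redirect != params.get("redirect_uri"):
            return {"error": "invalid_grant"}   # code is bound to client_id + redirect_uri
        if time.time() - issued_at > self.code_ttl:
            return {"error": "invalid_grant"}   # expired code
        return {"token_type": "Bearer", "expires_in": 3600,
                "access_token": secrets.token_urlsafe(32),
                "refresh_token": secrets.token_urlsafe(32), "scope": scope}


class Client:
    """Client side: build the authorize URL, verify state on callback, exchange the code."""

    def __init__(self, client_id, client_secret, redirect_uri):
        self.client_id, self.client_secret, self.redirect_uri = client_id, client_secret, redirect_uri
        self._pending_state = None   # would live in the user's session in a real app

    def authorize_url(self, scope):
        self._pending_state = secrets.token_urlsafe(16)   # CSRF token for the state parameter
        return AUTHZ_URL + "?" + urlencode({
            "response_type": "code", "client_id": self.client_id,
            "redirect_uri": self.redirect_uri, "scope": scope, "state": self._pending_state})

    def handle_callback(self, callback_url, server):
        """Parse the redirect, check state, then run Flow 2 against the token endpoint."""
        q = {k: v[0] for k, v in parse_qs(urlparse(callback_url).query).items()}
        expected, self._pending_state = self._pending_state, None   # state is single-use too
        if expected is None or not hmac.compare_digest(q.get("state", ""), expected):
            raise ValueError("state mismatch: callback was not started by this session")
        if "code" not in q:
            raise ValueError(q.get("error", "no code in callback"))
        return server.token({
            "grant_type": "authorization_code", "client_id": self.client_id,
            "client_secret": self.client_secret, "redirect_uri": self.redirect_uri,
            "code": q["code"]})


def run_flow(server, client, scope="profile email"):
    """Drive Flow 1 and Flow 2 end to end; returns the token response."""
    url = client.authorize_url(scope)
    req = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    resp = server.authorize(req)                        # user consents at the auth server
    callback = client.redirect_uri + "?" + urlencode(resp)
    return client.handle_callback(callback, server)


if __name__ == "__main__":
    print(run_flow(AuthorizationServer(), Client("client-123", "s3cr3t", "https://app.example/cb")))
```

The server keeps the code in a dictionary keyed by the code itself and removes it on first use, so a replayed exchange fails with `invalid_grant`; the client clears its stored state on the first callback, so a second callback carrying the same state is rejected as well.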
Resource Owner Credentials (Password) Grant (first-party, highly trusted apps)

  Client request
    grant_type       with the value "password"
    client_id        with the client's id
    client_secret    with the client's secret
    scope            space-delimited list of scopes
    username         user's username
    password         user's password
  Server response
    token_type       with the value "Bearer"
    expires_in       integer representing the TTL
    access_token     the access token
    refresh_token    a token that can be used to acquire a new access token

Client Credentials Grant (machine to machine)

  Client request
    grant_type       with the value "client_credentials"
    client_id        with the client's id
    client_secret    with the client's secret
    scope            space-delimited list of scopes
  Server response
    token_type       with the value "Bearer"
    expires_in       integer representing the TTL
    access_token     the access token

Implicit Grant (user-agent or native apps where it is insecure to store the client secret)

  Client request
    response_type    with the value "token"
    client_id        with the client's id
    redirect_uri     client redirect URI
    scope            space-delimited list of scopes
    state            with a CSRF token
  Server response
    token_type       with the value "Bearer"
    expires_in       integer representing the TTL
    access_token     the access token
    state            state parameter sent in the original request

Refresh Token Grant

  Client request
    grant_type       with the value "refresh_token"
    refresh_token    with the refresh token
    client_id        with the client's id
    client_secret    with the client's secret
    scope            space-delimited list of scopes
  Server response
    token_type       with the value "Bearer"
    expires_in       integer representing the TTL
    access_token     the access token
    refresh_token    a refresh token to acquire a new access token

Common fields
  client_id
  client_secret
  authorization_code
  access_token
  scopes (permissions)