[#2][Learning] OAuth Framework - Flow & Implementation

https://www.4rth4s.xyz/2021/02/learning-about-oauth-framework.html [#1]

After having basic overview about Oauth2, we should discuss in details about its flow and how to implement it in several ways. Let's do this .

I. Client Credentials Grant

The Client Credentials grant type is used by clients to obtain an access token outside of the context of a user. This is typically used by clients to access resources about themselves rather than to access a user's resources.

Flow

Implementation 

Server

Postman

II. Authorization Code Grant

The Authorization Code grant type is used by confidential and public clients to exchange an authorization code for an access token. After the user returns to the client via the redirect URL, the application will get the authorization code from the URL and use it to request an access token.It is recommended that all clients use the PKCE extension with this flow as well to provide better security.

 Flow

Implementation 

Server port 8081

- Authorization server: 

- Resource Server

- Protected Resource

Client: port 8082

Oauth Dance:

- First of all, Resource Owner interact with client. He want to delegate limited permission to client.

- After clicking authorize button, he is redirected to Authorization Server login page. Client send a request to Authorization Server with neccessary parameters.

- Resource Owner input his credentials to Authorization Server, prove that he is the owner and he permit the client access to his resource. If success, he is redirected with Authorizaton code. this Authorization code will be stored in each client's request. With this authorization code, the Client will receive an access token from server. 

This below "code" parameter is Authorization_code. After request to server, the server will give access token to client. Client take it and continue access to Protected Resource

- Client access to Resource Server succesfully with access token

 Postman

Happy Learning !