Authorization code flow

3-legged OAuth

  • All three involved actors (resource owner, client, OAuth server) are authenticated during the flow.

OAuth server authenticates the resource owner

  • Username + password or other means.

OAuth server authenticates the client

  • ClientID + ClientSecret, sent to the token endpoint with HTTP Basic authentication.

Client authenticates the OAuth server

  • TLS server certificate, validated against the OAuth server URL.

Requirements

  • Confidential application types (server-side clients able to keep the ClientSecret private).

  • Secure storage for tokens, ClientID and ClientSecret.

Setup

  • Client registration in the OAuth server.

    • Client receives ClientID and ClientSecret.

    • Not specified by OAuth (registration is out of the protocol's scope).

Resource owner uses a server-based Web App

  • The client.

The client uses the resource server API to get a resource

  • The resource server rejects the request (no access token), and the client redirects the resource owner's browser to the OAuth server's authorization endpoint.

The OAuth server authenticates the resource owner

  • And redirects the browser back to the client's registered redirect URI with an authorization grant (the authorization code).

The client gets an access token from the OAuth server

  • Using its own credentials (ClientID + ClientSecret), so only the registered client can redeem the grant.

  • Using its authorization grant (the code is single use and bound to the client and redirect URI).

The client uses again the resource server API to get a resource

  • This time presenting the access token (Authorization: Bearer header).
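The whole exchange above, simulated in one process as an added example (not code from the original page): an in-memory OAuth server, a resource server and a server-side web app client. Endpoint and redirect URLs (https://oauth.example/authorize, https://app.example/callback) are assumed names; the "alice" login is constructed. The server authenticates the client with HTTP Basic, redeems each code only once and binds it to the client and redirect URI; the client binds the callback to its session with a state value.

```python
import base64
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_URL = "https://oauth.example/authorize"  # assumed endpoint name


class OAuthServer:
    """Authorization server: registers clients, issues codes and tokens."""

    def __init__(self):
        self.clients = {}  # client_id -> {"secret": ..., "redirect_uri": ...}
        self.codes = {}    # authorization code -> grant details (single use)
        self.tokens = {}   # access token -> resource owner

    def register_client(self, redirect_uri):
        # Setup step, outside the OAuth spec: the client receives ClientID + ClientSecret.
        client_id, client_secret = secrets.token_urlsafe(8), secrets.token_urlsafe(24)
        self.clients[client_id] = {"secret": client_secret, "redirect_uri": redirect_uri}
        return client_id, client_secret

    def authorize(self, query, resource_owner):
        # resource_owner was already authenticated (username + password) and gave consent.
        q = {k: v[0] for k, v in parse_qs(query).items()}
        client = self.clients.get(q.get("client_id"))
        if client is None or client["redirect_uri"] != q.get("redirect_uri"):
            raise ValueError("unknown client or unregistered redirect_uri")
        code = secrets.token_urlsafe(16)
        self.codes[code] = {"client_id": q["client_id"], "redirect_uri": q["redirect_uri"],
                            "user": resource_owner}
        # The grant goes back through the browser redirect, echoing the client's state.
        return q["redirect_uri"] + "?" + urlencode({"code": code, "state": q["state"]})

    def token(self, authorization_header, form):
        # Client authentication: "ClientID:ClientSecret" via HTTP Basic.
        scheme, _, b64 = authorization_header.partition(" ")
        try:
            client_id, _, client_secret = base64.b64decode(b64).decode().partition(":")
        except Exception:
            return 401, {"error": "invalid_client"}
        client = self.clients.get(client_id)
        if scheme != "Basic" or client is None or \
                not hmac.compare_digest(client["secret"].encode(), client_secret.encode()):
            return 401, {"error": "invalid_client"}
        if form.get("grant_type") != "authorization_code":
            return 400, {"error": "unsupported_grant_type"}
        grant = self.codes.pop(form.get("code", ""), None)  # pop: a code is redeemed once
        if grant is None or grant["client_id"] != client_id or \
                grant["redirect_uri"] != form.get("redirect_uri"):
            return 400, {"error": "invalid_grant"}
        token = secrets.token_urlsafe(24)
        self.tokens[token] = grant["user"]
        return 200, {"access_token": token, "token_type": "Bearer"}

    def owner_of(self, token):
        return self.tokens.get(token)


class ResourceServer:
    def __init__(self, oauth):
        self.oauth = oauth

    def get_profile(self, authorization_header=""):
        scheme, _, token = authorization_header.partition(" ")
        user = self.oauth.owner_of(token) if scheme == "Bearer" else None
        if user is None:
            return 401, {"error": "invalid_token"}  # client must obtain a token first
        return 200, {"user": user}


class WebAppClient:
    def __init__(self, oauth, resource_server, client_id, client_secret, redirect_uri):
        self.oauth, self.rs = oauth, resource_server
        self.client_id, self.client_secret, self.redirect_uri = client_id, client_secret, redirect_uri
        self.state, self.access_token = None, None

    def authorization_request(self):
        # state ties the later callback to this browser session (CSRF protection).
        self.state = secrets.token_urlsafe(16)
        return AUTHORIZE_URL + "?" + urlencode({"response_type": "code", "client_id": self.client_id,
                                                "redirect_uri": self.redirect_uri, "state": self.state})

    def handle_callback(self, redirect_url):
        q = {k: v[0] for k, v in parse_qs(urlparse(redirect_url).query).items()}
        if not hmac.compare_digest(q.get("state", "").encode(), (self.state or "").encode()):
            raise ValueError("state mismatch: possible CSRF")
        return self.redeem(q["code"], self.client_secret)

    def redeem(self, code, secret):
        basic = base64.b64encode(f"{self.client_id}:{secret}".encode()).decode()
        status, body = self.oauth.token("Basic " + basic, {"grant_type": "authorization_code",
                                                            "code": code, "redirect_uri": self.redirect_uri})
        if status == 200:
            self.access_token = body["access_token"]
        return status, body

    def fetch_profile(self):
        header = "Bearer " + self.access_token if self.access_token else ""
        return self.rs.get_profile(header)


def run_flow():
    """Drive the full exchange and return the observations worth checking."""
    oauth = OAuthServer()
    rs = ResourceServer(oauth)
    cid, csec = oauth.register_client("https://app.example/callback")  # setup
    app = WebAppClient(oauth, rs, cid, csec, "https://app.example/callback")
    out = {"before": app.fetch_profile()[0]}                        # 401: no token yet
    callback = oauth.authorize(urlparse(app.authorization_request()).query, "alice")
    try:                                                            # forged state is refused
        app.handle_callback(callback.replace(app.state, "forged"))
        out["csrf"] = "accepted"
    except ValueError:
        out["csrf"] = "rejected"
    out["token"] = app.handle_callback(callback)[0]                 # 200: code exchanged for token
    out["after"] = app.fetch_profile()                              # (200, {"user": "alice"})
    code = parse_qs(urlparse(callback).query)["code"][0]
    out["replay"] = app.redeem(code, csec)[1]["error"]              # invalid_grant: code already used
    out["bad_secret"] = app.redeem(code, "wrong")[1]["error"]       # invalid_client
    return out
```

The three dictionaries on the server stand in for persistent storage; in a real deployment the code store also needs an expiry (codes are meant to live for minutes), the ClientSecret is stored hashed, and every leg of the exchange runs over TLS so the client can verify the server's certificate.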
