search

Code flow

hashtag
3-legged OAuth

  • Enables checking the identity of the 3 involved actors.

hashtag
OAuth server authenticates the resource owner

  • Username + password or other means.

hashtag
OAuth server authenticates the client

  • ClientID + ClientSecret + HTTP basic authorization.

hashtag
Client authenticates the OAuth server

  • Certificate + URL.

hashtag
Requirements

  • Confidential application types.

  • Secure storage for tokens, ClientID and ClientSecret.

hashtag
Setup

  • Client registration in the OAuth server.

    • Client receives ClientID and ClientSecret.

    • Not regulated by OAuth.

hashtag
Resource owner uses a server-based Web App

  • The client.

hashtag
The client uses the resource server API to get a resource

  • The resource server redirects the client to the OAuth server.

hashtag
The OAuth server authenticates the resource owner

  • And sends an authorization grant to the client.

hashtag
The client gets an access token from the OAuth server

  • Using its credentials (to have access permission).

  • Using its authorization grant.

hashtag
The client uses again the resource server API to get a resource

  • This time providing an access token.

Last updated