OAuth 2.0 Overview
RFC 6749, which specifies how OAuth 2.0 works, can be a bit hard to read, so I asked our friend ChatGPT to summarize the different endpoints and the authentication flows. Here it goes:
OAuth 2.0 Authorization Framework Overview
Section | Description |
---|---|
1. Introduction | Overview of OAuth 2.0 framework, its purpose, and background. |
1.1. Roles | Defines four roles: resource owner, resource server, client, and authorization server. |
1.2. Protocol Flow | Describes the interaction between the four roles using an abstract protocol flow. |
1.3. Authorization Grant | Explains the four types of authorization grants: authorization code, implicit, resource owner password credentials, and client credentials. |
3. Protocol Endpoints | Describes three endpoints: Authorization, Token, and Redirection endpoints. |
4. Obtaining Authorization | Details the process of obtaining authorization through different grant types. |
OAuth 2.0 Protocol Endpoints and Parameters
Authorization Endpoint
Description
The Authorization Endpoint is used by the client to obtain authorization from the resource owner via user-agent redirection.
Parameters
- response_type: Indicates the type of authorization request. Must be either `code` for the authorization code grant or `token` for the implicit grant.
- client_id: The client identifier issued during the client registration process.
- redirect_uri: The URI to which the authorization server will send the user-agent back once the access is granted or denied.
- scope: The scope of the access request. Defines the permissions requested by the client.
- state: An opaque value used by the client to maintain state between the request and callback. It is used for preventing cross-site request forgery.
Token Endpoint
Description
The Token Endpoint is used by the client to exchange an authorization grant for an access token. This typically involves client authentication.
Parameters
- grant_type: Specifies the type of grant being used. Set to `authorization_code` for the authorization code grant or `refresh_token` for refreshing an access token (the resource owner password credentials and client credentials grants described below use their own grant_type values).
- code: The authorization code received from the authorization server.
- redirect_uri: The same redirect URI used in the authorization request, if provided.
- client_id: The client identifier, required if the client is not authenticating with the authorization server.
- client_secret: The client secret, required if the client is confidential and authenticating with the authorization server.
Redirection Endpoint
Description
The Redirection Endpoint is used by the authorization server to return responses containing authorization credentials to the client via the resource owner's user-agent.
Parameters
There are no parameters for the Redirection Endpoint itself as it is simply a URI that the authorization server uses to send the authorization credentials to the client. However, the response sent to this endpoint includes parameters.
Response Parameters
- code: The authorization code generated by the authorization server. Used in authorization code grant.
- access_token: The access token issued by the authorization server. Used in implicit grant.
- token_type: The type of the token issued.
- expires_in: The lifetime in seconds of the access token.
- scope: The scope of the access token if different from the one requested by the client.
- state: The state parameter included in the client authorization request.
Detailed Table of Endpoints and Parameters
Endpoint | Parameter | Description |
---|---|---|
Authorization Endpoint | response_type | Indicates the type of authorization request (`code` for authorization code grant, `token` for implicit grant). |
Authorization Endpoint | client_id | The client identifier issued during the client registration process. |
Authorization Endpoint | redirect_uri | The URI to which the authorization server will send the user-agent back once access is granted or denied. |
Authorization Endpoint | scope | The scope of the access request, defining permissions requested by the client. |
Authorization Endpoint | state | An opaque value used to maintain state between the request and callback, preventing cross-site request forgery. |
Token Endpoint | grant_type | Specifies the type of grant being used (`authorization_code` for authorization code grant, `refresh_token` for refreshing an access token). |
Token Endpoint | code | The authorization code received from the authorization server. |
Token Endpoint | redirect_uri | The same redirect URI used in the authorization request, if provided. |
Token Endpoint | client_id | The client identifier, required if the client is not authenticating with the authorization server. |
Token Endpoint | client_secret | The client secret, required if the client is confidential and authenticating with the authorization server. |
Redirection Endpoint | code | The authorization code generated by the authorization server. Used in authorization code grant. |
Redirection Endpoint | access_token | The access token issued by the authorization server. Used in implicit grant. |
Redirection Endpoint | token_type | The type of the token issued. |
Redirection Endpoint | expires_in | The lifetime in seconds of the access token. |
Redirection Endpoint | scope | The scope of the access token if different from the one requested by the client. |
Redirection Endpoint | state | The state parameter included in the client authorization request. |
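As an added example (not part of the original post or of RFC 6749), here is a minimal Python client that builds the authorization request described above and then validates the redirect back to the redirection endpoint: the callback is tied to an outstanding request through `state`, the redirect must land on the registered `redirect_uri`, and either a `code` in the query string (authorization code grant) or an `access_token` in the URI fragment (implicit grant) is accepted. The endpoint URL, client_id and redirect_uri are constructed placeholders.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed, hypothetical registration values (not from the page).
AUTHZ_ENDPOINT = "https://as.example/authorize"
CLIENT_ID = "demo-client"
REDIRECT_URI = "https://client.example/cb"

def build_authorization_request(response_type, scope, pending):
    """Build the authorization endpoint URL for response_type 'code' or 'token'.
    A fresh unguessable state is stored in `pending` so the callback can be
    tied back to this request (the CSRF defence the state parameter exists for)."""
    if response_type not in ("code", "token"):
        raise ValueError("response_type must be 'code' or 'token'")
    state = secrets.token_urlsafe(32)
    pending[state] = response_type
    params = {"response_type": response_type, "client_id": CLIENT_ID,
              "redirect_uri": REDIRECT_URI, "scope": scope, "state": state}
    return f"{AUTHZ_ENDPOINT}?{urlencode(params)}", state

def handle_redirect(callback_url, pending):
    """Parse the authorization server's redirect to the redirection endpoint.
    The code grant returns `code` in the query; the implicit grant returns
    `access_token` (or an error) in the URI fragment. Either way the state must
    match an outstanding request and is consumed, so a replayed or forged
    callback fails."""
    parts = urlsplit(callback_url)
    if f"{parts.scheme}://{parts.netloc}{parts.path}" != REDIRECT_URI:
        raise ValueError("redirect arrived at an unregistered URI")
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    fragment = {k: v[0] for k, v in parse_qs(parts.fragment).items()}
    params = fragment if parts.fragment else query
    response_type = pending.pop(params.get("state"), None)
    if response_type is None:
        raise ValueError("unknown or reused state: possible CSRF")
    if "error" in params:
        return {"error": params["error"]}
    if response_type == "code":
        return {"code": params["code"]}
    return {"access_token": params["access_token"],
            "token_type": params.get("token_type"),
            "expires_in": params.get("expires_in")}
```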
OAuth 2.0 Protocol Authentication Flows
1. Authorization Code Grant
Description
The authorization code grant type is used to obtain both access tokens and refresh tokens and is optimized for confidential clients. This flow involves the client directing the resource owner to the authorization server, which then redirects back to the client with an authorization code.
Steps
- Client requests authorization: The client directs the resource owner to the authorization server with a request containing the client identifier, requested scope, state, and redirection URI.
- Resource owner grants authorization: The authorization server authenticates the resource owner and asks for authorization.
- Authorization server issues code: If the resource owner grants access, the authorization server redirects the user-agent back to the client with an authorization code.
- Client requests access token: The client requests an access token from the authorization server by presenting the authorization code, client credentials, and the redirection URI.
- Authorization server issues token: The authorization server authenticates the client and issues an access token and, optionally, a refresh token.
2. Implicit Grant
Description
The implicit grant type is used to obtain access tokens directly and is optimized for public clients, such as those running in a browser using JavaScript. This flow involves fewer steps and does not include client authentication.
Steps
- Client requests authorization: The client directs the resource owner to the authorization server with a request containing the client identifier, requested scope, state, and redirection URI.
- Resource owner grants authorization: The authorization server authenticates the resource owner and asks for authorization.
- Authorization server issues token: If the resource owner grants access, the authorization server redirects the user-agent back to the client with an access token included in the URI fragment.
3. Resource Owner Password Credentials Grant
Description
The resource owner password credentials grant type is used when the resource owner has a high degree of trust in the client and can provide their username and password directly to the client, which then exchanges these credentials for an access token.
Steps
- Client requests access token: The client requests an access token from the authorization server by including the resource owner's credentials (username and password).
- Authorization server issues token: The authorization server authenticates the client and the resource owner, and if valid, issues an access token.
4. Client Credentials Grant
Description
The client credentials grant type is used when the client is acting on its own behalf, typically to access resources or services it controls rather than a resource owner's.
Steps
- Client requests access token: The client requests an access token from the authorization server by presenting its client credentials.
- Authorization server issues token: The authorization server authenticates the client and, if valid, issues an access token.
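To show the token endpoint side of the authorization code grant and the client credentials grant described above, here is an added Python example (not code from the original post or from RFC 6749). The authorization server issues a short-lived code bound to the client and redirect_uri, authenticates confidential clients with HTTP Basic credentials, and rejects replayed, expired, mis-bound or foreign codes with `invalid_grant`; client registrations, secrets and scopes are constructed placeholders, and `now` is passed in explicitly so the expiry check is testable.

```python
import base64
import secrets

# Constructed, hypothetical client registrations (not from the page).
CLIENTS = {
    "web-app": {"secret": "s3cret", "grants": {"authorization_code"}},
    "batch-job": {"secret": "j0bsecret", "grants": {"client_credentials"}},
}
ISSUED_CODES = {}  # code -> binding to client_id, redirect_uri, scope, expiry

def basic_auth_header(client_id, client_secret):
    """Client side: HTTP Basic client authentication for the token endpoint."""
    raw = f"{client_id}:{client_secret}".encode()
    return {"Authorization": "Basic " + base64.b64encode(raw).decode()}

def issue_code(client_id, redirect_uri, scope, now):
    """Authorization side: mint a single-use code bound to client, redirect_uri and expiry."""
    code = secrets.token_urlsafe(24)
    ISSUED_CODES[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                          "scope": scope, "expires": now + 60}
    return code

def authenticate_client(headers):
    """Return the client_id if the Basic credentials match a registered client."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return None
    cid, _, secret = base64.b64decode(auth[6:]).decode().partition(":")
    client = CLIENTS.get(cid)
    return cid if client and secrets.compare_digest(secret, client["secret"]) else None

def token_endpoint(headers, form, now):
    """Token endpoint: returns (HTTP status, JSON body) for a form-encoded token request."""
    client_id = authenticate_client(headers)
    if client_id is None:
        return 401, {"error": "invalid_client"}
    grant = form.get("grant_type")
    if grant not in CLIENTS[client_id]["grants"]:
        return 400, {"error": "unauthorized_client"}
    if grant == "authorization_code":
        # pop() makes the code single use; it must also be unexpired and bound to this client and redirect_uri
        rec = ISSUED_CODES.pop(form.get("code"), None)
        if (rec is None or rec["expires"] < now or rec["client_id"] != client_id
                or rec["redirect_uri"] != form.get("redirect_uri")):
            return 400, {"error": "invalid_grant"}
        scope = rec["scope"]
    else:  # client_credentials: the client acts on its own behalf, no code involved
        scope = form.get("scope", "")
    return 200, {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                 "expires_in": 3600, "scope": scope}
```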
Detailed Overview of Authentication Flows
Flow | Description | Steps |
---|---|---|
Authorization Code Grant | Used for obtaining both access and refresh tokens, optimized for confidential clients. | 1. Client requests authorization. <br> 2. Resource owner grants authorization. <br> 3. Authorization server issues code. <br> 4. Client requests access token. <br> 5. Authorization server issues token. |
Implicit Grant | Used for obtaining access tokens directly, optimized for public clients (e.g., JavaScript applications). | 1. Client requests authorization. <br> 2. Resource owner grants authorization. <br> 3. Authorization server issues token. |
Resource Owner Password Credentials Grant | Used when the resource owner has a high degree of trust in the client and provides their credentials directly to it. | 1. Client requests access token. <br> 2. Authorization server issues token. |
Client Credentials Grant | Used when the client is acting on its own behalf or accessing resources it controls. | 1. Client requests access token. <br> 2. Authorization server issues token. |