OAuth in its various versions is the gold standard for Authorization (and usingOpenID Connect for Authentication as well). There are plenty of introductions around explaining OAuth. My favorite HTTP tool Postman makes it really simple to obtain access via OAuth.
Nevertheless all those explanations are quite high level, so I wondered what happens on the wire for the getToken part so I started digging. This is what I found. Nota bene: There is no inherit security in OAuth if you don't use https.
- Authorization server: server to interact with to get an authorization
- Client identifier (ClientID): "userid" of the application
- Client Secret: "password" of the application
- A user
I'm not looking at the Resource Server here - it only comes into play before or after the actual token process.
The Form-Post Flow
There are several flows available to pick from. I'm looking at the Form-Post flow where user credentials are passed to the authentication server to obtain access and refresh tokens.
For this flow we need to post a HTTP form to the authorization server. The post has 2 parts: Header and body. A request looks like this:
POST /yourOAuthEndPoint HTTP/1.1
Accept-Encoding: gzip, deflate
Authorization: Basic Y2xpZW50aWQ6Y2xpZW50c2VjcmV0
Authorization header is just as Base64version of
clientid:clientsecret - you have t replace it with your actual info
- Content-Type must be
- The body is just one line with no spaces, I split it only for readability
- scope is a encoded list the + signs are actually spaces. Keeping that in mind you want to keep the server side scope names simple
- You need to repeat the clientid as header value
As a result you get back a JSON structure with authorization information. It can look like this:
The result is easy to understand:
expires_in: Duration for the access token in seconds
Bearer denotes that you call your resource server with a header value of
Authorization: Bearer wildStringForAccess
As usual YMMV