OAuth 2.0: Difference between revisions

From bibbleWiki
Jump to navigation Jump to search
Newer edit →
VisualWikitext
Created page with "=Introduction= ==History== Previously we used *XML *SOAP *SAML or WS-* Now we Use *JSON *HTTP APIs *OAuth and OpenID Connect ==Credential Sharing== Previously we used to use c..."
 
Line 32: Line 32:
*Authorization Server
*Authorization Server
Here is the flow for OAuth 2.0
Here is the flow for OAuth 2.0
[[File:OAuth Flow.png|500px]]<br>
[[File:OAuth Flow2.png|500px]]<br>
How the API trusts the access token is out of scope for OAuth but if is up to the Protected Resource to do this before sending the response.

Revision as of 08:27, 17 July 2021

Introduction

History

Previously we used

  • XML
  • SOAP
  • SAML or WS-*

Now we Use

  • JSON
  • HTTP APIs
  • OAuth and OpenID Connect

Credential Sharing

Previously we used to use credential Sharing. E.g. Problems with this are

  • We can impersonate the use
  • Issues around revocation
  • Exposed user credentials

Cookies

Next solution was cookies but CSRF and XSRF attacks were common.

API Key

Next API Key, this works well accept for where the app has no backend. E.g. Single Page App.

  • API Keys have no standard
  • Expiration management

OAuth 2.0

Features include

  • Authorization framework
  • Built for HTTP APIs
  • Scoped access (User defined what can be used)
  • Delegation Protocol

Players include

  • Protected Resource (Our API)
  • Client (requesting application)
  • Resource Owner (the user)
  • Authorization Server

Here is the flow for OAuth 2.0
How the API trusts the access token is out of scope for OAuth but if is up to the Protected Resource to do this before sending the response.

Retrieved from "https://www.bibble.co.nz/mediawiki/index.php?title=OAuth_2.0&oldid=5244"