OAuth 2.0

From bibbleWiki

Revision as of 08:24, 17 July 2021 by Iwiseman (talk | contribs) (Created page with "=Introduction= ==History== Previously we used *XML *SOAP *SAML or WS-* Now we Use *JSON *HTTP APIs *OAuth and OpenID Connect ==Credential Sharing== Previously we used to use c...")

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

Jump to navigation Jump to search

Introduction

History

Previously we used

XML
SOAP
SAML or WS-*

Now we Use

JSON
HTTP APIs
OAuth and OpenID Connect

Credential Sharing

Previously we used to use credential Sharing. E.g. Problems with this are

We can impersonate the use
Issues around revocation
Exposed user credentials

Cookies

Next solution was cookies but CSRF and XSRF attacks were common.

API Key

Next API Key, this works well accept for where the app has no backend. E.g. Single Page App.

API Keys have no standard
Expiration management

OAuth 2.0

Features include

Authorization framework
Built for HTTP APIs
Scoped access (User defined what can be used)
Delegation Protocol

Players include

Protected Resource (Our API)
Client (requesting application)
Resource Owner (the user)
Authorization Server

Here is the flow for OAuth 2.0

Retrieved from "https://www.bibble.co.nz/mediawiki/index.php?title=OAuth_2.0&oldid=5242"