From the course: Web Security: OAuth and OpenID Connect (2019)

OAuth 2.0 fundamentals

Now that we've drawn some boundaries around what OAuth is and isn't, let's get into the mechanics of how it actually operates. Earlier, I used the analogy of a hotel key card. Let's continue with that to lay out and describe the major components. You're the client, the front desk is the authorization server, the key card itself is the access token, and your room is a resource. But like any analogy, we left out a few parts to make it more easily understood. Let's go ahead and add those concepts back now.

First, we have the aspect of scopes. A scope is a permission the client can request and be granted or denied. In our hotel example, the scopes available are your room, the pool, the executive lounge, and numerous other things. But just like any permission, just because the scope is available doesn't mean you're allowed to have it.

Next, when you're granted a set of scopes, you're issued an access token. That access token is the hotel key card that gives you access now, for a set period. Next, we have the refresh token, which gives you a new access token once the original expires. In terms of the mechanics of OAuth, you take that refresh token back to the authorization server and request a new access token, and it can grant or deny that based on your permissions.

The final aspect is how we request and receive that token in the first place. That's called a grant type, or a flow. There are four grant types defined in the base OAuth specification: Authorization Code, Implicit, Client Credentials, and Resource Owner Password. Each is used in a different context, and we'll cover each in greater detail. But generally, Authorization Code is used for back-end web apps. Implicit was previously used for JavaScript or mobile apps, but has generally been deprecated in favor of Authorization Code with PKCE. Next, the Client Credentials flow is used for microservices or service accounts, where there isn't a user involved. And finally, the Resource Owner Password flow. Well, that shouldn't really be used very often at all. Don't worry, we'll go into each of those in detail. But first, let's cover the endpoints we have to understand before we can work through each of those flows.
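To make the moving parts above concrete, here is an added example (not code from the course) that models a toy authorization server in Python: a registered client with a fixed set of allowed scopes, a user who approves only some of the requested scopes, an access token that expires after a set period, a refresh token that is exchanged for a new access token, and a client-credentials request that gets no refresh token because no user is involved. The client registry, secret, token lifetime, and the hotel scopes are constructed assumptions for the demo; the error strings follow the RFC 6749 error codes.

```python
import secrets
import time

# Constructed client registry (demo assumption): the scopes each registered
# client may ever be granted.  Hotel analogy: room, pool (no executive lounge).
CLIENTS = {
    "hotel-app": {"secret": "constructed-secret", "allowed_scopes": {"room", "pool"}},
}
ACCESS_TOKEN_TTL = 3600  # seconds an access token stays valid (demo value)

# In-memory stores keyed by opaque code / token strings.
_codes, _access, _refresh = {}, {}, {}


class OAuthError(Exception):
    """Carries an RFC 6749 error code such as invalid_scope or invalid_grant."""


def _authenticate(client_id, client_secret):
    client = CLIENTS.get(client_id)
    if client is None or not secrets.compare_digest(client["secret"], client_secret):
        raise OAuthError("invalid_client")
    return client


def authorize(client_id, requested_scopes, user_approved_scopes):
    """Authorization endpoint: the user approves a subset of the requested
    scopes and the client receives a single-use authorization code."""
    client = CLIENTS.get(client_id)
    if client is None:
        raise OAuthError("invalid_client")
    requested = set(requested_scopes)
    if not requested <= client["allowed_scopes"]:
        raise OAuthError("invalid_scope")  # asked for a scope it may never hold
    granted = requested & set(user_approved_scopes)
    if not granted:
        raise OAuthError("access_denied")
    code = secrets.token_urlsafe(16)
    _codes[code] = {"client_id": client_id, "scope": granted}
    return code


def _issue(client_id, scope, now, with_refresh):
    """Mint an access token (and optionally a refresh token) for the scope set."""
    access = secrets.token_urlsafe(24)
    _access[access] = {"client_id": client_id, "scope": scope, "exp": now + ACCESS_TOKEN_TTL}
    response = {"access_token": access, "token_type": "Bearer",
                "expires_in": ACCESS_TOKEN_TTL, "scope": " ".join(sorted(scope))}
    if with_refresh:
        refresh = secrets.token_urlsafe(24)
        _refresh[refresh] = {"client_id": client_id, "scope": scope}
        response["refresh_token"] = refresh
    return response


def token(grant_type, client_id, client_secret, now=None, **params):
    """Token endpoint for three of the grant types named in the transcript."""
    now = time.time() if now is None else now
    client = _authenticate(client_id, client_secret)
    if grant_type == "authorization_code":
        record = _codes.pop(params.get("code"), None)  # codes are single use
        if record is None or record["client_id"] != client_id:
            raise OAuthError("invalid_grant")
        return _issue(client_id, record["scope"], now, with_refresh=True)
    if grant_type == "refresh_token":
        record = _refresh.get(params.get("refresh_token"))
        if record is None or record["client_id"] != client_id:
            raise OAuthError("invalid_grant")
        # Permissions are re-checked: a scope the client has since lost is dropped.
        scope = record["scope"] & client["allowed_scopes"]
        if not scope:
            raise OAuthError("invalid_grant")
        # This demo keeps the original refresh token; a real server may rotate it.
        return _issue(client_id, scope, now, with_refresh=False)
    if grant_type == "client_credentials":
        scope = set(params.get("scope", "").split()) or client["allowed_scopes"]
        if not scope <= client["allowed_scopes"]:
            raise OAuthError("invalid_scope")
        # No user is involved, so no refresh token is issued (RFC 6749 section 4.4.3).
        return _issue(client_id, scope, now, with_refresh=False)
    raise OAuthError("unsupported_grant_type")


def access_resource(access_token, required_scope, now=None):
    """Resource server check: the token must exist, be unexpired, and carry the scope."""
    now = time.time() if now is None else now
    record = _access.get(access_token)
    if record is None or now >= record["exp"]:
        return "expired_or_unknown"
    if required_scope not in record["scope"]:
        return "insufficient_scope"
    return "ok"


def walkthrough(now=0.0):
    """Run the hotel scenario end to end and return the observed outcomes."""
    code = authorize("hotel-app", ["room", "pool"], user_approved_scopes=["room"])
    first = token("authorization_code", "hotel-app", "constructed-secret", now=now, code=code)
    later = now + ACCESS_TOKEN_TTL  # the moment the first key card stops working
    results = {
        "room_now": access_resource(first["access_token"], "room", now),
        "pool_now": access_resource(first["access_token"], "pool", now),
        "room_later": access_resource(first["access_token"], "room", later),
    }
    renewed = token("refresh_token", "hotel-app", "constructed-secret",
                    now=later, refresh_token=first["refresh_token"])
    results["room_after_refresh"] = access_resource(renewed["access_token"], "room", later)
    results["refresh_in_renewal"] = "refresh_token" in renewed
    try:
        token("authorization_code", "hotel-app", "constructed-secret", now=now, code=code)
    except OAuthError as err:
        results["code_reuse"] = str(err)
    return results


if __name__ == "__main__":
    print(walkthrough())
```

Running `walkthrough()` shows the points from the transcript in order: the client asked for `room` and `pool` but the user approved only `room`, so the pool check fails with `insufficient_scope`; the access token stops working once its lifetime has elapsed; presenting the refresh token yields a fresh access token that opens the room again; the refresh response carries no new refresh token; and replaying the authorization code is rejected with `invalid_grant`.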