Sunday, May 31, 2020

Learn OAuth 2.0 authorization with an Oracle product

First, let's go through some basics of OAuth 2.0.


Limitations before OAuth
If apps store the user's password, those apps have full access to the user's account.
The user's password is exposed if any one of those apps is compromised.
There is no fine-grained way to revoke one app's access: the user has to change the password, which cuts off every app at once.
To address these limitations, several services built their own token-based delegation schemes, similar in spirit to OAuth, but they were not compatible with each other. So there was a need for an open standard that everyone could follow.
Some of these earlier token-based frameworks:
Google AuthSub

Yahoo: BBAuth (Browser Based Auth)

OAuth is an authorization protocol, not an authentication protocol: it tells a service what a client may do on a user's behalf, not who the user is.
OAuth 2.0 focuses on client developer simplicity while providing specific authorization flows for web applications, desktop applications, mobile phones, and living room devices.
OAuth 2.0 is the industry-standard protocol for authorization. OAuth 2.0 supersedes the work done on the original OAuth protocol created in 2006. The specification (RFC 6749) and its extensions are developed within the IETF (Internet Engineering Task Force) OAuth Working Group.
OAuth provides a password-less token exchange: the user authenticates to the authorization server only, the client never sees the password, and the client receives an access token that it presents to the resource server instead.

Scope: a way to limit an application's access to a user's account. The client requests one or more scopes (for example, read-only access to photos), the user sees and approves them, and the resulting access token carries only what was granted, so the resource server can reject requests that exceed it.




Resource owner
  The entity capable of granting access to a protected resource. When the resource owner is a person, it is referred to as the end-user.
Resource server
  The server hosting the protected resources. It accepts protected-resource requests that carry a valid access token and responds to them, rejecting requests whose token is missing, expired or lacks the required scope.
Client
  The application that makes protected-resource requests on behalf of the resource owner and with its authorization. The client can run anywhere: on a desktop, a server, a mobile device or any other device.
Authorization server
  The server that authenticates the resource owner, obtains its authorization, and then issues access tokens to the client. It is also where the client authenticates itself (for confidential clients) and where tokens can be revoked.
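To see how the four roles fit together, here is an added example that walks one client through the authorization code flow; it is not code from this post or from any Oracle product, and the client id "photo-printer", the user "alice", the scope names and the resource paths are all constructed for illustration. It shows the three points made above: the client never handles the user's password, the access token carries only the granted scope, and the user can revoke the app without changing the password.

```python
"""Toy OAuth 2.0 authorization-code exchange with all four roles in one process.

Constructed example: client ids, users, scopes and resource paths are made up.
"""
import hmac
import secrets
import time
from dataclasses import dataclass, field

# Resource owner: the end-user. Her password lives only at the authorization server.
USERS = {"alice": "correct horse battery staple"}  # constructed sample user


@dataclass
class AuthorizationServer:
    clients: dict = field(default_factory=dict)  # client_id -> (secret, redirect_uri)
    codes: dict = field(default_factory=dict)    # code -> (client_id, redirect_uri, user, scopes, expiry)
    tokens: dict = field(default_factory=dict)   # token -> (user, scopes, expiry)

    def register_client(self, client_id, client_secret, redirect_uri):
        self.clients[client_id] = (client_secret, redirect_uri)

    def authorize(self, client_id, redirect_uri, requested_scopes, username, password):
        """Front channel: the user authenticates to the AS (never to the client) and
        consents to the requested scopes. Returns a short-lived, single-use code."""
        if client_id not in self.clients:
            raise PermissionError("unknown client")
        _, registered_uri = self.clients[client_id]
        if redirect_uri != registered_uri:
            raise PermissionError("redirect_uri does not match registration")
        expected = USERS.get(username, "").encode()
        if not expected or not hmac.compare_digest(expected, password.encode()):
            raise PermissionError("resource owner authentication failed")
        code = secrets.token_urlsafe(32)
        self.codes[code] = (client_id, redirect_uri, username,
                            frozenset(requested_scopes), time.time() + 60)
        return code

    def token(self, client_id, client_secret, code, redirect_uri):
        """Back channel: the client authenticates and swaps the code for an access token."""
        if client_id not in self.clients:
            raise PermissionError("unknown client")
        secret, _ = self.clients[client_id]
        if not hmac.compare_digest(secret.encode(), client_secret.encode()):
            raise PermissionError("client authentication failed")
        entry = self.codes.pop(code, None)  # pop: an authorization code is single-use
        if entry is None:
            raise PermissionError("unknown or already-used code")
        bound_client, bound_uri, user, scopes, expiry = entry
        if bound_client != client_id or bound_uri != redirect_uri or time.time() > expiry:
            raise PermissionError("code not valid for this client/redirect_uri, or expired")
        access_token = secrets.token_urlsafe(32)
        self.tokens[access_token] = (user, scopes, time.time() + 3600)
        return {"access_token": access_token, "token_type": "Bearer",
                "scope": " ".join(sorted(scopes))}

    def introspect(self, access_token):
        """Lets the resource server check a token (same idea as RFC 7662 introspection)."""
        entry = self.tokens.get(access_token)
        if entry is None or time.time() > entry[2]:
            return None
        return {"user": entry[0], "scopes": entry[1]}

    def revoke(self, access_token):
        """The user cuts off one app without touching the password (cf. RFC 7009)."""
        self.tokens.pop(access_token, None)


class ResourceServer:
    # Which scope each protected operation requires (constructed policy).
    REQUIRED_SCOPE = {"GET /photos": "photos.read", "DELETE /photos/1": "photos.write"}

    def __init__(self, auth_server):
        self.auth_server = auth_server

    def request(self, method_path, access_token):
        info = self.auth_server.introspect(access_token)
        if info is None:
            return 401, "invalid_token"
        if self.REQUIRED_SCOPE[method_path] not in info["scopes"]:
            return 403, "insufficient_scope"
        return 200, f"{method_path} as {info['user']}"


def run_flow():
    """Drive one client through the flow; returns the outcomes observed at each step."""
    auth = AuthorizationServer()
    auth.register_client("photo-printer", "s3cret", "https://printer.example/cb")
    rs = ResourceServer(auth)
    # 1. Front channel: alice logs in at the AS and approves read-only access.
    code = auth.authorize("photo-printer", "https://printer.example/cb",
                          ["photos.read"], "alice", USERS["alice"])
    # 2. Back channel: the client trades the code for a token; it never saw the password.
    tok = auth.token("photo-printer", "s3cret", code, "https://printer.example/cb")
    results = {"read": rs.request("GET /photos", tok["access_token"])[0],        # 200
               "write": rs.request("DELETE /photos/1", tok["access_token"])[0]}  # 403, out of scope
    try:  # replaying the same code must fail
        auth.token("photo-printer", "s3cret", code, "https://printer.example/cb")
        results["replay"] = "accepted"
    except PermissionError:
        results["replay"] = "rejected"
    auth.revoke(tok["access_token"])  # 3. alice revokes the app; password unchanged
    results["after_revoke"] = rs.request("GET /photos", tok["access_token"])[0]  # 401
    return results


if __name__ == "__main__":
    print(run_flow())
```

Running it prints the outcome of each step: the read succeeds, the write is refused with 403 because only photos.read was granted, the replayed code is rejected, and after revocation the token yields 401 while alice's password is untouched. Binding the code to the client_id and the registered redirect_uri, and popping it on first use, are the checks a real authorization server performs so that a leaked code cannot be redeemed by a different client.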
