OAuth 2.0 Concepts: Difference between revisions
Revision as of 23:18, 15 May 2019
Internal
Overview
According to RFC 6749 - The OAuth 2.0 Authorization Framework (https://tools.ietf.org/html/rfc6749), OAuth 2.0 is an authorization framework that enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf.
Many materials refer to OAuth 2.0 as an authorization protocol. Other materials refer to it as a delegation protocol, because it offers a means of letting someone who controls a resource allow a software application to access that resource on their behalf without impersonating them.
The protocol works by allowing the application to request authorization from the owner of the resource and receive a token it can use to access the resource, without needing to impersonate the owner.
OAuth2 Primitives
Resource Owner
Protected Resource
Client
Authorization Server
OAuth2 Access Token
OAuth2 Grant Types
There are four OAuth2 grant types:
- Authorization Code Grant Type
- second
- third
- fourth
Authorization Code Grant Type
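The token-based delegation described in the overview, worked through for the authorization code grant as an added example (not code from the original page): the resource owner, client, authorization server and protected resource are all simulated in one process, and the client id, client secret, redirect URI and scope are constructed values. The authorization server binds each code to the client and redirect URI it was issued for and lets it be redeemed only once; the client checks the returned state before redeeming the code.

```python
import secrets, time
from urllib.parse import parse_qs, urlencode, urlparse
# Constructed registration values for the simulated client.
CLIENT_ID, CLIENT_SECRET = "demo-client", "demo-secret"
REDIRECT_URI = "https://client.example/cb"

class AuthorizationServer:
    def __init__(self):
        self.codes, self.tokens = {}, {}
    def authorize(self, client_id, redirect_uri, scope, state, owner):
        # Resource owner has approved: bind the code to client, redirect URI and owner.
        code = secrets.token_urlsafe(16)
        self.codes[code] = dict(client_id=client_id, redirect_uri=redirect_uri, scope=scope, owner=owner)
        return f"{redirect_uri}?{urlencode({'code': code, 'state': state})}"
    def token(self, code, client_id, client_secret, redirect_uri):
        rec = self.codes.pop(code, None)  # pop: a code can be redeemed only once
        if rec is None or client_secret != CLIENT_SECRET:
            return None
        if rec["client_id"] != client_id or rec["redirect_uri"] != redirect_uri:
            return None  # code was issued to another client or redirect URI
        tok = secrets.token_urlsafe(24)
        self.tokens[tok] = dict(owner=rec["owner"], scope=rec["scope"], exp=time.time() + 3600)
        return tok
    def introspect(self, tok):
        rec = self.tokens.get(tok)
        return rec if rec and rec["exp"] > time.time() else None

class ProtectedResource:
    def __init__(self, auth_server):
        self.auth_server = auth_server
    def get_profile(self, bearer):
        # The resource never sees owner credentials, only the delegated token.
        rec = self.auth_server.introspect(bearer)
        if rec is None or "profile" not in rec["scope"].split():
            return 401, None
        return 200, {"owner": rec["owner"]}

def callback_params(callback_url):
    return parse_qs(urlparse(callback_url).query)

def run_authorization_code_flow(auth_server, resource, owner="alice"):
    # Client side: request authorization, redeem the code, call the resource.
    state = secrets.token_urlsafe(8)  # ties the callback to this request (CSRF defence)
    callback = auth_server.authorize(CLIENT_ID, REDIRECT_URI, "profile", state, owner)
    params = callback_params(callback)
    if params.get("state", [None])[0] != state:
        raise ValueError("state mismatch: callback does not belong to our request")
    tok = auth_server.token(params["code"][0], CLIENT_ID, CLIENT_SECRET, REDIRECT_URI)
    return resource.get_profile(tok)
```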
To Process
Identity. Identity Management.
Identity Federation and Single Sign-On are related concepts.
Single Sign-On (SSO) systems allow a single user authentication process across multiple IT systems and organizations. SSO is a subset of federated identity management, as it relates only to authentication and technical interoperability.
A user's presence in the system means that the user's identity is associated with the thread that is processing the user's request; in a way, it is the user that "drives" the thread. The identity is associated with the thread in the form of a security context.
There are software agents that perform actions on behalf of the user, and this is where OAuth is relevant: a user can delegate, in a standard and secure way, the authority to perform certain actions. Even though the software agent (the OAuth client) operates under a different identity, it can still perform actions on behalf of a user who may not even be logged in anymore. An example of such an identity is an OpenShift service account.
Authentication. The whole point of an authentication protocol is to tell whether the user is present in the system.
Identity Provider (IdP) and Relying Party (RP).
Authentication protocols, single sign-on, SAML.
Authorization.