Open Authorization (OAuth)


  • Many public clouds expose APIs based on Representational State Transfer (REST)
    • a standardized, stateless architectural style used by web applications for communication and integration
    • used rather than Simple Object Access Protocol (SOAP)
    • such APIs are called RESTful APIs
  • SOAP is a tightly specified, XML-based protocol
  • REST is a looser architectural framework
    • allows the service provider more choice over implementation elements (typically JSON over HTTP)
    • better support for mobile apps
      • compared to SOAP and SAML, whose XML messages are heavier to build and parse

Open Authorization (OAuth) is an authorization framework (OAuth 2.0 is specified in RFC 6749) that underpins federated identity management: it lets resource servers or consumer sites work with user accounts created and managed by a separate identity provider.

  • Authorization for a RESTful API is often implemented using the OAuth protocol
    • OAuth itself only delegates access; user authentication is usually layered on top with OpenID Connect (OIDC), which is built on OAuth 2.0
  • designed to facilitate sharing of information (resources) within a user profile between sites, without sharing the user's credentials

How it Works

  • user creates a password-protected account at an identity provider (IdP)
  • user can link that identity to an OAuth consumer site without giving the password to the consumer site
  • user (resource owner) can grant an OAuth client authorization to access some part of their account
    • client in this context is an app or consumer site
  • the user's account (the resources) is hosted by one or more resource servers
    • a resource server is also called an API server
      • because it exposes the functions (endpoints) that allow OAuth clients to read user attributes
  • authorization server processes authorization requests
    • single authorization server can manage multiple resource servers
    • resource and authorization server could be the same server instance
  • client app or service must be registered with the authorization server
    • client registers a redirect URL (redirect URI)
      • the endpoint to which the authorization server sends the user's browser back, carrying the authorization code (or, in the legacy implicit flow, the token itself)
      • the authorization server must match the URL in each request exactly against the registered value, otherwise an attacker can have codes delivered to a URL they control
    • registration provides the client with an ID and a secret
      • ID can be publicly exposed
      • secret must be kept confidential between the client and the authorization server
      • public clients (mobile or single-page apps) cannot keep a secret, so they use the authorization code flow with PKCE instead of a client secret
  • when the client application requests authorization,
    • the user authenticates to the authorization server and approves (consents to) the request for the requested scope
    • OAuth supports several grant types—or flows—for use in different contexts
      • client credentials grant for server to server
      • authorization code grant for web or mobile app to server (the implicit grant is deprecated for this use)
  • depending on the flow type, the client ends up with an access token issued by the authorization server
  • client presents the access token to the resource server, usually in an HTTP Authorization: Bearer header; the resource server accepts the request only if the token is valid, unexpired, and carries the scope for that resource
  • access tokens are commonly issued in the JSON Web Token (JWT) format for claims data (the OAuth specification itself leaves the token format opaque)
    • three base64url-encoded parts (header, claims, signature) separated by dots, so a token can be passed in URLs and HTTP headers
    • digitally signed (or HMAC-protected) so the resource server can check origin and integrity
      • the resource server must verify the signature, the expected algorithm, issuer, audience and expiry; it must never trust the alg value the token proposes (the "alg": "none" attack)
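The flow above, and the JWT checks the resource server has to perform, as an added example that is not part of the original notes. It is a single-process simulation: the authorization server, the resource (API) server and the client are plain Python objects, the host names idp.example, api.example and app.example are hypothetical, the sample user profile is constructed, and both servers share one HMAC key so the token can be an HS256 JWT (an assumption; a real deployment usually provisions an asymmetric key and uses RS256 or ES256). Only the standard library is used.

```python
import base64, hashlib, hmac, json, secrets, time
from urllib.parse import parse_qs, urlencode, urlsplit

SIGNING_KEY = secrets.token_bytes(32)  # shared by both servers here (assumption, see lead-in)
AUDIENCE = "api.example"               # hypothetical resource server identifier
PROFILES = {"alice": {"name": "Alice", "email": "alice@example.com"}}  # constructed sample data

def b64url(data: bytes) -> str:  # JWT uses unpadded base64url (RFC 7515)
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def jwt_sign(claims: dict, key: bytes) -> str:
    """HS256 JWT: b64url(header).b64url(payload).b64url(HMAC-SHA256 over the first two)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    mac = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(mac)}"

def jwt_verify(token: str, key: bytes) -> dict:
    """Pin the algorithm, check the signature, then the expiry, before trusting any claim."""
    header, payload, sig = token.split(".")  # ValueError on anything but three parts
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never let the token choose 'none'
    mac = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload))
    if claims.get("exp", 0) <= time.time():
        raise ValueError("token expired")
    return claims

class AuthorizationServer:
    def __init__(self, key: bytes):
        self.key, self.clients, self.codes = key, {}, {}

    def register(self, redirect_uri: str):
        """Registration yields a public client_id and a confidential client_secret."""
        client_id, secret = secrets.token_hex(8), secrets.token_urlsafe(32)
        self.clients[client_id] = (secret, redirect_uri)
        return client_id, secret

    def authorize(self, user, client_id, redirect_uri, scope, state) -> str:
        """Front channel: after the user consents, redirect back with a one-time code."""
        if self.clients.get(client_id, (None, None))[1] != redirect_uri:  # exact match only
            raise ValueError("redirect_uri mismatch")
        code = secrets.token_urlsafe(24)
        self.codes[code] = (client_id, user, scope)
        return redirect_uri + "?" + urlencode({"code": code, "state": state})

    def token(self, client_id, client_secret, code) -> dict:
        """Back channel: client authenticates with its secret and swaps the code for a JWT."""
        secret = self.clients.get(client_id, ("", ""))[0]
        if not secret or not hmac.compare_digest(secret, client_secret):
            raise ValueError("invalid_client")
        owner, user, scope = self.codes.pop(code, (None, None, None))  # single use
        if owner != client_id:  # unknown, replayed, or another client's code
            raise ValueError("invalid_grant")
        claims = {"iss": "idp.example", "sub": user, "aud": AUDIENCE, "scope": scope,
                  "exp": int(time.time()) + 300}
        return {"access_token": jwt_sign(claims, self.key), "token_type": "Bearer"}

def resource_server(authorization: str, key: bytes) -> dict:
    """API server: serve the profile only if the bearer token verifies and carries the scope."""
    scheme, _, token = authorization.partition(" ")
    claims = jwt_verify(token, key) if scheme == "Bearer" else {}
    if claims.get("aud") != AUDIENCE or "profile" not in claims.get("scope", "").split():
        raise ValueError("insufficient_scope")
    return PROFILES[claims["sub"]]

def _rejects(action) -> bool:
    try:
        action()
    except ValueError:
        return True
    return False

def run_flow() -> dict:
    """Walk the grant once, then try replaying the code and forging the token."""
    auth, cb = AuthorizationServer(SIGNING_KEY), "https://app.example/callback"
    client_id, client_secret = auth.register(cb)
    state = secrets.token_urlsafe(16)  # client's CSRF binding for the redirect
    params = parse_qs(urlsplit(auth.authorize("alice", client_id, cb, "profile", state)).query)
    if params["state"][0] != state:
        raise ValueError("state mismatch")  # client checks this before using the code
    code = params["code"][0]
    tok = auth.token(client_id, client_secret, code)
    profile = resource_server(f"Bearer {tok['access_token']}", SIGNING_KEY)
    forged = tok["access_token"].split(".")  # swap the payload, keep the old signature
    forged[1] = b64url(json.dumps({"sub": "bob", "aud": AUDIENCE, "scope": "profile",
                                   "exp": int(time.time()) + 300}).encode())
    return {"profile": profile, "token_type": tok["token_type"],
            "replay_rejected": _rejects(lambda: auth.token(client_id, client_secret, code)),
            "forgery_rejected": _rejects(lambda: resource_server("Bearer " + ".".join(forged), SIGNING_KEY))}
```

Calling run_flow() returns the profile served for the valid token together with two flags, both True: the single-use code cannot be exchanged twice, and a token whose claims were edited after signing fails the HMAC check at the resource server. The checks that matter in practice are the ones that are easy to skip: exact redirect URI matching, the state round trip, constant-time secret comparison, and pinning the JWT algorithm instead of reading it from the token.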