- Login - it could be:
  - A simple login page which accepts a username and password and verifies them against the credential database
  - Enterprise Single Sign-On (SSO) which verifies credentials against Active Directory
- Consent Server - which gets the consent of the resource owner to grant the client access to the listed resources
- Token database - a technical database storing token values and their attributes
Both login and consent happen in the Authorization Endpoint.
Endpoint names are not standardised and can be named differently
- grant_type could be Client Credentials, Authorization Code, or Resource Owner Password Credentials
- The code parameter is required for the Authorization Code grant type; the code is created by the Authorization Endpoint
- The Implicit grant does not use the Token Endpoint
A token is like a subway ticket: anyone who gets hold of the token can use it to access the resource, so the client must keep the token secure.
- Access Token (AT) is used by the client to access the resource. It usually has an expiry date, e.g. 30 days
- Refresh Token (RT) is used by the client to get a new Access Token. It must never be sent to the resource servers.
- Authorization Code (Code) is usually valid for a couple of minutes, which is enough for the client to exchange it for an Access Token. It must never be sent to the resource servers.
- Resource Owner Credential is used only by the resource owner and should never be given to anyone else
- Client Credential is the client id and client secret registered at the OAuth server. It is used by the client to get an Access Token from the OAuth server via the token endpoint.
- Access Token is used by the client to get resources from the resource server.
- Refresh Token is used by the client to get a new Access Token from the OAuth server
- Authorization Code is used by the client to get an Access Token
- Before clients can access the resources, they must first be registered at the OAuth Provider.
- The client must give its Redirect URI and required scopes to the OAuth provider
- Once successfully registered, the client gets its ClientID and ClientSecret
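The registration, code and token rules in the notes above, put together as an added example (not code from the original notes): a minimal in-memory Token Endpoint that authenticates the registered client, redeems an Authorization Code only once, only while it is still valid, and only for the Redirect URI it was issued for, and renews an Access Token from a Refresh Token. The client id, secret, URIs, lifetimes and the in-memory dictionaries are constructed for the example.

```python
import hmac
import secrets

# Constructed in-memory stand-ins for the registered-client list and the token
# database from the notes; a real OAuth server persists these.
CLIENTS = {"client-123": {"secret": "s3cret", "redirect_uri": "https://app.example/cb"}}
CODES = {}     # code -> {client_id, redirect_uri, scope, expires_at, used}
REFRESH = {}   # refresh token -> {client_id, scope}
CODE_TTL = 120            # a couple of minutes, as the notes say
ACCESS_TTL = 30 * 86400   # e.g. 30 days

def issue_code(client_id, redirect_uri, scope, now):
    """Authorization Endpoint: after login and consent, mint a short-lived, single-use code."""
    if CLIENTS[client_id]["redirect_uri"] != redirect_uri:
        raise ValueError("redirect_uri does not match the registered one")
    code = secrets.token_urlsafe(32)
    CODES[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                   "scope": scope, "expires_at": now + CODE_TTL, "used": False}
    return code

def _mint(client_id, scope):
    """Issue a fresh Access Token plus the Refresh Token used to renew it."""
    refresh = secrets.token_urlsafe(32)
    REFRESH[refresh] = {"client_id": client_id, "scope": scope}
    return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
            "expires_in": ACCESS_TTL, "refresh_token": refresh, "scope": scope}

def token_endpoint(params, client_id, client_secret, now):
    """Token Endpoint: authenticate the client, then redeem a code or a refresh token."""
    client = CLIENTS.get(client_id)
    if client is None or not hmac.compare_digest(client["secret"], client_secret):
        return {"error": "invalid_client"}
    grant = params.get("grant_type")
    if grant == "authorization_code":
        rec = CODES.get(params.get("code"))
        # The code must be unexpired, unused, and bound to this client and redirect URI.
        if (rec is None or rec["used"] or now > rec["expires_at"]
                or rec["client_id"] != client_id
                or rec["redirect_uri"] != params.get("redirect_uri")):
            return {"error": "invalid_grant"}
        rec["used"] = True  # single use: presenting the same code again fails
        return _mint(client_id, rec["scope"])
    if grant == "refresh_token":
        rec = REFRESH.pop(params.get("refresh_token"), None)  # rotate: old RT is consumed
        if rec is None or rec["client_id"] != client_id:
            return {"error": "invalid_grant"}
        return _mint(client_id, rec["scope"])
    return {"error": "unsupported_grant_type"}
```

The Implicit grant never reaches this endpoint, and the resource server only ever sees the access_token value, never the code or the refresh token.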