...

Depending on the use case, OAuth2 provides four authentication methods, or grant types, which are given in the following table. An application, called a client, can request an access token for a specific scope which is

Method: Authorization Code
Description: An end-user authorizes a specific application, called client, for a specific set of resources. The application can then request the corresponding access token provided by the end-user.
Parameters:
  scope: list of strings
  code: the grant's unlock code
  client_id: client's ID
  redirect_uri: client's URL*
Example:
  Request:
  http://localhost:8002/oauth/token?grant_type=authorization_code&scope=read&code=1234&client_id=1234&redirect_uri=http://localhost:8002/ui
  Response:
  {"token_type": "Bearer", "version": "1.0.0", "access_token": "LLL7SFMWkE6BcNc6M4dXHQXJ3UINTz", "scope": "read", "expires_in": 86400, "refresh_token": "uC5FRcq1MsITDfMb1fQlPLQO7RhuxH"}

Method: Client Credentials
Description: Given that a client is the owner of a set of resources, it can request a corresponding access token itself.
Parameters:
  scope: list of strings
  client_id: client's ID
  client_secret: client's authentication code
Example:
  Request:
  http://localhost:8002/oauth/token?grant_type=client_credentials&scope=read&client_id=1234&client_secret=abcd
  Response:
  {"access_token": "wCPvIbuZoVp589eIczfmkNI1a8i5Ym", "token_type": "Bearer", "version": "1.0.0", "expires_in": 86400, "scope": "read"}

Method: Password
Description: Clients are grouped into public and confidential clients. A 'confidential' client is allowed to request an access token in the name of an end-user.
Parameters:
  scope: list of strings
  client_id: client's ID
  username: end-user's name
  password: end-user's password
Example:
  Request:
  http://localhost:8002/oauth/token?grant_type=password&scope=read&client_id=1234&username=TestUser1&password=1234
  Response:
  {"token_type": "Bearer", "version": "1.0.0", "access_token": "zOJ5avH29S1gALoT2ogcjdpelR2HSF", "scope": "read", "expires_in": 86400, "refresh_token": "DGdSeoxPJDRFH4ZXzQwCJ6xZDX6F26"}

Method: Refresh Token
Description: Access tokens expire after a certain period. To extend a valid access token, a client can request a new access token using the refresh token obtained with the old one.
Parameters:
  scope: list of strings
  client_id: client's ID
  refresh_token: valid refresh token
Example:
  Request:
  http://localhost:8002/oauth/token?grant_type=refresh_token&scope=read&client_id=1234&refresh_token=DGdSeoxPJDRFH4ZXzQwCJ6xZDX6F26
  Response:
  {"token_type": "Bearer", "version": "1.0.0", "access_token": "OWLwWDpL2QDWKAHN8qWC7eBwqjKjs9", "scope": "read", "expires_in": 86400, "refresh_token": "IAFzNvlB7bAcU3TUZpdJxxkLEf8Kbv"}

* The redirect_uri is validated by OAuth2 because of open redirection vulnerabilities (see previous section).
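As an added illustration of the four grant types and of the redirect_uri check in the footnote (example code written for this page, not the service's own implementation), the following Python models a minimal /oauth/token handler. The client registrations, the end-user credential, the authorization code "1234" and the refresh-token store are all constructed sample data; the client IDs, secret and URLs reuse the values from the examples above so the page's request URLs can be fed straight in. It assumes the server keeps a per-client set of registered redirect URIs and compares them exactly, issues single-use authorization codes, allows the password grant only to confidential clients, and rotates refresh tokens on every use.

```python
import secrets
from urllib.parse import parse_qs, urlsplit

# Constructed sample registrations (not from the page). Client "1234" is a
# confidential client with secret "abcd"; "pub1" is a public client.
CLIENTS = {
    "1234": {"secret": "abcd", "confidential": True,
             "redirect_uris": {"http://localhost:8002/ui"}},
    "pub1": {"secret": None, "confidential": False,
             "redirect_uris": {"http://localhost:8002/ui"}},
}
USERS = {"TestUser1": "1234"}  # constructed end-user credential
# Constructed authorization code "1234", as issued after end-user consent.
CODES = {"1234": {"client_id": "1234", "scope": "read",
                  "redirect_uri": "http://localhost:8002/ui", "used": False}}
REFRESH_TOKENS = {}  # refresh_token -> {"client_id": ..., "scope": ...}
TOKEN_TTL = 86400


class OAuthError(Exception):
    """Carries an RFC 6749 error code such as 'invalid_grant'."""


def params_from_url(url):
    """Turn a request URL like the page's examples into a parameter dict."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def redirect_uri_allowed(client, uri):
    """Exact-match check against the client's registered redirect URIs.
    Prefix or host-only matching would let a path or query suffix send the
    code elsewhere, which is the open-redirect problem the footnote refers to."""
    return uri is not None and uri in client["redirect_uris"]


def _issue(client_id, scope, with_refresh):
    token = {"token_type": "Bearer", "version": "1.0.0",
             "access_token": secrets.token_urlsafe(24),
             "scope": scope, "expires_in": TOKEN_TTL}
    if with_refresh:
        rt = secrets.token_urlsafe(24)
        REFRESH_TOKENS[rt] = {"client_id": client_id, "scope": scope}
        token["refresh_token"] = rt
    return token


def _check_secret(client, presented):
    # Only confidential clients have a secret; compare in constant time.
    if not client["confidential"] or presented is None:
        raise OAuthError("invalid_client")
    if not secrets.compare_digest(client["secret"], presented):
        raise OAuthError("invalid_client")


def _grant(params):
    client_id = params.get("client_id")
    client = CLIENTS.get(client_id)
    if client is None:
        raise OAuthError("invalid_client")
    grant, scope = params.get("grant_type"), params.get("scope", "")

    if grant == "authorization_code":
        code = CODES.get(params.get("code"))
        # Code must exist, be unused, belong to this client, and carry the
        # exact redirect_uri that is both presented now and registered.
        if (code is None or code["used"] or code["client_id"] != client_id
                or params.get("redirect_uri") != code["redirect_uri"]
                or not redirect_uri_allowed(client, code["redirect_uri"])):
            raise OAuthError("invalid_grant")
        if scope and scope != code["scope"]:
            raise OAuthError("invalid_scope")
        code["used"] = True  # authorization codes are single-use
        return _issue(client_id, code["scope"], with_refresh=True)

    if grant == "client_credentials":
        _check_secret(client, params.get("client_secret"))
        return _issue(client_id, scope, with_refresh=False)

    if grant == "password":
        if not client["confidential"]:  # public clients may not use this grant
            raise OAuthError("unauthorized_client")
        user, pw = params.get("username"), params.get("password", "")
        if user not in USERS or not secrets.compare_digest(USERS[user], pw):
            raise OAuthError("invalid_grant")
        return _issue(client_id, scope, with_refresh=True)

    if grant == "refresh_token":
        # Popped even on failure: a refresh token presented by the wrong
        # client is revoked rather than left usable.
        entry = REFRESH_TOKENS.pop(params.get("refresh_token"), None)
        if entry is None or entry["client_id"] != client_id:
            raise OAuthError("invalid_grant")
        if scope and scope != entry["scope"]:
            raise OAuthError("invalid_scope")
        return _issue(client_id, entry["scope"], with_refresh=True)  # rotated

    raise OAuthError("unsupported_grant_type")


def token_endpoint(params):
    """Handle one /oauth/token request; returns the token JSON or an error JSON."""
    try:
        return _grant(params)
    except OAuthError as err:
        return {"error": str(err)}


if __name__ == "__main__":
    req = ("http://localhost:8002/oauth/token?grant_type=client_credentials"
           "&scope=read&client_id=1234&client_secret=abcd")
    print(token_endpoint(params_from_url(req)))
```

The handler takes an already-parsed parameter dict, so it serves both the query-string form shown in the page's examples and a POST form body; in production the credential-bearing parameters (client_secret, password, refresh_token) belong in the POST body rather than the URL, where they would otherwise end up in access logs. Note also that the refresh grant cannot widen the scope beyond what the original token carried.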

...