
OAuth is an authorization framework that allows applications to obtain limited access to user accounts on an HTTP service.
The problem.
How can the user grant an app the privilege to access the resource server on their behalf? Requiring the user to log in on every request would solve this, but it is quite inefficient.
We want to log in once and obtain an access token that keeps working, in a secure way.
E.G.
- I have a Spotify account. I am the Resource Owner.
- I am building an application in which everyone can add to my playlist with a GUI. My shared playlist app is the Client.
- Spotify authenticates the user on the Client's behalf and issues an access token. Spotify hosts the Authorization Server.
- After obtaining the token, the Client sends it in the request header when issuing API calls to Spotify's Resource Server.
Spotify’s OAuth Diagram.

Step 1. Getting Authorization Code.
In this request, redirect_uri tells the Authorization Server which address to send the user back to after authorization succeeds.
After the user logs in, an authorization CODE is returned to that address. The Client will exchange this code for access tokens.
The STATE field is used to prevent cross-site request forgery (CSRF) attacks: the Client generates an unguessable value, sends it in the request, and only accepts a callback that carries the same value back.
Step 2. Access and Refresh Token.
The Client exchanges the CODE for an access_token and a refresh_token. Along with the tokens, the validity period in seconds is returned in expires_in; once it has elapsed, the Client uses the refresh_token to obtain a new access_token without sending the user through login again.
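As an added example (not code from this post or from Spotify), here is a small Python client that walks both steps above: it builds the Step 1 authorize request with a random state, refuses a callback whose state it did not issue, exchanges the code for access_token and refresh_token in Step 2, and refreshes transparently once expires_in has elapsed. The Spotify endpoint URLs are assumed from Spotify's public documentation; the client ID, secret, redirect URI, code and token values are constructed, and the token endpoint is an in-memory stand-in so the example runs offline.

```python
import secrets
import time
from urllib.parse import urlencode, urlparse, parse_qs

# Spotify's authorize and token endpoints (assumed from Spotify's public docs, not from this post).
AUTHORIZE_URL = "https://accounts.spotify.com/authorize"
TOKEN_URL = "https://accounts.spotify.com/api/token"
REDIRECT_URI = "https://shared-playlist.example/callback"  # constructed


class OAuthClient:
    """Client side of the authorization code flow: Step 1 builds the redirect,
    Step 2 exchanges the returned code for tokens and refreshes them later."""

    def __init__(self, client_id, client_secret, redirect_uri, token_post, clock=time.time):
        self.client_id = client_id
        self.client_secret = client_secret
        self.redirect_uri = redirect_uri
        self._token_post = token_post    # callable(url, form, auth) -> dict; injected so this runs offline
        self._clock = clock              # injectable clock so expiry can be simulated
        self._pending_states = set()     # states we issued and have not yet consumed
        self.access_token = None
        self.refresh_token = None
        self.expires_at = 0.0

    # ---- Step 1: send the user to the Authorization Server ----
    def build_authorize_url(self, scope):
        state = secrets.token_urlsafe(32)  # unguessable; in a real app, bind it to the browser session
        self._pending_states.add(state)
        params = {
            "client_id": self.client_id,
            "response_type": "code",
            "redirect_uri": self.redirect_uri,
            "scope": scope,
            "state": state,
        }
        return AUTHORIZE_URL + "?" + urlencode(params)

    # ---- Step 2: the Authorization Server redirects the browser back to redirect_uri ----
    def handle_callback(self, callback_url):
        query = parse_qs(urlparse(callback_url).query)
        state = query.get("state", [None])[0]
        # A callback whose state we never issued is a forged or replayed link: stop before touching the code.
        if state not in self._pending_states:
            raise ValueError("state mismatch: callback was not initiated by this client")
        self._pending_states.discard(state)  # each state is single use
        if "error" in query:
            raise ValueError("authorization denied: " + query["error"][0])
        form = {"grant_type": "authorization_code", "code": query["code"][0],
                "redirect_uri": self.redirect_uri}
        return self._store(self._token_post(TOKEN_URL, form, (self.client_id, self.client_secret)))

    def _store(self, token_response):
        self.access_token = token_response["access_token"]
        # A refresh response may omit refresh_token; keep the one we already hold.
        self.refresh_token = token_response.get("refresh_token", self.refresh_token)
        self.expires_at = self._clock() + float(token_response["expires_in"])
        return self.access_token

    # ---- Using the token on Resource Server calls: refresh shortly before expiry ----
    def bearer_header(self, skew=60):
        if self._clock() >= self.expires_at - skew:
            form = {"grant_type": "refresh_token", "refresh_token": self.refresh_token}
            self._store(self._token_post(TOKEN_URL, form, (self.client_id, self.client_secret)))
        return {"Authorization": "Bearer " + self.access_token}


class FakeTokenEndpoint:
    """Constructed stand-in for Spotify's token endpoint; enforces single-use codes and checks redirect_uri."""

    def __init__(self):
        self.codes = {"CODE123"}  # codes the fake Authorization Server has handed to the browser

    def __call__(self, url, form, auth):
        if url != TOKEN_URL or auth != ("my-client-id", "my-client-secret"):
            raise ValueError("invalid_client")
        if form["grant_type"] == "authorization_code":
            if form["code"] not in self.codes or form["redirect_uri"] != REDIRECT_URI:
                raise ValueError("invalid_grant")
            self.codes.discard(form["code"])
            return {"access_token": "AT1", "token_type": "Bearer", "expires_in": 3600, "refresh_token": "RT1"}
        if form["grant_type"] == "refresh_token" and form["refresh_token"] == "RT1":
            return {"access_token": "AT2", "token_type": "Bearer", "expires_in": 3600}
        raise ValueError("invalid_grant")


def demo():
    """Run both steps; returns (forged callback rejected?, first access token, header after expiry)."""
    now = [1_000_000.0]
    client = OAuthClient("my-client-id", "my-client-secret", REDIRECT_URI,
                         FakeTokenEndpoint(), clock=lambda: now[0])
    url = client.build_authorize_url("playlist-modify-public")
    state = parse_qs(urlparse(url).query)["state"][0]
    try:  # a link carrying a state we never issued must be rejected before any exchange happens
        client.handle_callback(REDIRECT_URI + "?code=CODE123&state=forged")
        forged_rejected = False
    except ValueError:
        forged_rejected = True
    first = client.handle_callback(REDIRECT_URI + "?code=CODE123&state=" + state)
    now[0] += 3600  # expires_in has elapsed; the next call refreshes transparently
    second = client.bearer_header()["Authorization"]
    return forged_rejected, first, second


if __name__ == "__main__":
    print(demo())
```

The state check runs before the code is ever sent to the token endpoint, so a crafted callback link cannot make the Client bind a stranger's authorization to the current user's session; the expiry check uses a small skew so a token is refreshed before, not after, a Resource Server call would fail.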