Open Authorization (OAuth)
- is an open standard for token-based delegated authentication over the Internet
- allows an end user’s account information to be used by third-party services without exposing the user’s password
- is essentially a way to separate the authorization process from access to the resource, thereby limiting the exposure of the user's credentials
OAuth Entities
Authentication/authorization/delegation entities/actors:
Entity/Actor (with common aliases) and Description:

- Resource Owner (RO), End-User, Principal:
  the entity that is in control of the data exposed by the API, typically an end-user
- Client, Relying-Party (RP):
  the mobile app, website, etc. that wants to access data on behalf of the Resource Owner
- Authorization/OAuth Server/Service (AS), Identity-Provider (IdP), OpenID Provider:
  a combination, or sometimes a separation, of:
  - Authentication Server - deals with authenticating the End-User
  - Security Token Service (STS) or Token Endpoint - issues tokens (e.g. Access Tokens, Refresh Tokens, ID Tokens)
- Resource/UserInfo Server/Provider (RS), Service-Provider (SP):
  the service/application/resource that:
  - exposes the protected resource/API and requires authentication/authorization of any principal wishing to access it
  - agrees to trust the Identity-Provider to authenticate the Client
NOTE: This is one of many grant flows (the diagram above portrays the Implicit Flow of OAuth and OpenID Connect).
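To make the separation of roles concrete, here is an added toy model of the actors listed above. It is example code written for this page, not code from the original or from any OAuth library: the Resource Owner authenticates only to the Authorization Server, the Client ends up holding nothing but an opaque access token (as it would after the Implicit Flow redirect), and the Resource Server decides by asking the Authorization Server whether the token is live and what scope it carries. All names, the in-memory stores, the introspection-style check and the credentials are constructed assumptions; a real Authorization Server would store password hashes and the redirect would travel through the user's browser rather than a function call.

```python
import hmac
import secrets
import time

# Constructed, in-memory data for the toy model (not real accounts or clients).
USERS = {"alice": "correct-horse"}                     # Resource Owner credentials, held only by the AS
CLIENTS = {"photo-app": "https://photo.example/cb"}    # registered client_id -> redirect_uri
PROFILES = {"alice": {"name": "Alice", "email": "alice@example.test"}}  # data exposed by the RS


class AuthorizationServer:
    """Authentication Server and Token Endpoint rolled into one (the 'combination' case above)."""

    def __init__(self, users, clients, ttl=3600):
        self._users = users
        self._clients = clients
        self._tokens = {}      # opaque token -> {sub, client_id, scope, exp}
        self._ttl = ttl

    def authorize(self, username, password, client_id, redirect_uri, scope):
        """The Resource Owner authenticates here, never at the Client.
        Returns the token that would ride back to the Client in the redirect."""
        # Only a registered client, with its registered redirect_uri, may receive a token.
        if self._clients.get(client_id) != redirect_uri:
            raise PermissionError("unknown client or redirect_uri mismatch")
        stored = self._users.get(username)
        if stored is None or not hmac.compare_digest(stored, password):
            raise PermissionError("end-user authentication failed")
        token = secrets.token_urlsafe(32)
        self._tokens[token] = {"sub": username, "client_id": client_id,
                               "scope": frozenset(scope), "exp": time.time() + self._ttl}
        return token

    def introspect(self, token):
        """What the RS asks the AS: is this token live, for whom, and with what scope?"""
        meta = self._tokens.get(token)
        if meta is None or meta["exp"] <= time.time():
            return {"active": False}
        return {"active": True, **meta}


class ResourceServer:
    """Exposes the protected API and trusts the AS's answer, not whoever presents the token."""

    def __init__(self, auth_server, profiles):
        self._as = auth_server
        self._profiles = profiles

    def userinfo(self, token):
        info = self._as.introspect(token)
        if not info["active"]:
            raise PermissionError("token rejected")
        if "profile" not in info["scope"]:
            raise PermissionError("insufficient scope")
        return self._profiles[info["sub"]]


class Client:
    """Holds only the access token; it never learns the end-user's password."""

    def __init__(self, client_id, redirect_uri):
        self.client_id = client_id
        self.redirect_uri = redirect_uri
        self.access_token = None

    def receive_redirect(self, token):
        self.access_token = token

    def fetch_profile(self, resource_server):
        return resource_server.userinfo(self.access_token)


def run_flow(username="alice", password="correct-horse", scope=("profile",)):
    """Walk the actors through one delegated access; returns the profile the Client obtained."""
    auth_server = AuthorizationServer(USERS, CLIENTS)
    resource_server = ResourceServer(auth_server, PROFILES)
    client = Client("photo-app", CLIENTS["photo-app"])
    # The browser carries the user to the AS; the Client only ever sees the resulting token.
    token = auth_server.authorize(username, password, client.client_id, client.redirect_uri, scope)
    client.receive_redirect(token)
    return client.fetch_profile(resource_server)


def attempt_flow(**kwargs):
    """Same as run_flow but reports a denial instead of raising, to show the failure paths."""
    try:
        return "ok", run_flow(**kwargs)
    except PermissionError as err:
        return "denied", str(err)


if __name__ == "__main__":
    print(run_flow())
    print(attempt_flow(password="wrong"))
    print(attempt_flow(scope=("email",)))
```

The point to take from the model is where each secret lives: the password is checked only inside `AuthorizationServer.authorize`, the token is the only thing that crosses into `Client`, and `ResourceServer.userinfo` never inspects the token itself but defers to `introspect`, so a forged or expired token is rejected without the RS needing any knowledge of the user's credentials.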
