Table of Contents for Getting Started with OAuth 2.0
by Ryan Boyd
Getting Started with OAuth 2.0
A Note Regarding Supplemental Files
Preface
Conventions Used in This Book
Using Code Examples
Safari® Books Online
How to Contact Us
Acknowledgments
1. Introduction
How OAuth Was Born
Why Developers Should Care About OAuth
Why Don’t These APIs Just Use Passwords for Authorization?
Terminology
Authentication
Federated Authentication
Authorization
Delegated Authorization
Roles
The Great Debate over Signatures
Mitigating Concerns with Bearer Tokens
Signing Your OAuth 2.0 Requests
Getting the key
Making API requests
Developer and Application Registration
Why Is Registration Necessary?
Client Profiles, Access Tokens, and Authorization Flows
Client Profiles
Access Tokens
Authorization Flows
2. Server-Side Web Application Flow
When Should the Authorization Code Flow Be Used?
Security Properties
User Experience
Step-by-Step
Step 1: Let the user know what you’re doing and request authorization
Error handling
Step 2: Exchange authorization code for an access token
Why both access tokens and refresh tokens?
Step 3: Call the API
Error handling
Step 4a: Refresh the access token
Step 4b: Obtaining a new access token
How Can Access Be Revoked?
3. Client-Side Web Applications Flow
When Should the Implicit Grant Flow Be Used?
Limitations of the Implicit Grant Flow
Security Properties
User Experience
Step-by-Step
Step 1: Let the user know what you’re doing and request authorization
Error handling
Step 2: Parsing the access token from the URL
Step 3: Call the API
Step 4: Refreshing the access token
How Can Access Be Revoked?
4. Resource Owner Password Flow
When Should the Resource Owner Password Flow Be Used?
Security Properties
User Experience
Step-by-Step
Step 1: Ask the user for their credentials
Step 2: Exchange the credentials for an access token
Step 3: Call the API
Step 4: Refresh the access token
5. Client Credentials Flow
When Should the Client Credentials Flow Be Used?
What APIs Support the Client Credentials Flow?
How Does the Client Authenticate?
Security Properties
Step-by-Step
Step 1: Exchange the application’s credentials for an access token
Step 2: Call the API
When the Access Token Expires
6. Getting Access to User Data from Mobile Apps
Why You Should Use OAuth for Native Mobile Apps
What Flow Should Be Used for Native Mobile Apps?
Do You Have a Mobile Backend Web Server for Your Application?
The (Ugly) Web Browser
Embedded WebView
System Web Browser
Enhanced Mobile App Authorization for Specific Providers
For Google
For Facebook
7. OpenID Connect Authentication
ID Token
Security Properties
Obtaining User Authorization
Check ID Endpoint
UserInfo Endpoint
Performance Improvements
Practical OpenID Connect
For Google
For Facebook
OpenID Connect Evolution
8. Tools and Libraries
Google’s OAuth 2.0 Playground
Google’s TokenInfo Endpoint
Apigee’s Console
Facebook’s Access Token Tool and Access Token Debugger
Libraries
Going Further
A. References
Specifications
Vendor Documentation
Mailing Lists
Misc
About the Author
Copyright
A Note Regarding Supplemental Files
Getting Started with OAuth 2.0
Ryan Boyd
Beijing • Cambridge • Farnham • Köln • Sebastopol • Tokyo