Vlad's blog

In programming veritas

OAuth2 flows: Authorization flow


The Authorization flow is usually used when the Resource Owner communicates with a Web server (the Client) which accesses another RESTful web service on behalf of the Resource Owner.
(Figure: Authorization Flow-1)
The Client redirects the Resource Owner to the Authorization Server. In the URL the Client specifies client_id, which is how the Authorization Server identifies the Client; this assumes the Client was previously registered with the Authorization Server. The Client also specifies redirect_uri, which the Authorization Server will use when the Resource Owner's authorization is complete.
(Figure: Authorization Flow-2)
Then the Authorization Server asks the user to authorize. Depending on the particular implementation (Google, Twitter, Facebook) the login screen may look different.
(Figure: Google login screen)
The next step is the consent screen, where the Resource Owner is prompted to allow the application to perform certain actions.
(Figure: Google consent screen)
When authorization is complete, the Authorization Server redirects the Resource Owner back to the Client.
(Figure: Authorization Flow-3)
It passes a code parameter, but this is not a token yet. The Client will use this code in a request it sends to the Authorization Server.
(Figure: Authorization Flow-4)
The Authorization Server responds with an access token, a refresh token and an expiration time in seconds.
(Figure: Authorization Flow-5)
Now the Client can access the Resource Server using the access token.
(Figure: Authorization Flow-6)
As you can see, the access token lifetime is very short. When it expires there are two options: the Client can start this procedure over, or use the refresh token to request a new access token.
So the Authorization flow has the following features.

  • Used for server-side applications
  • The Resource Owner never gets the access token, so it cannot leak
  • If the access token has expired, a new one can be requested using the refresh token
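The whole exchange above, as an added example that is not part of the original post: an in-memory stand-in for the Authorization Server (the class name, the client_id "web-app" and the callback URL are constructed for this example) that only issues a code to a registered client_id with its registered redirect_uri, makes each code single-use, and lets the Client renew an expired access token with the refresh token instead of restarting the flow. The Client side also carries a random state value so it can tell its own callback from anyone else's.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed stand-in for the Authorization Server, in memory only.
class AuthorizationServer:
    def __init__(self):
        # client_id -> redirect_uri registered by the Client beforehand
        self.clients = {"web-app": "https://client.example/callback"}
        self.codes = {}           # code -> client_id; each code is single-use
        self.refresh_tokens = {}  # refresh_token -> client_id

    def authorize(self, client_id, redirect_uri, state):
        # Only a registered client with its registered redirect_uri gets a code.
        if self.clients.get(client_id) != redirect_uri:
            raise ValueError("unknown client_id or redirect_uri mismatch")
        code = secrets.token_urlsafe(16)
        self.codes[code] = client_id
        # Redirect the Resource Owner back to the Client with code and state.
        return redirect_uri + "?" + urlencode({"code": code, "state": state})

    def token(self, client_id, code=None, refresh_token=None):
        if code is not None:
            # pop() removes the code, so a second exchange of the same code fails.
            if self.codes.pop(code, None) != client_id:
                raise ValueError("invalid or already-used code")
        elif self.refresh_tokens.get(refresh_token) != client_id:
            raise ValueError("invalid refresh token")
        rt = secrets.token_urlsafe(16)
        self.refresh_tokens[rt] = client_id
        # Short-lived access token, refresh token, and lifetime in seconds.
        return {"access_token": secrets.token_urlsafe(16),
                "refresh_token": rt, "expires_in": 3600}

def run_flow(server, client_id="web-app",
             redirect_uri="https://client.example/callback"):
    # Step 1: the Client remembers a random state and redirects the Resource Owner.
    state = secrets.token_urlsafe(8)
    callback_url = server.authorize(client_id, redirect_uri, state)
    # Step 3: the Resource Owner comes back; check state before trusting the code.
    params = parse_qs(urlparse(callback_url).query)
    if params["state"][0] != state:
        raise ValueError("state mismatch: callback did not come from our request")
    # Step 4: the Client exchanges the code for tokens over its own back channel.
    tokens = server.token(client_id, code=params["code"][0])
    # Step 5: once the access token expires, the refresh token gets a new one
    # without sending the Resource Owner through the login and consent screens again.
    renewed = server.token(client_id, refresh_token=tokens["refresh_token"])
    return tokens, renewed
```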

Written by vsukhachev

November 15, 2015 at 3:28 am

Posted in Development
