What is OAuth
As RFC 6749 puts it, the OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf.
OAuth Roles
OAuth defines four roles:
- resource owner:
Could be you. An entity capable of granting access to a protected resource. When the resource owner is a person, it is referred to as an end-user.
- resource server:
The server hosting the protected resources, capable of accepting and responding to protected resource requests using access tokens.
- client:
An application making protected resource requests on behalf of the resource owner and with its authorization. It could be a mobile app asking your permission to read your Facebook feed, a REST client calling a REST API, or a web site (Stack Overflow, for example) offering login with a Facebook account as an alternative to its own accounts.
- authorization server:
The server issuing access tokens to the client after successfully authenticating the resource owner and obtaining its authorization. The authorization server and the resource server may be the same server or separate ones.
OAuth Authorization Grant types
An authorization grant is a credential representing the resource owner's authorization (to access its protected resources) used by the client to obtain an access token. RFC 6749 defines four grant types (note that the OAuth 2.0 Security Best Current Practice, RFC 9700, forbids the password grant and advises against the implicit grant in new deployments; the authorization code grant is the recommended choice for both web and native apps):
- authorization code
- implicit
- resource owner password credentials
- client credentials

This tutorial uses the resource owner password credentials grant type, which RFC 6749 reserves for clients the user already trusts with their password (a first-party application), since the client sees the password in clear. The tutorial sets up three pieces:
1. Resource Server
2. Authorization Server
3. REST API
Sending a request to /oauth/token with grant_type=password and the resource owner's credentials returns an access token and a refresh token:
http://localhost:8080/Securing_RESTful_API_with_OAuth/oauth/token?grant_type=password&username=User1&password=abc123
Two caveats on that request. RFC 6749 §4.3.2 requires the token request to be a POST with the parameters in an application/x-www-form-urlencoded body, not in the URL as above, because query strings end up in server logs, proxies and browser history along with the password. A confidential client must also authenticate itself to the token endpoint, normally by sending its client id and secret as HTTP Basic credentials; a request without client authentication is rejected with an invalid_client error.
Use the token you received to access the resources:
GET http://localhost:8080/Securing_RESTful_API_with_OAuth/user/?access_token=3525d0e4-d881-49e7-9f91-bcfd18259109
Passing the token in the access_token query parameter works, but RFC 6750 §2.3 says it should not be used unless the header is unavailable, for the same logging reason; send it as Authorization: Bearer <token> instead. The resource server must check that the token is known and unexpired on every request and answer 401 with an invalid_token error otherwise; when the access token expires the client exchanges the refresh token at /oauth/token with grant_type=refresh_token rather than sending the user's password again.
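The whole exchange, as an added example that is not part of the tutorial's code: an in-process model of the authorization server (token endpoint), the resource server (protected /user) and the client, written in Python rather than as the Spring project the page builds. The user User1/abc123 mirrors the page; the client id rest-client, its secret, the one-hour token lifetime and the refresh-token rotation are assumptions of this example. It shows the three rejections a practitioner should expect from a compliant token endpoint (GET instead of POST, missing client authentication, wrong password), the Bearer header on the resource request, and recovery from an expired access token via the refresh token.

```python
"""In-process model of the password-grant flow: authorization server, resource
server and client. Hypothetical example, not the tutorial's Spring code; the
client id/secret, token lifetime and refresh rotation are assumed here."""
import base64
import secrets
import time
from dataclasses import dataclass, field
from urllib.parse import parse_qs

TOKEN_TTL = 3600  # assumed access-token lifetime in seconds


@dataclass
class AuthorizationServer:
    # constructed registries: one confidential client and one end user (resource owner)
    clients: dict = field(default_factory=lambda: {"rest-client": "client-secret"})
    users: dict = field(default_factory=lambda: {"User1": "abc123"})
    tokens: dict = field(default_factory=dict)          # access_token -> (user, expires_at)
    refresh_tokens: dict = field(default_factory=dict)  # refresh_token -> user

    def _authenticate_client(self, headers):
        # RFC 6749 section 2.3.1: confidential clients use HTTP Basic on the token endpoint
        auth = headers.get("Authorization", "")
        if not auth.startswith("Basic "):
            return None
        try:
            cid, secret = base64.b64decode(auth[6:]).decode().split(":", 1)
        except (ValueError, UnicodeDecodeError):
            return None
        expected = self.clients.get(cid, "")
        return cid if secrets.compare_digest(expected.encode(), secret.encode()) else None

    def _issue(self, user):
        # opaque random tokens, as in the tutorial; a JWT would work the same way here
        access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.tokens[access] = (user, time.time() + TOKEN_TTL)
        self.refresh_tokens[refresh] = user
        return {"access_token": access, "token_type": "bearer",
                "expires_in": TOKEN_TTL, "refresh_token": refresh}

    def token_endpoint(self, method, headers, body):
        """POST /oauth/token with a form-encoded body; returns (status, json)."""
        if method != "POST":
            return 405, {"error": "invalid_request"}
        if self._authenticate_client(headers) is None:
            return 401, {"error": "invalid_client"}
        form = {k: v[0] for k, v in parse_qs(body).items()}
        grant = form.get("grant_type")
        if grant == "password":
            user, pw = form.get("username"), form.get("password", "")
            if user in self.users and secrets.compare_digest(self.users[user].encode(), pw.encode()):
                return 200, self._issue(user)
            return 400, {"error": "invalid_grant"}
        if grant == "refresh_token":
            # single-use refresh token: consumed on exchange (rotation)
            user = self.refresh_tokens.pop(form.get("refresh_token"), None)
            return (200, self._issue(user)) if user else (400, {"error": "invalid_grant"})
        return 400, {"error": "unsupported_grant_type"}

    def introspect(self, token):
        """Lookup used by the resource server: owner name, or None if unknown/expired."""
        entry = self.tokens.get(token)
        if entry is None or entry[1] < time.time():
            return None
        return entry[0]


class ResourceServer:
    def __init__(self, auth_server):
        self.auth_server = auth_server

    def get_user(self, headers):
        """GET /user, protected by a bearer token in the Authorization header (RFC 6750 2.1)."""
        auth = headers.get("Authorization", "")
        if not auth.startswith("Bearer "):
            return 401, {"error": "invalid_request"}
        owner = self.auth_server.introspect(auth[7:])
        if owner is None:
            return 401, {"error": "invalid_token"}
        return 200, {"user": owner}


def basic_auth(client_id, secret):
    return "Basic " + base64.b64encode(f"{client_id}:{secret}".encode()).decode()


def run_flow(auth_server, resource_server):
    """Client side: password grant, protected call, then refresh after expiry."""
    hdrs = {"Authorization": basic_auth("rest-client", "client-secret"),
            "Content-Type": "application/x-www-form-urlencoded"}
    status, tok = auth_server.token_endpoint(
        "POST", hdrs, "grant_type=password&username=User1&password=abc123")
    assert status == 200, tok
    bearer = {"Authorization": "Bearer " + tok["access_token"]}
    status, body = resource_server.get_user(bearer)
    # Simulate expiry, then recover with the refresh token instead of re-sending the password
    auth_server.tokens[tok["access_token"]] = ("User1", time.time() - 1)
    expired_status, _ = resource_server.get_user(bearer)
    status2, _ = auth_server.token_endpoint(
        "POST", hdrs, "grant_type=refresh_token&refresh_token=" + tok["refresh_token"])
    return status, body, expired_status, status2
```

Running run_flow(AuthorizationServer(), ResourceServer(auth)) returns (200, {"user": "User1"}, 401, 200): the protected call succeeds, the same token is refused once expired, and the refresh grant issues a new pair. The page's query-string request would fail the first two checks in token_endpoint, which is the point of the caveats above.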