Monday, May 28, 2018

Securing RESTful APIs using OAuth

What is OAuth

The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf.

OAuth Roles

OAuth defines four roles:

  • resource owner:
An entity capable of granting access to a protected resource (it could be you). When the resource owner is a person, it is referred to as an end-user.
  • resource server:
The server hosting the protected resources, capable of accepting and responding to protected resource requests using access tokens.
  • client:
An application making protected resource requests on behalf of the resource owner and with its authorization. It could be a mobile app asking your permission to access your Facebook feed, a REST client calling a REST API, or a web site (Stack Overflow, for example) offering an alternative login option using a Facebook account.
  • authorization server:
The server issuing access tokens to the client after successfully authenticating the resource owner and obtaining authorization.

OAuth Authorization Grant types


An authorization grant is a credential representing the resource owner’s authorization (to access its protected resources) used by the client to obtain an access token. The specification defines four grant types:

  • authorization code
  • implicit
  • resource owner password credentials
  • client credentials

This example uses the resource owner password credentials grant type.

1. Resource Server

2. Authorization Server

3. REST API



Sending a request to /oauth/token with grant_type=password and the resource owner's credentials returns an access token and a refresh token:

http://localhost:8080/Securing_RESTful_API_with_OAuth/oauth/token?grant_type=password&username=User1&password=abc123


Use the access token you received to access the protected resource:
GET http://localhost:8080/Securing_RESTful_API_with_OAuth/user/?access_token=3525d0e4-d881-49e7-9f91-bcfd18259109
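The two requests above, modelled end to end as an added example (not the blog's or the project's own code): an in-memory authorization server handling the password grant and refresh-token grant from RFC 6749, and a resource server that accepts only a valid, unexpired bearer token. The user store, salt, token lifetime and single-use refresh tokens are assumptions for the demo; credentials travel in the POST body and the token in an Authorization header, as the spec requires, rather than in the URL query string shown above.

```python
import hashlib
import hmac
import secrets
import time

# Constructed demo user store: PBKDF2 hashes, never plaintext passwords (assumption).
_SALT = b"constructed-demo-salt"


def _hash_password(pw: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), _SALT, 100_000)


USERS = {"User1": _hash_password("abc123")}   # same credentials as the request above
ACCESS_TTL = 3600                              # seconds; assumed, not from the page
ACCESS_TOKENS = {}                             # access_token  -> (username, expires_at)
REFRESH_TOKENS = {}                            # refresh_token -> username


def token_endpoint(form, now=None):
    """POST /oauth/token (authorization server). Returns (http_status, body)."""
    now = time.time() if now is None else now
    grant = form.get("grant_type")
    if grant == "password":
        # Always hash so a wrong username costs the same time as a wrong password.
        candidate = _hash_password(form.get("password", ""))
        stored = USERS.get(form.get("username"))
        if stored is None or not hmac.compare_digest(stored, candidate):
            return 400, {"error": "invalid_grant"}
        user = form["username"]
    elif grant == "refresh_token":
        # Refresh tokens are single-use here: pop() rotates them on every exchange.
        user = REFRESH_TOKENS.pop(form.get("refresh_token"), None)
        if user is None:
            return 400, {"error": "invalid_grant"}
    else:
        return 400, {"error": "unsupported_grant_type"}
    access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
    ACCESS_TOKENS[access] = (user, now + ACCESS_TTL)
    REFRESH_TOKENS[refresh] = user
    return 200, {"access_token": access, "token_type": "bearer",
                 "expires_in": ACCESS_TTL, "refresh_token": refresh}


def resource_endpoint(headers, now=None):
    """GET /user/ (resource server): accept only a valid, unexpired bearer token."""
    now = time.time() if now is None else now
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, {"error": "invalid_request"}
    entry = ACCESS_TOKENS.get(auth[len("Bearer "):])
    if entry is None or entry[1] <= now:
        return 401, {"error": "invalid_token"}
    return 200, {"user": entry[0]}
```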


