Chapter 2. The OAuth dance


This chapter covers

  • An overview of the OAuth 2.0 protocol
  • The different components in an OAuth 2.0 system
  • How different components communicate with each other
  • What different components communicate to each other

By now, you have a decent overview of what the OAuth 2.0 protocol is and why it’s important. You also likely have an idea of how and where you might want to use the protocol. But what steps do you have to take to make an OAuth transaction? What do you end up with when you’re done with an OAuth transaction? How does this design make OAuth secure?

2.1. Overview of the OAuth 2.0 protocol: getting and using tokens

OAuth is a complex security protocol, with different components sending pieces of information to each other in a precise balance akin to a technological dance. But fundamentally, there are two major steps to an OAuth transaction: issuing a token and using a token. The token represents the access that’s been delegated to the client and it plays a central role in every part of OAuth 2.0. Whereas the details of each step can vary based on several factors, the canonical OAuth transaction consists of the following sequence of events:

2.2. Following an OAuth 2.0 authorization grant in detail
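The two steps named in the overview above, issuing a token and then using it, carried through the authorization code grant as an added, runnable model. This is not the book's own code: the four actors the following sections name (client, authorization server, resource owner, protected resource) are plain Python objects in one process, the front-channel hop is the redirect URL the resource owner's browser would carry, and the back-channel hop is a direct call in place of an HTTPS request. The client registration values, the `foo` scope, and the in-memory token store the protected resource consults are assumptions made for the illustration.

```python
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Client registration data shared out of band with the authorization server (assumed values).
CLIENT_ID = "oauth-client-1"
CLIENT_SECRET = "oauth-client-secret-1"
REDIRECT_URI = "http://localhost:9000/callback"


class AuthorizationServer:
    """Issues one-time codes on the front channel and bearer tokens on the back channel."""
    def __init__(self, clients, token_ttl=3600):
        self.clients = clients  # client_id -> {"secret": str, "redirect_uris": [str]}
        self.codes, self.tokens, self.token_ttl = {}, {}, token_ttl

    def authorize(self, query, resource_owner_approves):
        """Authorization endpoint: returns the URL the browser is redirected back to."""
        client = self.clients.get(query["client_id"])
        # Never redirect to an unregistered URI: that would hand the code to an attacker.
        if client is None or query["redirect_uri"] not in client["redirect_uris"]:
            raise ValueError("unknown client or unregistered redirect_uri")
        if not resource_owner_approves:
            params = {"error": "access_denied", "state": query["state"]}
        else:
            code = secrets.token_urlsafe(24)
            self.codes[code] = {k: query[k] for k in ("client_id", "redirect_uri", "scope")}
            params = {"code": code, "state": query["state"]}
        return query["redirect_uri"] + "?" + urlencode(params)

    def token(self, form, client_id, client_secret):
        """Token endpoint: authenticates the client, then trades the code for a token."""
        client = self.clients.get(client_id)
        if client is None or not secrets.compare_digest(client["secret"], client_secret):
            return {"error": "invalid_client"}
        record = self.codes.pop(form.get("code"), None)  # pop: a code is single-use
        if (record is None or record["client_id"] != client_id
                or record["redirect_uri"] != form.get("redirect_uri")):
            return {"error": "invalid_grant"}
        token = secrets.token_urlsafe(32)  # opaque: the client learns nothing by parsing it
        self.tokens[token] = {"client_id": client_id, "scope": record["scope"],
                              "expires_at": time.time() + self.token_ttl}
        return {"access_token": token, "token_type": "Bearer",
                "expires_in": self.token_ttl, "scope": record["scope"]}

    def lookup(self, token):
        # Assumed shared token store consulted by the protected resource; None if unknown or expired.
        record = self.tokens.get(token)
        return None if record is None or record["expires_at"] <= time.time() else record


class ProtectedResource:
    def __init__(self, authz, required_scope):
        self.authz, self.required_scope = authz, required_scope

    def get(self, headers):
        """Accepts a bearer token and checks that it carries the scope this resource needs."""
        auth = headers.get("Authorization", "")
        if not auth.startswith("Bearer "):
            return 401, {"error": "invalid_request"}
        record = self.authz.lookup(auth[len("Bearer "):])
        if record is None:
            return 401, {"error": "invalid_token"}
        if self.required_scope not in record["scope"].split():
            return 403, {"error": "insufficient_scope"}
        return 200, {"data": "the resource owner's data", "scope": record["scope"]}


class Client:
    def __init__(self, authz):
        self.authz, self.state, self.access_token = authz, None, None

    def authorization_request(self, scope):
        """Front channel: the query string the resource owner's browser carries to the AS."""
        self.state = secrets.token_urlsafe(16)
        return {"response_type": "code", "client_id": CLIENT_ID,
                "redirect_uri": REDIRECT_URI, "scope": scope, "state": self.state}

    def handle_callback(self, redirect_url):
        """Browser returns with a code (or error); the client swaps the code on the back channel."""
        params = {k: v[0] for k, v in parse_qs(urlparse(redirect_url).query).items()}
        if params.get("state") != self.state:
            return {"error": "state_mismatch"}  # not a response to our request: discard it
        if "error" in params:
            return {"error": params["error"]}
        response = self.authz.token({"grant_type": "authorization_code", "code": params["code"],
                                     "redirect_uri": REDIRECT_URI}, CLIENT_ID, CLIENT_SECRET)
        self.access_token = response.get("access_token")
        return response

    def fetch(self, resource):
        # Using the token: present it as a bearer credential to the protected resource.
        headers = {"Authorization": "Bearer " + self.access_token} if self.access_token else {}
        return resource.get(headers)


def run_dance(approved=True, requested_scope="foo", required_scope="foo"):
    """One full transaction; returns (token endpoint response, resource HTTP status)."""
    authz = AuthorizationServer({CLIENT_ID: {"secret": CLIENT_SECRET, "redirect_uris": [REDIRECT_URI]}})
    resource, client = ProtectedResource(authz, required_scope), Client(authz)
    redirect_url = authz.authorize(client.authorization_request(requested_scope), approved)
    token_response = client.handle_callback(redirect_url)
    status, _ = client.fetch(resource)
    return token_response, status
```

Running `run_dance()` walks the whole sequence and ends with a 200 from the protected resource; `run_dance(approved=False)` shows the resource owner declining, after which the client holds no token and the resource answers 401. The checks that make the dance safe sit where they belong: the authorization server refuses to redirect to an unregistered URI, the token endpoint authenticates the client and accepts each code exactly once, the client discards any redirect whose `state` it did not issue, and the protected resource enforces scope rather than trusting the token's mere presence.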

2.3. OAuth’s actors: clients, authorization servers, resource owners, and protected resources

2.4. OAuth’s components: tokens, scopes, and authorization grants

2.5. Interactions between OAuth’s actors and components: back channel, front channel, and endpoints

2.6. Summary