Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

How do /oauth/authorize and /oauth/token interact in Spring OAuth?

I am doing an in-depth study of Spring OAuth, and I found some conflicting information.

Specifically, this tutorial states that the /oauth/token endpoint handles the username and password before granting a refresh token to the client app. By contrast, the Spring OAuth Developer Guide mentions the /oauth/authorize and /oauth/token endpoints, but yet does not get specific about how they work.

Does the /oauth/authorize do 100% of the username/password/nOtherFactors check and then signal the /oauth/token endpoint to send a refresh token to the client, so that the client then sends the refresh token to the /oauth/token endpoint?

Or is all of it handled by the /oauth/token endpoint?

Is the relationship between /oauth/authorize and /oauth/token different for different grant types? How?

like image 337
CodeMed Avatar asked Apr 29 '16 18:04

CodeMed


People also ask

How does OAuth authentication work in spring boot?

Spring Security OAuth2 − Implements the OAUTH2 structure to enable the Authorization Server and Resource Server. Spring Security JWT − Generates the JWT Token for Web security. Spring Boot Starter JDBC − Accesses the database to ensure the user is available or not. Spring Boot Starter Web − Writes HTTP endpoints.

How does authorization work in OAuth?

OAuth doesn't share password data but instead uses authorization tokens to prove an identity between consumers and service providers. OAuth is an authentication protocol that allows you to approve one application interacting with another on your behalf without giving away your password.


1 Answers

Per the OAuth 2.0 specification the authorize and token endpoints have different purposes.

Authorization endpoint is where the resource owner (user) logs in and grants authorization to the client (ex: web application running in the browser or an app running on a mobile device). This is typically used in scenarios where the resource owner's user agent (ex: browser) is redirected to the identity server (authorization server) for authentication. The resource owner's user agent will have direct access to the access token.

Token endpoint is where the client (ex: Server side API or mobile app) calls to exchange the Authorization Code, Client Id and Client Secret for an access token. In this scenario, the user agent is provided with an Authorization code only, no direct access to the access token. The client is a trusted party with access to client Id and Client secret from the authorization server (That is why I mentioned Server side API as the client).

Please read this article that has even better explanation.

like image 99
Soma Yarlagadda Avatar answered Sep 19 '22 10:09

Soma Yarlagadda