How does an OAuth2 (Bearer) token translate to an ACL

Tags:

oauth-2.0

I have been looking into OAuth2 lately and I think I understand the authorization process.

However, what I don't seem to understand is, once authorization has taken place and an access_token and a refresh_token have been established to make calls, how the decision is made, based on the access_token, whether the request can or cannot access a specific resource.

I.e. a token is sent to the server to request a photo. How does the logic on the server determine, based on the given token, that access to that particular photo is allowed or denied?

Luke asked Aug 20 '13 03:08




2 Answers

The access_token is usually an opaque artifact. There's nothing intrinsic that associates it with a resource (e.g. a specific photo). When the authorization flow starts, you typically request a specific scope that defines the access you need. If the owner of the resource consents to this access, then the request succeeds. Users can revoke access too.

All this is app-specific code. Each app defines what its scopes are and how it enforces the check.

You might want to explore Authorization Server as an example.

Eugenio Pace answered Sep 28 '22 08:09
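As an added illustration of this answer (example code, not from the answer or any real authorization server): the token is an opaque string, the resource server resolves it against the issuer's token store (or an introspection endpoint), checks that the consented scope covers the verb, and only then applies its own per-photo ACL. Every token value, user id, photo id and scope name below is constructed for the demo; the 401/403 split follows the usual bearer-token convention of "no usable token" versus "token fine, access denied".

```python
# Added example (not from the answer above): an opaque bearer token is looked
# up in the authorization server's token store, then the resource server
# applies its own, application-specific ACL check for the requested photo.
# All token values, user ids and photo ids below are constructed for the demo.
from dataclasses import dataclass


@dataclass(frozen=True)
class TokenRecord:
    """What the authorization server knows about an issued access_token."""
    user_id: str
    scopes: frozenset
    revoked: bool = False


# Constructed token store. In a real deployment this is the authorization
# server's database, or it is queried over an introspection endpoint.
TOKEN_STORE = {
    "tok_alice_read": TokenRecord("alice", frozenset({"photos:read"})),
    "tok_bob_rw": TokenRecord("bob", frozenset({"photos:read", "photos:write"})),
    "tok_alice_old": TokenRecord("alice", frozenset({"photos:read"}), revoked=True),
}

# Constructed resource ACL: each photo has an owner and an explicit share list.
PHOTOS = {
    "photo1": {"owner": "alice", "shared_with": frozenset({"bob"})},
    "photo2": {"owner": "bob", "shared_with": frozenset()},
}


def extract_bearer(headers):
    """Pull the token out of 'Authorization: Bearer <token>'; None if absent."""
    value = headers.get("Authorization", "")
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    return token.strip()


def introspect(token):
    """Resolve an opaque token to its record; None if unknown or revoked."""
    rec = TOKEN_STORE.get(token)
    if rec is None or rec.revoked:
        return None
    return rec


def can_access_photo(token, photo_id, action="read"):
    """The app-specific decision: scope grants the verb, the ACL grants the object."""
    rec = introspect(token)
    if rec is None:
        return False                      # unknown or revoked token
    if f"photos:{action}" not in rec.scopes:
        return False                      # the user never consented to this verb
    photo = PHOTOS.get(photo_id)
    if photo is None:
        return False                      # same answer as "forbidden": no enumeration hint
    if action == "read":
        return rec.user_id == photo["owner"] or rec.user_id in photo["shared_with"]
    return rec.user_id == photo["owner"]  # only the owner may write


def handle_get_photo(headers, photo_id):
    """Mimic the resource endpoint: 401 without a usable token, 403 when denied."""
    token = extract_bearer(headers)
    if token is None or introspect(token) is None:
        return 401
    return 200 if can_access_photo(token, photo_id, "read") else 403
```

Note that the scope alone never decides anything about a particular photo: `photos:read` says the user agreed to let this client read photos, and the ACL then says which photos that user may see. Both checks have to pass, and a revoked token fails before either is consulted.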


The access token is actually an encrypted object, this object defines the scopes and may re-establish the authorization.

Imagine the service provider giving you an HMAC encrypted token which makes no sense to you, but the endpoint knows how to decrypt it. On decryption, it would have info like:

{"scope":"Photos", "userID":"3refefe"}

So, basically the module handing over the token to you encrypts this JSON (or any other format) object and gives you the encrypted token. When you hit the API endpoint, it sends the token to the decryption logic, fetches this JSON object and hence knows what you are authorized to do.

This object can contain any type of info and in any format depending upon the service provider. I have described how an OAuth provider works here.

This should explain the basics of a minimalist OAuth framework.

divyanshm answered Sep 28 '22 10:09
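An added example of the self-contained token this answer describes (example code, not from the answer or any real provider): the issuer base64-encodes the JSON claims and appends an HMAC-SHA256 tag under a key it shares with the resource server; the endpoint recomputes the tag, rejects anything tampered or expired, and only then trusts the `scope` and `userID` it reads out. One caveat worth keeping in mind when building this: an HMAC authenticates the claims but does not hide them, so whoever holds the token can read them, and confidentiality needs real encryption on top. The key, the `exp` claim, the user id and the scope names are constructed for the demo.

```python
# Added example (not from the answer above): a self-contained access token whose
# JSON claims are protected by an HMAC tag rather than encrypted. The resource
# server verifies the tag with the key it shares with the issuer, rejects expired
# or tampered tokens, and then reads the scope from the verified claims.
# The key, user id, scope names and timestamps are constructed for the demo.
import base64
import hashlib
import hmac
import json
import time

# Constructed key shared between the token issuer and the resource server.
SERVER_KEY = b"constructed-demo-key-not-for-real-use"


def _b64(raw):
    """URL-safe base64 without padding, as a str."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64(text):
    """Inverse of _b64; raises ValueError (binascii.Error is a subclass) on bad input."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_id, scopes, ttl_seconds, key=SERVER_KEY, now=None):
    """Issuer side: encode the claims and append an HMAC-SHA256 tag over them."""
    now = int(time.time()) if now is None else now
    claims = {"userID": user_id, "scope": " ".join(sorted(scopes)), "exp": now + ttl_seconds}
    body = _b64(json.dumps(claims, separators=(",", ":")).encode("utf-8"))
    tag = _b64(hmac.new(key, body.encode("ascii"), hashlib.sha256).digest())
    return body + "." + tag


def verify_token(token, key=SERVER_KEY, now=None):
    """Resource-server side: return the claims only if tag and expiry check out."""
    now = int(time.time()) if now is None else now
    try:
        body, tag = token.split(".")
        presented = _unb64(tag)
        expected = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
    except ValueError:
        return None                      # malformed token
    if not hmac.compare_digest(presented, expected):
        return None                      # forged or altered: the claims are untrusted
    try:
        claims = json.loads(_unb64(body))
    except ValueError:
        return None
    exp = claims.get("exp") if isinstance(claims, dict) else None
    if not isinstance(exp, int) or exp <= now:
        return None                      # expired or malformed claims
    return claims


def has_scope(claims, required):
    """Scopes are space-separated, as in the OAuth 2.0 scope parameter."""
    return required in claims.get("scope", "").split()
```

The order of checks matters: the tag is compared with `hmac.compare_digest` before the body is parsed, so a token with a bad tag never reaches the JSON parser, and the `exp` check means a leaked token stops working on its own even without a revocation list.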