Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

OAuth 2 is a protocol or a framework?

Tags:

frameworks

oauth

oauth-2.0

protocols

Actually, my question is in the title of the post itself. So, really, in RFC OAuth called framework, but in a lot of articles, it's called protocol. So what is the proper name and why?

As I know protocol is a set of rules - and it seems to be relevant in that case. Under the framework, I usually understand a set of some components (e.g. programming language classes) that would be helpful in some process (e.g. development).

Can somebody clarify it to me? Thanks a lot!

like image 595
nowiko Avatar asked Jan 28 '16 19:01

nowiko

2 Answers

From IETF site:

Memos in the Requests for Comments (RFC) document series contain technical and organizational notes about the Internet. They cover many aspects of computer networking, including protocols, procedures, programs, and concepts, as well as meeting notes, opinions, and sometimes humor.

For instance, RFC 791, published back in 1981, describes the Internet Protocol. It describes how it works, and provides pseudo-code, describing how the protocol should be implemented. It does not provide any code in the "framework" or "toolset" sense, and does not tell how an actual Internet router should be designed.

The same goes with RFC 6749 (OAuth 2) - the RFC describes the protocol and discusses how it should be implemented.

In OAuth's case RFC talks both about a protocol and a framework more or less as synonyms. The same goes on e.g. in oauth.net site, even on the front page. The name of the RFC itself is "The OAuth 2.0 Authorization Framework". So, semantically I think both "protocol" and "framework" are correct in this case.

But in practice you can just think about RFC as "protocol definition", and actual protocol implementations (that you can utilize) on different languages as "frameworks" in the meaning you described in the question.

like image 179
Sami Avatar answered Dec 06 '22 20:12

Sami

To get a good explanation about it, I think it worths to watch the follow video about OAuth 2.0 by Eran Hammer.

https://vimeo.com/52882780

Here, you can understand why the title of RFC 6749 was changed to Framework instead of Protocol. In few words, OAuth 2.0 isn't interoperable as detailed at section 1.8 from RFC 6749:

However, as a rich and highly extensible framework with many optional components, on its own, this specification is likely to produce a wide range of non-interoperable implementations.

I hope this better helps you understand.

like image 40
aeloy Avatar answered Dec 06 '22 20:12

aeloy
Sign in to Comment

Related questions

How to use OAuth with Forms auth
Where should I inject Bearer tokens into $http in AngularJS?
authorization code for Github API used in R
error: failed to write, failed to open stream, pecl install oauth on mac osx el capitan
How can we get the phone number with Google OAuth API and facebook API used for social login?
Keycloak Access Token vs UserInfo token?
Must be a top private domain
OAuth + Twitter on Android: Callback fails
Yahoo BOSS V2 authorization troubles
MVC OAUTH VS2012 template, where to enter the redirect_uri?
ASP.NET Identity (with IdentityServer4) get external resource oauth access token
OAuth Simple Service Provider
Not getting refresh token in YouTube OAuth
OAuth1.0 header in Node.js
Can I avoid baking my Twitter API consumer secret into my iPhone app binary?
Why is my Twitter app returning a port error?
No refresh_token in SalesForce OAuth Response
Implementing OAuth 1.0 in an iOS app
Use External Access Token or Local Access Token
Does OAuth 2.0 always require a browser in the flow

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!