I need to create my own OAuth provider to validate third-party application requests; I do not want to use the Google, Twitter, LinkedIn or Microsoft providers. I have to create my own provider to authenticate requests and return an access token to the client. But all the help on the net is related to external providers (Google, LinkedIn, Twitter, Facebook...). Can anyone help me with creating my own custom provider?
OAuth doesn't share password data but instead uses authorization tokens to prove an identity between consumers and service providers. OAuth is an authentication protocol that allows you to approve one application interacting with another on your behalf without giving away your password.
OAuth 2.0, which stands for “Open Authorization”, is a standard designed to allow a website or application to access resources hosted by other web apps on behalf of a user. It replaced OAuth 1.0 in 2012 and is now the de facto industry standard for online authorization.
OpenID Connect (OIDC) is an identity layer built on top of the OAuth 2.0 framework. It allows third-party applications to verify the identity of the end-user and to obtain basic user profile information. OIDC uses JSON web tokens (JWTs), which you can obtain using flows conforming to the OAuth 2.0 specifications.
As Roland said, if you get through the spec it's pretty straightforward.
At a high level, this is what you will need to do to support the AuthCode grant pattern:
Assuming your application owns the users.
When the client hits the authorize endpoint like below:
/authorize?response_type=code&client_id=<clientID>&state=xyz&redirect_uri=http://thirdparty.com
Sample callback:
https://thirdparty.com/cb?code=SplxlOBeZQQYbYS6WxSbIA&state=xyz
The client will then call the /token URI with the auth code, something like below:
/token?grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA&redirect_uri=http://thirdparty.com
Generate a token, store it against the clientID and UserId, and respond back with the token. Something like below:
{
"access_token":"2YotnFZFEjr1zCsicMWpAA",
"token_type":"example",
"expires_in":3600,
"refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA",
"example_parameter":"example_value"
}
When the third party accesses your services/resources, validate the token against the client and user id and grant or deny access.
This is enough to get started, but there is a lot more customization you can do with scopes and other OAuth2 patterns.
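Below is an added example, not code from the answer above or from any library, that walks the three steps the answer describes (authorize endpoint issues a code, token endpoint exchanges it, resource server validates the token) as plain Python functions with in-memory storage. The client registry, client_secret, redirect_uri and user id are constructed sample values. It adds the checks a practitioner would want at each step: exact redirect_uri matching before a code is handed out, single-use and short-lived codes, client authentication at the token endpoint, and token expiry on validation.

```python
"""Minimal in-memory OAuth 2.0 authorization-code flow (added example).

Assumptions (not from the original answer): clients are pre-registered with a
client_secret and one exact redirect_uri, and the user has already logged in
and consented, so authorize() receives an authenticated user_id directly.
"""
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

CODE_TTL = 60      # seconds an authorization code stays valid
TOKEN_TTL = 3600   # seconds an access token stays valid

# Constructed sample client registry; a real server keeps this in a database.
CLIENTS = {
    "client123": {
        "client_secret": "s3cret",
        "redirect_uri": "https://thirdparty.com/cb",
    },
}

_codes = {}    # code -> {client_id, user_id, redirect_uri, expires}
_tokens = {}   # access_token -> {client_id, user_id, expires}


def authorize(response_type, client_id, redirect_uri, state, user_id, now=None):
    """Step 1: /authorize. Returns the callback URL carrying a one-time code."""
    now = time.time() if now is None else now
    client = CLIENTS.get(client_id)
    if client is None or response_type != "code":
        raise ValueError("unknown client or unsupported response_type")
    # Exact-match the registered redirect_uri before sending a code anywhere,
    # so a code can never be redirected to an attacker-controlled host.
    if redirect_uri != client["redirect_uri"]:
        raise ValueError("redirect_uri mismatch")
    code = secrets.token_urlsafe(24)
    _codes[code] = {"client_id": client_id, "user_id": user_id,
                    "redirect_uri": redirect_uri, "expires": now + CODE_TTL}
    # state is echoed back unchanged so the client can tie the callback to its request.
    return f"{redirect_uri}?{urlencode({'code': code, 'state': state})}"


def parse_callback(url):
    """Helper for the client side: pull code and state out of the callback URL."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def token(grant_type, code, redirect_uri, client_id, client_secret, now=None):
    """Step 2: /token. Exchanges a valid, unused code for an access token."""
    now = time.time() if now is None else now
    client = CLIENTS.get(client_id)
    if client is None or not secrets.compare_digest(client_secret, client["client_secret"]):
        raise PermissionError("invalid_client")
    if grant_type != "authorization_code":
        raise ValueError("unsupported_grant_type")
    entry = _codes.pop(code, None)  # pop: a code is single-use, replay fails
    if entry is None or entry["expires"] < now:
        raise PermissionError("invalid_grant")
    # The code must be redeemed by the client it was issued to, with the same redirect_uri.
    if entry["client_id"] != client_id or entry["redirect_uri"] != redirect_uri:
        raise PermissionError("invalid_grant")
    access_token = secrets.token_urlsafe(32)
    _tokens[access_token] = {"client_id": client_id, "user_id": entry["user_id"],
                             "expires": now + TOKEN_TTL}
    return {"access_token": access_token, "token_type": "Bearer", "expires_in": TOKEN_TTL}


def validate(access_token, now=None):
    """Step 3: resource-server check. Returns (client_id, user_id) or None."""
    now = time.time() if now is None else now
    entry = _tokens.get(access_token)
    if entry is None or entry["expires"] < now:
        return None
    return entry["client_id"], entry["user_id"]


if __name__ == "__main__":
    cb = parse_callback(authorize("code", "client123", "https://thirdparty.com/cb", "xyz", "user42"))
    resp = token("authorization_code", cb["code"], "https://thirdparty.com/cb", "client123", "s3cret")
    print(resp["token_type"], validate(resp["access_token"]))
```

The `now` parameter exists only so expiry can be exercised deterministically; in a real server you would also persist codes and tokens, hash the stored client secret, and attach the scopes the answer mentions to each token record so `validate` can return them to the resource server.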