OAuth - What exactly is a resource owner? When is it not an end-user?

The term "resource owner" is defined in the OAuth v2.0 Specification, as "An entity capable of granting access to a protected resource. When the resource owner is a person, it is referred to as an end-user."

My question is, when is a resource owner not an end-user? I would appreciate an explanation through examples that could be real use cases. For example, if the protected resource is a Facebook user's photo, is the resource owner Facebook or the Facebook user who uploaded the photo? Also, why should the resource owner (who is also a person) be considered an end-user if that person is not even a user of the application that is implementing OAuth? And, if the Facebook user is the resource owner, then what role does Facebook play in this exchange?

asked Jun 07 '11 17:06 by smartcaveman


2 Answers

A resource owner can be a machine, not just people. There are many cases where no humans are involved in the entire OAuth flow, especially in enterprise setups. At least, that's what I meant when I introduced the term in RFC 5849 (and later in OAuth 2.0).

answered Sep 19 '22 13:09 by Eran Hammer


Consider the situation where a resource owner is a corporation, perhaps one with a policy that enables or disables access to a resource.

Consider an example of art; let's say you want to make your domicile look better with a piece of art; there are several places you can go to (Costco, for example) where you can choose a piece of art, to have that printed on the medium of your choice in the size of your choice, and delivered to your home.

Here's the thing: Costco isn't the owner of the licensing rights for that piece of art; that's outside the realm of their business. They sell stuff; they don't collect art. What they do is negotiate with the content owner (the owner of the license for the art) for the rights to use that art in a print, which they then create and deliver to you. You pay Costco for the artwork; Costco then pays the licensor a portion of your payment for the right to use the artwork.

This works as well in the situation where you already have a relationship with the resource owner; let's say you've negotiated and purchased the rights to some music, for example. You're not the owner of the music, in that you don't have the right to resell it, but you do have the right to listen to it (this is a standard DRM situation). Now let's say that you want to play that music through a website. You can make a request to the website for that music; the website can contact the content owner (the licensor, really, but it's effectively the same) with your identification; the content owner can then decide whether or not to grant the website access to the content on your behalf, based upon your terms.

Hope that clears some things up.

answered Sep 21 '22 13:09 by Paul Sonier
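Both answers describe a resource owner that is not a person: a corporation that sets policy on who may reach a resource, or an automated system in a flow with no human in it at all. The OAuth 2.0 grant built for exactly that case is the client credentials grant (RFC 6749, section 4.4), in which a confidential client requests a token for resources under its own or its organisation's control and no end-user ever logs in or consents. The following Python is an added, self-contained simulation of that exchange and is not code from either answer or from any OAuth library; the client name, secret, scope and "report" resource are constructed, and the in-memory dicts stand in for an authorization server's client registry and token store.

```python
"""Offline simulation of the OAuth 2.0 client credentials grant.

The "resource owner" here is the corporation that operates the reports
API. It never appears as a person in the flow: it expresses its will
through the client registry (which clients exist, which scopes each may
hold, whether each is enabled). Added example; all values are constructed.
"""
import hmac
import secrets
import time

TOKEN_TTL = 3600  # seconds; constructed value

# Client registry = the corporation's (resource owner's) access policy.
CLIENT_REGISTRY = {
    "nightly-report-job": {
        "secret": "s3cret-example-only",      # constructed, never do this in prod
        "allowed_scopes": {"reports:read"},   # policy: read only, no write
        "enabled": True,                      # policy switch the owner controls
    }
}

# Token store shared by the authorization server and resource server.
ISSUED_TOKENS = {}  # access_token -> {"client_id", "scope", "exp"}


def set_client_enabled(client_id, enabled):
    """The resource owner (corporation) flips access on or off by policy."""
    CLIENT_REGISTRY[client_id]["enabled"] = enabled


def token_endpoint(params, basic_auth):
    """Authorization server: POST /token. Returns (http_status, json_body).

    Client authentication is via HTTP Basic (client_id, client_secret) as
    RFC 6749 section 2.3.1 describes; no user credentials are involved.
    """
    client_id, client_secret = basic_auth
    reg = CLIENT_REGISTRY.get(client_id)
    # Constant-time comparison so a wrong secret leaks nothing via timing.
    if reg is None or not hmac.compare_digest(reg["secret"], client_secret):
        return 401, {"error": "invalid_client"}
    if params.get("grant_type") != "client_credentials":
        return 400, {"error": "unsupported_grant_type"}
    if not reg["enabled"]:
        # Authenticated, but the owner's policy no longer permits this grant.
        return 400, {"error": "unauthorized_client"}
    requested = set(params.get("scope", "").split()) or set(reg["allowed_scopes"])
    if not requested <= reg["allowed_scopes"]:
        return 400, {"error": "invalid_scope"}
    token = secrets.token_urlsafe(32)
    ISSUED_TOKENS[token] = {
        "client_id": client_id,
        "scope": requested,
        "exp": time.time() + TOKEN_TTL,
    }
    return 200, {
        "access_token": token,
        "token_type": "Bearer",
        "expires_in": TOKEN_TTL,
        "scope": " ".join(sorted(requested)),
    }


def resource_endpoint(bearer_token, required_scope):
    """Resource server: validate the bearer token, then enforce scope."""
    info = ISSUED_TOKENS.get(bearer_token)
    if info is None or info["exp"] < time.time():
        return 401, {"error": "invalid_token"}
    if required_scope not in info["scope"]:
        return 403, {"error": "insufficient_scope"}
    return 200, {"report": "nightly totals", "served_to": info["client_id"]}


def run_batch_job(scope="reports:read"):
    """The machine client end to end: get a token, then call the API."""
    status, body = token_endpoint(
        {"grant_type": "client_credentials", "scope": scope},
        ("nightly-report-job", "s3cret-example-only"),
    )
    if status != 200:
        return status, body
    return resource_endpoint(body["access_token"], "reports:read")


if __name__ == "__main__":
    print(run_batch_job())                  # 200, report served to the job
    print(run_batch_job("reports:write"))   # 400, invalid_scope: policy says read only
    set_client_enabled("nightly-report-job", False)
    print(run_batch_job())                  # 400, unauthorized_client: owner revoked access
```

Note the two points the answers make, visible in the code: every decision about access is made from the registry the corporation controls, not from a user prompt, and disabling the client is the corporation's policy switch acting as resource owner. A photo on a social network would instead use the authorization code grant, where the person who uploaded it is the resource owner and the platform is only the authorization and resource server.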