Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Why is OAuth designed to have request token and access token?

In the OAuth protocol, a service consumer will ask a user to authorize a request token in the service provider domain, then exchanges the request token for a access token from the service provider.

I'm wondering why OAuth is designed to have two tokens in the protocol.

Why not just use one single token in this process? That is, the user would authorize the token, and the service consumer would retrieve info from the provider with the token.

like image 755
Morgan Cheng Avatar asked Aug 27 '10 13:08

Morgan Cheng


People also ask

Why does OAuth v2 have both access and refresh tokens?

This simplifies access token validation and makes it easier to scale and support multiple authorization servers. There is a window of time when an access token is valid, but authorization is revoked.

What is the purpose of OAuth token?

OAuth doesn't share password data but instead uses authorization tokens to prove an identity between consumers and service providers. OAuth is an authentication protocol that allows you to approve one application interacting with another on your behalf without giving away your password.

Why do we need authorization code and access token?

The authorization code is a temporary code that the client will exchange for an access token. The code itself is obtained from the authorization server where the user gets a chance to see what the information the client is requesting, and approve or deny the request.

What is OAuth request token?

This is the first step in the OAuth 1.0a 3-legged OAuth flow, which can be used to generate a set of user Access Tokens. It is also the first step for Sign in with Twitter. A successful request to this endpoint allows an App to obtain an OAuth Request Token to request user authorization.


2 Answers

For usability and security reasons.

From the Beginner’s Guide to OAuth:

https://hueniverse.com/beginners-guide-to-oauth-part-iii-security-architecture-e9394f5263b5

... While mostly an artifact of how the OAuth specification evolved, the two-Token design offers some usability and security features which made it worthwhile to stay in the specification. OAuth operates on two channels: a front-channel which is used to engage the User and request authorization, and a back-channel used by the Consumer to directly interact with the Service Provider. By limiting the Access Token to the back-channel, the Token itself remains concealed from the User. This allows the Access Token to carry special meanings and to have a larger size than the front-channel Request Token which is exposed to the User when requesting authorization, and in some cases needs to be manually entered (mobile device or set-top box).

===

Note that this question is a dupe of

Why must we "change temporary credentials for token credentials" in OAuth?

If the explanation from the Beginner’s Guide isn't clear, then go read @npdoty's take on it .

like image 76
Bert F Avatar answered Oct 20 '22 10:10

Bert F


From The Official OAuth 1.0 Guide

The OAuth protocol enables websites or applications (Consumers) to access Protected Resources from a web service (Service Provider) via an API, without requiring Users to disclose their Service Provider credentials to the Consumers. More generally, OAuth creates a freely-implementable and generic methodology for API authentication.

An example use case is allowing printing service printer.example.com (the Consumer), to access private photos stored on photos.example.net (the Service Provider) without requiring Users to provide their photos.example.net credentials to printer.example.com.

OAuth does not require a specific user interface or interaction pattern, nor does it specify how Service Providers authenticate Users, making the protocol ideally suited for cases where authentication credentials are unavailable to the Consumer, such as with OpenID.

OAuth aims to unify the experience and implementation of delegated web service authentication into a single, community-driven protocol. OAuth builds on existing protocols and best practices that have been independently implemented by various websites. An open standard, supported by large and small providers alike, promotes a consistent and trusted experience for both application developers and the users of those applications.

To sum up what that said basically the user gives a username and password to for an OAuth request token. You give the service that wants to connect to something using OAuth the request token and they receive the access token. This makes it so that the service never sees/uses the username and password.

like image 34
Conceited Code Avatar answered Oct 20 '22 12:10

Conceited Code