...
When discussing the OAuth flow it is important to define some of the common terms clearly. The terms used throughout this document are defined below.
Term | a.k.a. | Definition | Example |
---|---|---|---|
Resource | | The protected data or service. | Mary's Facebook account. |
Resource Owner | User | The entity that grants permission to use a Resource. Often also the user of the application. | Mary |
Resource Server | API Server | The server that hosts the Resource. | Facebook's data server |
Client | Application | The application that wants to use the Resource. | GreetingCardMaker |
Authorization Server | Token Manager | The server responsible for authenticating the Resource Owner and determining their consent. The Resource Server trusts the Authorization Server and they are almost always run by the same organization. Often the Resource Server and Authorization Server are the same thing. | Facebook's OAuth server |
Client ID & Secret | App Username/Password | The credentials that a Client application uses to authenticate with the Authorization Server. These are usually generated when the Client is registered with the Authorization Server. The Client ID is public; the Client Secret must be kept confidential. | |
Username & Password | | The credentials that the Resource Owner uses to authenticate with the Authorization Server. They are entered only at the Authorization Server and are never shared with the Client. | Mary's Facebook username and password. |
OAuth Token | Bearer Token, Access Token | A short-lived token that is issued to the Client by the Authorization Server after authenticating the Resource Owner and obtaining their permission. Whoever holds it can use it, so it must be protected in transit (TLS) and at rest. | A short random string. |
Authorization Grant | Grant Code, Authorization Code | A representation of the Resource Owner's consent for the Resource to be released to a Client. The Authorization Grant is provided by the Client to the Authorization Server (along with the Client ID & Secret) in exchange for an OAuth Token. Each Authorization Grant is limited to a specific Client, Resource Owner and Scope, and can be exchanged only once. | A short random string. |
Scope | | A subset of the Resource that the Client is asking permission to use. | Facebook photos, contacts, status, etc. |
Authorization Code - Trusted Application
...
- The Client ID & Secret are compiled into (or configured on) the application. This is only safe for a trusted application that runs on a server the Client's operator controls; a secret shipped inside a browser or mobile app can be extracted by anyone who installs it.
- Users of the application are redirected to the Authorization Server to authenticate and provide their consent. The Client ID, the requested Scope and the Client's redirect URL are encoded in the URL, together with an unguessable `state` value that the Client will check when the user is sent back.
- The Authorization Server redirects the user back to the Client's registered redirect URL with an Authorization Grant (and the same `state`) in the URL.
- The Client sends the Authorization Grant together with its Client ID & Secret directly to the Authorization Server (server to server, not through the user's browser).
- The Authorization Server verifies the Client Secret and checks that the Grant was issued to that Client and has not expired or been used before, then returns an OAuth Token.
- The Client invokes APIs on the Resource Server, passing along the OAuth Token (typically in an `Authorization: Bearer ...` header).
...