oauth tutorial - OAuth Authenticated Requests - oauth2 tutorial - oauth authentication
What is authentication?
- Authentication in the context of a user accessing an application tells an application who the current user is and whether or not they're present.
- A full authentication protocol will probably also tell you a number of attributes about this user, such as a unique identifier, an email address, and what to call them when the application says "Good Morning".
- Authentication is all about the user and their presence with the application, and an internet-scale authentication protocol needs to be able to do this across network and security boundaries.
- The request to the authorization endpoint is the first step of the authorization code grant: the authorization server authenticates the resource owner, obtains consent, and redirects the user agent back to the client with an authorization code, which the client then exchanges at the token endpoint for an access token to the owner's protected resources.
- Only the client identifier is sent to the authorization endpoint. The client's own credentials (such as a client secret) are presented at the token endpoint, and the resource owner's credentials are entered directly at the authorization server, never handed to the client.
Making Authenticated Requests:
- The end result of all the grant types is obtaining an access token.
- Now that you have an access token, you can make requests to the API. With cURL this is a single request that carries the token in the Authorization header as a Bearer credential.
- That's it! Make sure you always send requests over HTTPS and never disable certificate validation or ignore certificate errors. TLS is the only thing protecting the token and the request from being intercepted, replayed, or modified, and a bearer token is usable by anyone who obtains a copy of it.
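As an added example (not code from this tutorial), here is the same authenticated request written in Python, together with the check a resource server performs on the other side. It uses only the standard library; the host api.example.com, the realm name "api" and the token values are placeholders invented for the demo.

```python
import re
import ssl
import urllib.request
from urllib.parse import urlsplit

# RFC 6750 section 2.1: the credential is "Authorization: Bearer <b64token>".
_BEARER_RE = re.compile(r"^Bearer +([A-Za-z0-9\-._~+/]+=*)$")


def uses_tls(url):
    """True only for https:// URLs; a bearer token must never travel in clear text."""
    return urlsplit(url).scheme == "https"


def build_api_request(url, access_token):
    """Client side: a urllib Request presenting the access token as a Bearer credential."""
    if not uses_tls(url):
        raise ValueError(f"refusing to send a bearer token over {url!r}: HTTPS required")
    if not access_token or any(c.isspace() for c in access_token):
        raise ValueError("access token must be a single non-empty token")
    return urllib.request.Request(
        url,
        headers={"Authorization": f"Bearer {access_token}", "Accept": "application/json"},
        method="GET",
    )


def send(request, timeout=10.0):
    """Perform the request with certificate chain and hostname verification ON.

    ssl.create_default_context() loads the platform CA store and verifies both
    the chain and the hostname. Do not "fix" a certificate error by switching to
    ssl._create_unverified_context() or setting check_hostname=False and
    verify_mode=ssl.CERT_NONE: that is exactly the invalid-certificate mistake.
    """
    ctx = ssl.create_default_context()
    with urllib.request.urlopen(request, timeout=timeout, context=ctx) as resp:
        return resp.read()


def check_bearer(headers, valid_tokens):
    """Resource-server side: decide whether a request is authenticated.

    headers is a name -> value dict, valid_tokens the set of live token strings
    (a real server would look the token up or validate its signature instead).
    Returns (http_status, response_headers); failures carry the WWW-Authenticate
    challenge and error codes defined in RFC 6750 section 3.
    """
    auth = headers.get("Authorization") or headers.get("authorization")
    if auth is None:
        # No credential at all: challenge without an error code.
        return 401, {"WWW-Authenticate": 'Bearer realm="api"'}
    match = _BEARER_RE.match(auth)
    if match is None:
        # Wrong scheme or malformed token: invalid_request is a 400.
        return 400, {"WWW-Authenticate": 'Bearer realm="api", error="invalid_request"'}
    if match.group(1) not in valid_tokens:
        # Expired, revoked or unknown token: invalid_token is a 401, and the
        # client should obtain a fresh token rather than retry with this one.
        return 401, {"WWW-Authenticate": 'Bearer realm="api", error="invalid_token"'}
    return 200, {}


if __name__ == "__main__":
    # Constructed values: a token the server knows and one it does not.
    live_tokens = {"2YotnFZFEjr1zCsicMWpAA"}
    for token in ("2YotnFZFEjr1zCsicMWpAA", "stale-token"):
        req = build_api_request("https://api.example.com/me", token)
        status, extra = check_bearer(dict(req.header_items()), live_tokens)
        print(token, "->", status, extra)
    # send(req) is the real network call; it is not issued here so the demo runs offline.
```

Run stand-alone it builds the request and feeds its headers into check_bearer, showing a 200 for the known token and a 401 with error="invalid_token" for the stale one; send() is the only part that touches the network. The equivalent cURL call is `curl -H 'Authorization: Bearer <access_token>' https://api.example.com/me`, with no `-k`/`--insecure` flag.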
The authorization request (the request the client sends to the authorization endpoint) contains the following parameters:
- response_type: a required parameter, set to 'code' to request an authorization code.
- If the 'response_type' parameter is missing, the authorization server returns an 'invalid_request' error; if it is present but not supported, it returns 'unsupported_response_type'.
- The authorization request also fails when the redirect URI is invalid or does not match the registered value, or when the client identifier is invalid. In those cases the authorization server must not redirect the user agent to the supplied redirect URI; it informs the resource owner of the error instead.
- client_id: a required parameter that identifies the client; the value is issued by the authorization server when the client registers.
- The identifier is unique within that authorization server. It is not a secret and does not by itself authenticate the client.
- Where the client does authenticate (at the token endpoint, for confidential clients), the authorization server may accept any form of client authentication that meets its security requirements.
- The client must not use more than one authentication method in a single request.
- redirect_uri: an optional parameter giving the URI to which the authorization server redirects the user agent once the request has been handled. It is required when the client has registered more than one redirection URI, or none at all.
- When the authorization request includes a redirection URI, the authorization server compares it with the registered redirection URIs using exact string comparison; prefix or wildcard matching would let an attacker have the authorization code delivered to a host under their control.
- scope: an optional parameter listing the access scopes the client is requesting, as a space-delimited list of case-sensitive strings.
- A client can request an access token using only its client credentials (the client credentials grant) when the requested scope is limited to protected resources under the client's own control.
- The scope value should not carry sensitive resource owner information: it travels through the user agent and may be logged, kept in browser history, or sent over an insecure channel.
- state: an optional but strongly recommended parameter. It is an opaque value the client generates to keep state between the authorization request and the callback, and the authorization server includes it when redirecting the user agent back to the client.
- If the authorization request includes a state value, the authorization server returns exactly that value in the redirect. The client must compare it with the value it stored for the user's session and reject the callback on a mismatch; this is what protects the redirection endpoint against cross-site request forgery.
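The parameter list above, worked through in Python as an added example (not code from this tutorial): the client builds the authorization request, the authorization server validates it, and the client checks the callback. The authorization endpoint as.example.com, the client registration (client_id, redirect URI, scope names) and the sample authorization code are invented for the demo; only the standard library is used.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed client registration, as the authorization server would store it
# (the client_id, redirect URI and scope names are invented for this example).
REGISTERED_CLIENTS = {
    "s6BhdRkqt3": {
        "redirect_uris": {"https://client.example.org/cb"},
        "scopes": {"profile", "email"},
    },
}


def query_params(url):
    """Parse the query string of a URL into a flat name -> value dict."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def build_authorization_request(auth_endpoint, client_id, redirect_uri, scopes):
    """Client side. Returns (url, state); the caller stores state in the user's session."""
    state = secrets.token_urlsafe(32)   # unguessable and unique per authorization attempt
    params = {
        "response_type": "code",        # ask for an authorization code
        "client_id": client_id,
        "redirect_uri": redirect_uri,   # must equal the registered value exactly
        "scope": " ".join(scopes),      # space-delimited list (RFC 6749 section 3.3)
        "state": state,
    }
    return f"{auth_endpoint}?{urlencode(params)}", state


def validate_authorization_request(query, registered=REGISTERED_CLIENTS):
    """Authorization-server side. query is the parsed request (name -> value).

    Returns a dict whose "action" is one of:
      "reject"       bad client_id or redirect_uri: show the error to the resource
                     owner and never redirect (the redirect target is untrusted)
      "redirect"     known client, bad request: send error (and state) to redirect_uri
      "authenticate" request is sound: authenticate the user and ask for consent
    """
    client = registered.get(query.get("client_id", ""))
    if client is None:
        return {"action": "reject", "reason": "unknown client_id"}
    redirect_uri = query.get("redirect_uri")
    if redirect_uri is None and len(client["redirect_uris"]) == 1:
        redirect_uri = next(iter(client["redirect_uris"]))
    # Simple string comparison (RFC 6749 section 3.1.2.3): no prefix or wildcard match.
    if redirect_uri not in client["redirect_uris"]:
        return {"action": "reject", "reason": "redirect_uri mismatch"}

    def error(code):
        params = {"error": code}
        if "state" in query:
            params["state"] = query["state"]   # echoed back exactly as received
        return {"action": "redirect", "location": f"{redirect_uri}?{urlencode(params)}"}

    response_type = query.get("response_type")
    if response_type is None:
        return error("invalid_request")
    if response_type != "code":
        return error("unsupported_response_type")
    requested = set(query.get("scope", "").split())
    if not requested <= client["scopes"]:
        return error("invalid_scope")
    return {"action": "authenticate", "client_id": query["client_id"],
            "redirect_uri": redirect_uri, "scope": sorted(requested),
            "state": query.get("state")}


def parse_callback(callback_url, expected_state):
    """Client side, at the redirect_uri. Returns (code, None) or (None, reason).

    The state check runs first: a callback whose state does not match the one
    stored for this session was not started by this user and is discarded.
    """
    q = query_params(callback_url)
    got = q.get("state", "")
    if not expected_state or not hmac.compare_digest(got.encode(), expected_state.encode()):
        return None, "state mismatch: callback was not started by this session"
    if "error" in q:
        return None, f"authorization server returned error={q['error']}"
    if "code" not in q:
        return None, "callback carries neither code nor error"
    return q["code"], None


if __name__ == "__main__":
    url, state = build_authorization_request(
        "https://as.example.com/authorize", "s6BhdRkqt3",
        "https://client.example.org/cb", ["profile", "email"])
    print("authorization URL:", url)
    print("server decision:", validate_authorization_request(query_params(url)))
    print("good callback:", parse_callback(
        f"https://client.example.org/cb?code=SplxlOBeZQQYbYS6WxSbIA&state={state}", state))
    print("forged callback:", parse_callback(
        "https://client.example.org/cb?code=attacker&state=guess", state))
```

The two failure classes are kept apart on purpose: an unknown client_id or a redirect_uri that is not an exact registered match ends with "reject" and no redirect, while a missing response_type or an unknown scope is reported to the registered redirect_uri with the state echoed back. On the client, the state comparison happens before the code is even looked at, so a callback an attacker crafts for the victim's browser is dropped.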