Copyright © Cloud Software Group, Inc. All Rights Reserved


Chapter 13 OAuth Server : OAuth Flows

OAuth Flows
The OAuth server supports the following OAuth flows:
Authorization Code
In the authorization code flow, the owner of the data is the user who is using the application. The OAuth server authenticates the user and asks the user to grant the client access to the data. The client application does not have access to the user's credential, and the scope of the data access is known to the user. The OAuth provider also authenticates the client using the client ID and secret before an access token is given to the client.
For details of the authorization code flow, refer to section 4.1, "Authorization Code Grant", of RFC 6749, "The OAuth 2.0 Authorization Framework", found at the following location:
https://tools.ietf.org/html/draft-ietf-oauth-v2-31
The following is an example scenario of this flow:
Refer to the following APIs:
Client Credential
The client does not need the credential of the user who uses the application. The client uses its own credential to get the data from the resource server. The OAuth server authenticates the client using the client ID and client secret of the client.
For details of the client credential flow, refer to section 4.4, "Client Credentials Grant", of RFC 6749, "The OAuth 2.0 Authorization Framework", found at the following location:
https://tools.ietf.org/html/draft-ietf-oauth-v2-31
The following is an example scenario of this flow:
Refer to the following APIs:
Password Credential
In the password credential flow, the owner of the data is the user who is using the application. The difference between the password credential flow use case and the authorization code flow use case is that the application has access to the user's credential. This use case usually applies to applications designed for mobile devices, where the user credential is stored on the mobile device.
For details of the password credential flow, refer to section 4.3, "Resource Owner Password Credentials Grant", of RFC 6749, "The OAuth 2.0 Authorization Framework", found at the following location:
https://tools.ietf.org/html/draft-ietf-oauth-v2-31
The following is an example scenario of this flow:
Refer to the following APIs:
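The following is an added example, not code from this product or its APIs. It sketches the checks a token endpoint applies to the three flows above: client authentication with the client ID and secret, then the parameters each grant type must carry, using the parameter names and error codes of RFC 6749. The client registry, the function names, the use of HTTP Basic for client authentication (RFC 6749 section 2.3.1) and the choice to require client authentication for every grant are assumptions.

```python
import base64
import hmac
from urllib.parse import parse_qs

# Constructed client registry (assumption): client_id -> client_secret.
CLIENTS = {"demo-client": "s3cr3t-constructed"}

# Parameters each grant must carry (RFC 6749 sections 4.1.3, 4.3.2, 4.4.2).
# redirect_uri is also required for authorization_code when it was sent in
# the authorization request; that state is outside this sketch.
REQUIRED = {
    "authorization_code": ("code",),
    "password": ("username", "password"),
    "client_credentials": (),
}


def authenticate_client(authorization_header, clients=CLIENTS):
    """Return the client_id if the HTTP Basic credentials match, else None."""
    scheme, _, encoded = (authorization_header or "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(encoded, validate=True).decode()
    except ValueError:  # bad base64 or bad UTF-8
        return None
    client_id, _, secret = decoded.partition(":")
    expected = clients.get(client_id)
    # Constant-time comparison; unknown IDs are compared against a dummy value.
    ok = hmac.compare_digest(secret.encode(), (expected or "\0").encode())
    return client_id if expected is not None and ok else None


def check_token_request(authorization_header, body, clients=CLIENTS):
    """Return (status, error) for a form-encoded token request.

    (200, None) means the request passed these checks, not that a token
    was issued. Error codes follow RFC 6749 section 5.2.
    """
    if authenticate_client(authorization_header, clients) is None:
        return 401, "invalid_client"
    form = parse_qs(body, keep_blank_values=True)
    grants = form.get("grant_type", [])
    if len(grants) != 1 or any(len(v) != 1 for v in form.values()):
        return 400, "invalid_request"  # missing or repeated parameter
    if grants[0] not in REQUIRED:
        return 400, "unsupported_grant_type"
    if any(not form.get(name, [""])[0] for name in REQUIRED[grants[0]]):
        return 400, "invalid_request"
    return 200, None
```

Only the password grant puts the user's credential in the request the client builds; the authorization code grant carries a code instead, and the client credential grant carries nothing beyond the client's own ID and secret.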
