-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathw4_3_OAuth
82 lines (70 loc) · 4.08 KB
/
w4_3_OAuth
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
OAuth and User Authentication
---------------------------------
OAuth providers -> Facebook, Google, Microsoft, Instagram, GitHub ,etc;
OAuth 1 and OAuth 2
--------------------
-> Authorization Protocols;
-> Authorization framework based on open standards for Internet users to log into third party websites/apps using their
Social Network accounts;
-> Facebook, Google, Twitter, Microsoft, Instagram, Github, DigitalOcean, etc;
-> OpenID is a related but complementary service;
-> OAuth 1 protocol
-------------------
- First evolved from Twitter (Blaine Cook)
- IETF RFC 5849
-> OAuth 2 protocol
--------------------
- Focuses on simplifying client development
- IETF RFC 6749
- Bearer token usage IETF RFC 6750;
OAuth 2 Roles
--------------------
* Resources owner: You, the user that authorize a client application to access their account;
* Client Application: Application (website/app) that wants access to the resource server to obtain information about you;
* Resource Server: Server hosting protected data (e.g., your personal information)
* Authorization Server: Server that issues an access token to the client appplication to request resource from the resource server;
OAuth 2 Tokens
---------------
-> The Access token is issued by the authorization server that is part of OAuth 2 service provider;
-> The client application approaches the OAuth 2 service provider upon the users authorization, Authorization server issues
token to client application;
-> Access token : allows access to user data by the client application;
* Has limited lifetime;
* Needs to be kept confidential;
* Scope: parameters used to limit the rights of the access token;
-> Refresh token : Used to refresh an expired access token;
Client Application Registration
--------------------------------
-> In order to access the OAuth service provider, every client application needs to register with the OAuth service provider,
through a registration process;
-> Register the client appllication on OAuth service provider, and obtain:
i. Client App Id
ii. Client Secret;
- After authorization
iii. Redirect URL: URLs for the client for receiving the authorization code and access token;
Authorization Code Grant Approach
-------------------------------------
-> This is one OAuth authorization service, and is used when the client application is a web server;
-> The client application approaches the server and the server provides a long-lived access token;
_____________ OAuth Service
| | Provider
| Resource | ___________ ________________
|Owner (User)|---|-(User----| 2. User authorizes the client app----->| |
|____________| | Agent) | | |
______________ | | | Authorization |
| |--|-(browser)|-1.--User authorization request-------->| Server |
| | |__________| | |
| Client |<----3. Authorization code sent to client app---------| |
| Application |-------4. Access token request----------------------->| |
|(Rest API |<-----5. Access token granted-------------------------|________________|
| Server) | ________________
| |--6. Resource(e.g. profile) request with access token->| Resource |
| |<-----7.Resource sent----------------------------------| Server |
|_____________| |________________|
After the 7 step process, the client appliaction will then issue a JWT tpken to the resource owner;
Then the resource owner can use the JWT token to access the REST API;
Passport-Facebook Module
-----------------------------
-> Passport strategy for authenticating with Facebook usin OAuth 2.0 API;
-> npm install passport-facebook --save
-> var FacebookStrategy = require('passport-facebook').Strategy;