OAuth - andrewkyllo-401-advanced-javascript/seattle-javascript-401d34 GitHub Wiki
OAUTH2.0
Open standard for access delegation
Gives users the ability to grant an application access to a service without giving the application their password
Grants the application the ability to CRUD as you, limited to the scopes the user approved
How does OAuth work?
Application opens the "Login Using xxx" window, which asks the user to approve specific permissions (scopes)
User agrees
The remote service redirects the user back to the application with a one-time-use authorization code
The application calls a special address on the remote service (the token endpoint) to exchange that code for a token
Once the token has been granted the application can contact the remote service with that token to access information on behalf of the user
To the remote service, the token is the user: whoever holds it can act as that user, so treat it like a password
Authorization Code
To let the user grant the application permission you need to provide an <a> tag (a link) that takes them to the service's authorization page.
The link should pass the following through a query string to the authorization server:
response_type=code indicates that your server wants to receive an authorization code
client_id=<your client id> tells the authorization server which app the user is granting access to
redirect_uri=<your redirect uri> tells the auth server which server endpoint to redirect to
scope=<list of scopes> tells the auth server what you want the user to give access to
state=<random value> an opaque value the auth server echoes back unchanged on the redirect; generate it per request, keep it in the session, and reject any callback whose state does not match (this is what stops a forged callback)
Access Token
When the user grants access to the application the auth server redirects to the redirect URI you provided (your callback) with a code in the query string.
You exchange this code for an access token by making a POST request to the auth server's token endpoint with the following information:
grant_type=authorization_code
code=<the code you received>
redirect_uri=<your redirect uri> must be identical to the redirect URI sent in the authorization request
client_id=<your client id> tells the authorization server which application is making the request
client_secret=<your client secret> proves that the application making the request is the one registered under client_id; it must only be sent from your server, never from browser code