OAuth Service Flows - rramesh2000/OAuthService GitHub Wiki
These flows explain how to use OAuth Service and which API endpoint to call at each step.
** {{host}} is the base URL of the OAuth Service in the endpoints below.
Granting third party access
Use the third-party flows when you want to let third-party applications and systems access resources on a resource owner's behalf. Implementing third-party access involves three groups of flows:
- Preflows
- OAuth 2.0 flows
- Other Flows
Preflows
Register Resource Owners (Users)
Before resource owners can use OAuth Service to approve third parties, they must be registered with the service. Use the Register User API to register users.
POST {{host}}/register/user
Register clients
Before a client can ask resource owners for authorization, it must be registered with the OAuth Service; the Client_Id and Client_Secret used in the flows below belong to that registration. Use the Register Client API to register clients.
POST {{host}}/register/client
OAuth 2.0 flows
Protocol flow (RFC 6749, Figure 1: https://tools.ietf.org/html/rfc6749#page-6)
```
+--------+                               +---------------+
|        |--(A)- Authorization Request ->|   Resource    |
|        |                               |     Owner     |
|        |<-(B)-- Authorization Grant ---|               |
|        |                               +---------------+
|        |
|        |                               +---------------+
|        |--(C)-- Authorization Grant -->| Authorization |
| Client |                               |     Server    |
|        |<-(D)----- Access Token -------|               |
|        |                               +---------------+
|        |
|        |                               +---------------+
|        |--(E)----- Access Token ------>|    Resource   |
|        |                               |     Server    |
|        |<-(F)--- Protected Resource ---|               |
+--------+                               +---------------+
```
(A)- Authorization Request
The client redirects the resource owner (user) to OAuth Service, which presents a login screen. The resource owner enters their credentials to identify themselves, is then shown an approval screen listing the requested scope, and approves the request.
GET {{host}}/auth?Response_Type=code&Client_Id=A12D3F38-89BB-42DB-925C-7D78D864C7E3&Client_Secret=bZGfydENxGcU6xH97CNpgV7MI337wR07YAjG2uwjgIA=&Redirect_Uri=REDIRECT_URI&Scope=photos&State=1234zyx
Two things to note about this request. It passes Client_Secret on the query string of a URL that travels through the user's browser, so the secret ends up in browser history, Referer headers and web server logs; RFC 6749 section 4.1.1 does not include the client secret in the authorization request, and the secret should only be presented on the back-channel token request in step (C). State should be an unguessable, per-request value tied to the user's session rather than a fixed string such as 1234zyx, because it is what the client checks in step (B) to tie the callback to the request it started.
(B)-- Authorization Grant
After the resource owner approves, OAuth Service redirects the resource owner's browser to the Redirect_Uri from the previous step with the authorization_code appended (RFC 6749 also requires the State value to be echoed back). The client must verify that the returned state matches the one it sent before it uses the code.
(C)-- Authorization Grant
The client exchanges the authorization code for an access_Token and a refresh_token from OAuth Service. Use the Get AccessToken API. This is a direct server-to-server call in which the client authenticates with its Client_Id and Client_Secret; the code is single-use and expires shortly after it is issued.
POST {{host}}/token
(D)-- Access Token
OAuth Service returns the access_Token and refresh_token to the client.
(E)-- Access Token
The client presents the access_Token to the resource server to retrieve a resource.
(F)-- Protected Resource
The resource server checks the token (see Verify Token below) and, if it is valid, returns the protected resource.
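The client side of steps (A) to (D), as an added example for this page (it is not code from the rramesh2000/OAuthService project). It assumes the /auth parameter names shown above, that the callback in step (B) carries the code and state as query parameters named code and state (matched case-insensitively), and that /token accepts a form-encoded body with grant_type, code, redirect_uri, client_id and client_secret and answers with JSON containing access_Token and refresh_token; none of that is documented on this page. The client secret is deliberately kept off the /auth URL and sent only on the back-channel /token call.

```python
"""Client side of the authorization-code flow (steps A-D).

Added example; not project code. Assumed: callback query parameters code/state,
form-encoded /token body (grant_type, code, redirect_uri, client_id, client_secret),
JSON token response with access_Token and refresh_token.
"""
import json
import secrets
import urllib.parse
import urllib.request
from typing import Callable, Dict

# Transport abstraction: (url, form fields) -> decoded JSON body. Injected so the flow
# can run offline against a fake; http_post_form below is a real implementation.
PostFn = Callable[[str, Dict[str, str]], Dict[str, str]]


def new_state() -> str:
    """Per-request, unguessable state. Store it in the user's session so the callback
    in step (B) can be bound to the request that started it."""
    return secrets.token_urlsafe(32)


def build_authorization_url(host: str, client_id: str, redirect_uri: str,
                            scope: str, state: str) -> str:
    """Step (A): the URL the client redirects the resource owner's browser to."""
    params = {
        "Response_Type": "code",
        "Client_Id": client_id,
        "Redirect_Uri": redirect_uri,
        "Scope": scope,
        "State": state,
    }
    # No Client_Secret here: this URL passes through the browser, its history and logs.
    return f"{host}/auth?{urllib.parse.urlencode(params)}"


def parse_callback(callback_url: str, expected_state: str, registered_redirect_uri: str) -> str:
    """Step (B): validate the redirect the browser arrived with and return the code."""
    parts = urllib.parse.urlsplit(callback_url)
    base = urllib.parse.urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))
    if base != registered_redirect_uri:
        raise ValueError("callback arrived on an unexpected redirect URI")
    query = {k.lower(): v[0] for k, v in urllib.parse.parse_qs(parts.query).items()}
    if "error" in query:
        raise PermissionError(f"authorization was not granted: {query['error']}")
    # Constant-time comparison against the state stored in the session: a mismatch means
    # this callback was not started by this session (CSRF or a stray redirect).
    if not secrets.compare_digest(query.get("state", "").encode(), expected_state.encode()):
        raise ValueError("state mismatch; discarding callback")
    code = query.get("code", "")
    if not code:
        raise ValueError("callback carries no authorization code")
    return code


def exchange_code(post: PostFn, host: str, code: str, client_id: str,
                  client_secret: str, redirect_uri: str) -> Dict[str, str]:
    """Steps (C) and (D): back-channel POST to /token, authenticated with the secret."""
    body = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,  # must match the Redirect_Uri used in step (A)
        "client_id": client_id,
        "client_secret": client_secret,
    }
    tokens = post(f"{host}/token", body)
    if not tokens.get("access_Token"):
        raise RuntimeError(f"token endpoint returned no access token: {tokens}")
    return tokens


def http_post_form(url: str, form: Dict[str, str]) -> Dict[str, str]:
    """Real PostFn for use against a running service: form-encoded POST, JSON response."""
    data = urllib.parse.urlencode(form).encode()
    req = urllib.request.Request(url, data=data, method="POST",
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read().decode())
```

In a web application the state from new_state() is saved in the session before the redirect, parse_callback is called from the Redirect_Uri handler with that stored value, and exchange_code is called with http_post_form as the transport; the redirect URI check protects against a code being injected through a callback handler the client never registered.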
Other Flows
Verify Token
The resource server verifies the token presented by the client before serving the resource. Use the Verify Token API.
POST {{host}}/api/token/verify
Refresh Token
The access token is meant to be short-lived, usually between 5 and 10 minutes. The client uses the refresh token to obtain new access tokens without sending the resource owner back through the approval screen. Use the Refresh Token API to get a new access token and a new refresh token; store the new refresh token and stop using the old one.
POST {{host}}/token/refresh
Revocation
Use this when you want to log the user out or withdraw the authorization that lets the client access the resource. Use the Refresh Token revocation API; once the refresh token is revoked the client can no longer obtain new access tokens and must go through the authorization flow again.
POST {{host}}/api/revoke
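The three Other Flows together, as an added example for this page (not code from the rramesh2000/OAuthService project): the resource server extracting and verifying the token it receives in step (E), the client refreshing its short-lived access token ahead of expiry and rotating to the new refresh token, and revocation ending the grant. The page does not document request bodies or responses, so the following are assumptions: the client sends the access token as "Authorization: Bearer <token>"; /api/token/verify takes token=... and answers JSON with an "active" boolean; /token/refresh takes grant_type=refresh_token with refresh_token, client_id and client_secret and answers JSON with access_Token, refresh_token and expires_in seconds (300, the low end of the 5 to 10 minutes quoted above, is assumed if absent); /api/revoke takes token=<refresh token>.

```python
"""Verify, refresh and revoke flows around a short-lived access token.

Added example; not project code. Assumed request/response shapes are described in
the lead-in: Bearer header, token=... bodies, JSON "active" and expires_in fields.
"""
import time
from typing import Callable, Dict, Optional

PostFn = Callable[[str, Dict[str, str]], Dict[str, object]]


def bearer_token_from_header(authorization: Optional[str]) -> Optional[str]:
    """Resource-server side of step (E): pull the token out of the Authorization header.
    Anything that is not a well-formed Bearer credential yields None."""
    if not authorization:
        return None
    scheme, _, token = authorization.strip().partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    return token.strip()


def is_token_active(post: PostFn, host: str, token: str) -> bool:
    """Verify Token flow: ask OAuth Service whether the presented token is still valid.
    Anything other than an explicit active=true is treated as inactive (fail closed)."""
    resp = post(f"{host}/api/token/verify", {"token": token})
    return resp.get("active") is True


class TokenManager:
    """Client-side holder for the access/refresh token pair issued in step (D)."""

    REFRESH_SKEW = 30  # refresh this many seconds early so a token never expires in flight

    def __init__(self, post: PostFn, host: str, client_id: str, client_secret: str,
                 access_token: str, refresh_token: str, expires_in: int,
                 now: Callable[[], float] = time.time):
        self._post, self._host = post, host
        self._client_id, self._client_secret = client_id, client_secret
        self._now = now  # injectable clock so expiry handling can be tested offline
        self.access_token_value: Optional[str] = access_token
        self.refresh_token_value: Optional[str] = refresh_token
        self._expires_at = now() + expires_in

    def access_token(self) -> str:
        """Return a usable access token, refreshing first if it is about to expire."""
        if self.refresh_token_value is None:
            raise RuntimeError("grant revoked; run the authorization flow again")
        if self._now() >= self._expires_at - self.REFRESH_SKEW:
            self.refresh()
        return self.access_token_value

    def refresh(self) -> None:
        """Refresh Token flow. The page states the call returns new access AND refresh
        tokens, so the old refresh token is discarded as soon as the new one arrives."""
        resp = self._post(f"{self._host}/token/refresh", {
            "grant_type": "refresh_token",
            "refresh_token": self.refresh_token_value,
            "client_id": self._client_id,
            "client_secret": self._client_secret,
        })
        if not resp.get("access_Token"):
            # A rejected refresh usually means the grant was revoked or the refresh token
            # was already rotated; the only safe recovery is a fresh authorization.
            self.access_token_value = self.refresh_token_value = None
            raise RuntimeError(f"refresh rejected: {resp}")
        self.access_token_value = str(resp["access_Token"])
        self.refresh_token_value = str(resp.get("refresh_token") or self.refresh_token_value)
        self._expires_at = self._now() + int(resp.get("expires_in", 300))  # 300 s assumed default

    def revoke(self) -> None:
        """Revocation flow: revoke the refresh token, then forget both tokens locally so
        nothing in this process keeps using them."""
        if self.refresh_token_value is None:
            return
        self._post(f"{self._host}/api/revoke", {"token": self.refresh_token_value})
        self.access_token_value = self.refresh_token_value = None
```

The resource server calls bearer_token_from_header on the incoming request and then is_token_active before touching the resource; the client calls tm.access_token() immediately before each request so a refresh happens only when needed, and tm.revoke() on logout. A transport such as the http_post_form shown earlier on this page, or any function with the same (url, form) signature, can be passed as post.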