Microsoft Identity Platform – Part 3

In Part 1 and Part 2, we looked at the basics of identity (AuthN and AuthZ), how SAML and OAuth work, and how OAuth 2.0 works in conjunction with OpenID Connect.

This week let's look at the different grant types of OAuth 2.0. There are four types:

  • Authorization code
  • Implicit
  • Resource owner password credentials
  • Resource owner client credentials

Authorization code

Authorization code flow

  • User accesses the Application.
  • Application redirects the user to the Authorization server.
  • User provides the credentials and gets authenticated. The user also provides consent for the Application to access the protected resources (like user profile, email ID). The Authorization server redirects the user back to the application along with the Authorization code.
  • The application calls the authorization server with the Authorization code.
  • Authorization server provides the access token, and optionally a refresh token, to the application.
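To make the five steps concrete, here is an added example (not code from the original post or from the Microsoft identity platform) of a minimal in-memory authorization server that issues an authorization code in step 3 and exchanges it for an access token in steps 4 and 5. The client ID, secret, redirect URI and user are constructed values; the checks it performs (client authentication, code bound to the client and redirect URI, single use, short lifetime) are the reasons the extra code-exchange step exists.

```python
import secrets
import time

class AuthorizationServer:
    """Constructed in-memory authorization server (example only)."""
    CODE_TTL = 60  # seconds an unredeemed authorization code stays valid

    def __init__(self, clients):
        self.clients = clients  # client_id -> {"secret": ..., "redirect_uri": ...}
        self.codes = {}         # code -> (client_id, redirect_uri, user, scope, issued_at)
        self.tokens = {}        # access_token -> (user, scope)

    def authorize(self, client_id, redirect_uri, user, scope):
        """Steps 2-3: user has authenticated and consented; issue the code."""
        client = self.clients.get(client_id)
        if client is None or client["redirect_uri"] != redirect_uri:
            raise ValueError("unknown client or redirect_uri mismatch")
        code = secrets.token_urlsafe(32)
        self.codes[code] = (client_id, redirect_uri, user, scope, time.time())
        return code  # sent back to the application in the redirect

    def token(self, client_id, client_secret, code, redirect_uri, now=None):
        """Steps 4-5: application exchanges the code for an access token."""
        now = time.time() if now is None else now
        client = self.clients.get(client_id)
        if client is None or not secrets.compare_digest(client["secret"], client_secret):
            raise PermissionError("client authentication failed")
        entry = self.codes.pop(code, None)  # pop: a code can be redeemed only once
        if entry is None:
            raise PermissionError("invalid or already used code")
        code_client, code_redirect, user, scope, issued_at = entry
        if code_client != client_id or code_redirect != redirect_uri:
            raise PermissionError("code was not issued to this client/redirect_uri")
        if now - issued_at > self.CODE_TTL:
            raise PermissionError("code expired")
        access_token = secrets.token_urlsafe(32)
        self.tokens[access_token] = (user, scope)
        return {"access_token": access_token, "token_type": "Bearer", "scope": scope}

    def resource(self, access_token):
        """Protected resource: map a bearer token back to (user, scope)."""
        return self.tokens.get(access_token)

def demo():
    """Run the five steps once for a constructed client and user."""
    srv = AuthorizationServer({"app1": {"secret": "s3cret", "redirect_uri": "https://app.example/cb"}})
    code = srv.authorize("app1", "https://app.example/cb", user="alice", scope="profile email")
    tok = srv.token("app1", "s3cret", code, "https://app.example/cb")
    return srv, code, tok
```

Because the code is redeemed over a back channel with the client's secret, a code leaked from the browser redirect is useless on its own, and the `pop` means a replayed code is rejected.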

Implicit code

  • It is used by public clients such as single-page web applications.

Implicit code flow

  • User accesses the Application
  • Application redirects the user to the Authorization server
  • The user provides the credentials and gets authenticated. The user also provides consent for the Application.
  • Authorization server redirects user to the application along with the access token.

This is where it differs: there is no separate step of exchanging an authorization code; the authorization server returns the access token directly.

Resource owner password credential

Resource owner password credential flow

  • As you can see, the Application receives the user's credentials, uses them against the authorization server and gets the access token.
  • I would not recommend this method, as an intermediate application holds the user's credentials, making it an unsafe framework.

Resource owner client credential

Resource owner client credential Flow

  • In this case, the Application accesses the authorization server with its own credentials.
  • Authorization server returns the access token to the Application.
