wikier

Reputation: 2566

OAuth2 pass authorization to another client

When implementing the OAuth2 protocol, is it possible to pass authorization to a second client, similar to proxy authentication in CAS?

The user authenticates with a client web site, which has been granted authorization to access that user's account, and that site gives access (passing the token or whatever) to another client. Is that possible? Do I need to have the user authorize it separately? Can I pass a refresh token to the applet?

Upvotes: 3

Views: 287

Answers (1)

Jason Hall

Reputation: 20920

The access token returned from an OAuth dance is sometimes called a "bearer token", which belies the fact that whoever or whatever has it is considered authenticated and authorized to access resources. You can, for example, get an access token using the JavaScript flow and pass it up to a server to make requests. Or vice versa. Access tokens are access. So in that way, access is portable. But access tokens generally expire after some amount of time.

The refresh token on the other hand does not expire, but is generally tied to a callback URL. Exchanging a refresh token for an access token generally requires the callback request to be sent to a whitelisted set of URLs. So you can't generally pass a refresh token around effectively. (Note: That doesn't mean you shouldn't be careful with it, it's still essentially a scoped password, and you definitely want to keep it private).

Upvotes: 1
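The two properties the answer above describes, that an access token is a bearer credential usable by whoever holds it until it expires, while a refresh token only works for the client it was issued to, can be shown with a small in-memory model. This is an added example, not code from the question's or answer's author and not a real OAuth2 library: the authorization server, resource server, client names, secrets, user "alice", and the 300-second lifetime are all constructed, and the refresh-token binding is modelled as a client_id/secret check (RFC 6749 section 6 requires the server to ensure a refresh token was issued to the authenticated client; the answer describes the same effect in terms of whitelisted callback URLs).

```python
import hmac
import secrets
import time

# Constructed toy authorization server + resource server (not real OAuth2
# library code). It models two facts from the answer:
#   1. an access token is a bearer credential: any holder may use it until expiry
#   2. a refresh token is bound to the client it was issued to

ACCESS_TOKEN_TTL = 300  # seconds; constructed value


class AuthorizationServer:
    def __init__(self, clients):
        # clients: dict client_id -> client_secret for registered clients (constructed)
        self._clients = clients
        self._access = {}   # access_token -> {"sub", "scope", "exp"}
        self._refresh = {}  # refresh_token -> {"sub", "scope", "client_id"}

    def issue(self, client_id, client_secret, user, scope, now=None):
        """Issue an access/refresh token pair after the user authorized client_id."""
        self._authenticate_client(client_id, client_secret)
        now = time.time() if now is None else now
        access = secrets.token_urlsafe(24)
        refresh = secrets.token_urlsafe(32)
        self._access[access] = {"sub": user, "scope": scope, "exp": now + ACCESS_TOKEN_TTL}
        self._refresh[refresh] = {"sub": user, "scope": scope, "client_id": client_id}
        return access, refresh

    def refresh(self, client_id, client_secret, refresh_token, now=None):
        """Exchange a refresh token; only the client it was issued to may do so."""
        self._authenticate_client(client_id, client_secret)
        rec = self._refresh.get(refresh_token)
        if rec is None or not hmac.compare_digest(rec["client_id"], client_id):
            raise PermissionError("invalid_grant: refresh token not issued to this client")
        now = time.time() if now is None else now
        access = secrets.token_urlsafe(24)
        self._access[access] = {"sub": rec["sub"], "scope": rec["scope"], "exp": now + ACCESS_TOKEN_TTL}
        return access

    def introspect(self, access_token, now=None):
        """Resource-server view: who the token is for, or None if unknown/expired."""
        rec = self._access.get(access_token)
        now = time.time() if now is None else now
        if rec is None or now >= rec["exp"]:
            return None
        return rec

    def _authenticate_client(self, client_id, client_secret):
        expected = self._clients.get(client_id)
        if expected is None or not hmac.compare_digest(expected, client_secret):
            raise PermissionError("invalid_client")


class ResourceServer:
    """Accepts any valid, unexpired bearer token regardless of who presents it."""

    def __init__(self, auth_server):
        self._as = auth_server

    def get_profile(self, bearer_token, now=None):
        rec = self._as.introspect(bearer_token, now)
        if rec is None:
            return 401, None
        return 200, {"user": rec["sub"], "scope": rec["scope"]}


def demo():
    clients = {"web-app": "web-secret", "applet": "applet-secret"}  # constructed
    auth = AuthorizationServer(clients)
    api = ResourceServer(auth)
    t0 = 1_000_000.0  # fixed clock so the run is deterministic

    # 1. The web app completes the OAuth flow for user "alice".
    access, refresh = auth.issue("web-app", "web-secret", "alice", "profile:read", now=t0)

    # 2. Bearer semantics: the applet can use the same access token unchanged...
    applet_status, _ = api.get_profile(access, now=t0 + 10)
    # ...but only until it expires.
    expired_status, _ = api.get_profile(access, now=t0 + ACCESS_TOKEN_TTL)

    # 3. The refresh token handed to the applet is rejected there...
    try:
        auth.refresh("applet", "applet-secret", refresh, now=t0 + ACCESS_TOKEN_TTL)
        applet_refresh_ok = True
    except PermissionError:
        applet_refresh_ok = False
    # ...while the client it was issued to can mint a fresh access token with it.
    new_access = auth.refresh("web-app", "web-secret", refresh, now=t0 + ACCESS_TOKEN_TTL)
    renewed_status, _ = api.get_profile(new_access, now=t0 + ACCESS_TOKEN_TTL + 1)

    return {
        "applet_uses_access_token": applet_status,
        "access_token_after_expiry": expired_status,
        "applet_can_refresh": applet_refresh_ok,
        "web_app_renewed": renewed_status,
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the applet getting a 200 with the borrowed access token, a 401 once it expires, a rejected refresh attempt from the applet, and a successful renewal by the web app. The same split is why a refresh token handed to another party should be treated as a leaked credential: it cannot be used from that party's client identity, but it remains a long-lived secret for the client it belongs to.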
