Reputation: 792
I have come to see that the OAuth 2.0 protocol calls for a "Web App Server" that has the APIs as well as an "OAuth 2" server that authenticates the user. Though can this be done on a single server, or are there specific reasons it MUST be done on two separate servers?
Can the authentication be a login API call on the single web server that returns an access token itself, or will this be a faulty manner of authenticating?
Upvotes: 2
Views: 1250
Reputation: 53888
The "Web App Server" - or Resource Server in OAuth 2.0 terminology - and the "OAuth 2" server - or Authorization Server in OAuth 2.0 terminology - can certainly live on the same server. The concept is meant to separate the authentication of the user (Resource Owner) and the authorization of the caller (Client) from the application itself into a separate service (Authorization Server), but whether that separate service lives on the same box is irrelevant, assuming you control both.
The authentication can be a login API call that returns an access token. Examples of that are the so-called Resource Owner Password Credentials grant (https://www.rfc-editor.org/rfc/rfc6749#section-4.3) and the Client Credentials grant (https://www.rfc-editor.org/rfc/rfc6749#section-4.4).
Upvotes: 7
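The single-process arrangement the answer describes, with a Resource Owner Password Credentials token endpoint (RFC 6749 section 4.3) and the protected API living in the same server, as an added illustration that is not code from the original answer. The client id, user, secrets, salt and the in-memory token store are constructed demo values; a real deployment would use per-user salts and a persistent token store.

```python
import hashlib
import hmac
import secrets
import time

# Constructed demo data (not from the original post): one confidential client
# and one resource owner, stored as a PBKDF2 hash rather than a plaintext password.
CLIENTS = {"web-app": b"s3cret-client"}
_SALT = b"demo-salt"  # demo only; real systems use a random salt per user
USERS = {"alice": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 100_000)}
TOKENS = {}  # access_token -> (username, expiry timestamp)
TOKEN_TTL = 3600


def _verify_password(username, password):
    """Constant-time check of the resource owner's credentials."""
    stored = USERS.get(username)
    if stored is None:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)
    return hmac.compare_digest(stored, digest)


def token_endpoint(form, now=None):
    """Authorization Server role: the 'login API call' of RFC 6749 section 4.3.
    Order matters: authenticate the client, check the grant, then the user."""
    now = time.time() if now is None else now
    secret = CLIENTS.get(form.get("client_id"))
    presented = form.get("client_secret", "").encode()
    if secret is None or not hmac.compare_digest(secret, presented):
        return 401, {"error": "invalid_client"}
    if form.get("grant_type") != "password":
        return 400, {"error": "unsupported_grant_type"}
    if not _verify_password(form.get("username", ""), form.get("password", "")):
        return 400, {"error": "invalid_grant"}  # RFC wording: never say which part failed
    token = secrets.token_urlsafe(32)  # opaque, unguessable handle
    TOKENS[token] = (form["username"], now + TOKEN_TTL)
    return 200, {"access_token": token, "token_type": "Bearer", "expires_in": TOKEN_TTL}


def protected_resource(headers, now=None):
    """Resource Server role on the same box: accepts only a live Bearer token."""
    now = time.time() if now is None else now
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    entry = TOKENS.get(token) if scheme == "Bearer" else None
    if entry is None or entry[1] <= now:
        return 401, {"error": "invalid_token"}
    return 200, {"user": entry[0]}
```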