Reputation: 4026
OAuth 2.0 - first step details, can someone clarify?
In lots of descriptions the first step is that user tries to acces a resource on server something like
https://fhirblog.files.wordpress.com/2014/06/oauth2sequencediagram.png
Now i got a Rest API with severel endpoints:
GET /server/resource1
DELETE /server/resource1/{uuid}
GET /server/resource2
...
implementation looks something like this:
@DELETE
public Response deleteResource(
@ApiParam(value = "The id", required=true)
@PathParam("uuid") String uuid,
@Context SecurityContext securityContext)
throws NotFoundException {
Until now i have implemented an apikey which is passed by header into the api and a filter that verifies teh apikey.
Now i want to implement a full (three/two legged) oauth 2.0 flow. But i am now wondering about the first step.
So Question is:
Do i have to add a mechanism on each endpoint that verifies if the request has a token? and if not redirect the request to an auth endpoint?
(Also Can i send the Tokens in the HttpHeader or do the Tokens have to be in the Body of the Request?)
Or: Do i have to create just one endpoint that does the token stuff and in my other resource endpoints i only verify if the token is valid?
Upvotes: 0
Views: 61
Answers (1)
Reputation: 2488
Okay here are the explanations,
Do i have to add a mechanism on each endpoint that verifies if the request has a token? and if not redirect the request to an auth endpoint?
This question has two parts, so i will explain it separately for better understanding,
Do i have to add a mechanism on each endpoint that verifies if the request has a token?
Yes, in general the endpoints would be an APIs, so you need to setup middleware or interceptor or filters, to check to see does this endpoint need authorization if so check access token, if valid then proceed with request, if not return 401 Unauthorized as Http response, for example:
All request to /server/* must be accessed with access token, then you need to setup filter for those paths and check the access token,
if not redirect the request to an auth endpoint?
No, if access token is not provided or invalid or expired any case, you need to return Unauthorized http response like below,
Status Code:401
{"ok":false,"errors":[{"code":"unauthorized_request","message":"unauthroized request, access token either invalid / expired"}]}
here its json response, but any format works
So while the client make http request to access the endpoint, they need to pass the access token in HTTP Header like below,
Authorization: Bearer {access_token}
Do i have to create just one endpoint that does the token stuff and in my other resource endpoints i only verify if the token is valid?
Yes, you need to create an endpoint like /auth (typically called Auth Endpoints) to handle the authentication process, code exchange, refresh, revocation etc.
Then all other resource endpoints should just check token and process the request, and these endpoints wont take part in token management process
Upvotes: 1
Related Questions
- Understanding OAuth2 flow
- swagger oauth got it, so now what?
- swagger oauth security definition
- restful api authentication confusion with oauth2
- Understanding Oauth2
- Document Spring OAuth 2.0 APIs using Swagger
- Sanity checking an Oauth2 Implementation
- Understanding OAuth2.0 and REST API Security
- Rest with oauth2
- Understanding OAuth2 Client credentials flow