Gene

Reputation: 2218

OAuth2 Flow, difference between Authorise and Authorisation Grant

I am using this library: https://github.com/manjeshpv/node-oauth2-server-implementation

From my understanding of Oauth2:

1) Generate a clientId and clientSecret

2) User uses clientId and clientSecret to get a bearerToken

3) Authorisation server returns an accessToken to the user if the clientId and clientSecret combination is valid

4) User then uses the accessToken to run HTTP POST/GET API calls (within their scope)

In the POSTMAN examples given in the GITHUB, we have


I noticed Password Grant, Refresh Token, Client Credential Grant and Authorisation Grant point to the same POST request, with the difference being in the body.

And the Authorise sample web service, which I assume is the one the user would have to click in order for the authorisation server to return an access code for the user to call scope-specific API URLs, but somehow an access code is needed too, which I'm confused about.


And if I use Client Credential Grant (which I assume is to return an AccessToken using my clientId and clientSecret), then what's the point of the authorise web service?


What would be the right flow for this library and its web services example?

Would really appreciate help in this, thanks!

Upvotes: 0

Views: 59

Answers (1)

Eugene Primako

Reputation: 2817

And the Authorise sample web service, which I assume is the one the user would have to click in order for the authorisation server to return an access code for the user to call scope-specific API URLs, but somehow an access code is needed too, which I'm confused about.

Your terminology is a bit confused. Here is probably the most popular OAuth flow:

  1. Developer (you) registers an OAuth client, receives clientId and clientSecret
  2. User opens some URL like oauth.com/authorize and is shown a dialog asking to give some rights to the developer's application. (Here clientId is used, but clientSecret is not required)
  3. If the user agrees, an authorization code is sent to the developer's application (to the redirect_uri defined at step 1). This code is short-term and cannot be used to access the user's data.
  4. The developer's application makes a POST request to the OAuth server with the authorization code, clientId and clientSecret and gets an authorization token in exchange. This token can be used to access the user's data.

And if I use Client Credential Grant (which I assume is to return an AccessToken using my clientId and clientSecret), then what's the point of the authorise web service?

A token obtained by the ClientCredentials grant identifies the client, but not the user. So I guess it is useless in your case.

Upvotes: 1
