Trusted Client OAuth Token Creation?


By : user2950961
Date : November 17 2020, 11:58 AM
The use case you describe fits the Client Credentials grant as standardized in the OAuth 2.0 specification here: https://tools.ietf.org/html/rfc6749#section-4.4
The user identifier could effectively be passed in as a scope value which allows for accessing that user's (Resource Owner) resources. This is what the spec calls resources under control "of another resource owner that have been previously arranged with the authorization server".
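
The grant described in the answer above, sketched from the authorization server's side as an added example that is not part of the original answer: a token endpoint that authenticates the trusted client and grants a user scope only when that user was arranged for the client beforehand. The `user:<id>` scope format, the client registry and all names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

def _digest(secret: str) -> bytes:
    # Plain SHA-256 is adequate only because client secrets are long random values.
    return hashlib.sha256(secret.encode()).digest()

# Constructed sample registry: each trusted client and the resource owners
# "previously arranged" for it (hypothetical names and secret).
CLIENTS = {
    "billing-service": {
        "secret_sha256": _digest("constructed-secret-for-demo"),
        "arranged_users": {"alice", "bob"},
    }
}
ISSUED = {}  # access token -> {"client_id", "scope", "expires_at"}

def token_endpoint(form: dict, now=None):
    """Handle a token request body; returns (http_status, json_body)."""
    now = time.time() if now is None else now
    if form.get("grant_type") != "client_credentials":
        return 400, {"error": "unsupported_grant_type"}
    client = CLIENTS.get(form.get("client_id", ""))
    # Compare digests in constant time, also when the client is unknown.
    expected = client["secret_sha256"] if client else _digest(secrets.token_hex(16))
    supplied = _digest(form.get("client_secret", ""))
    if not hmac.compare_digest(supplied, expected) or client is None:
        return 401, {"error": "invalid_client"}
    scopes = form.get("scope", "").split()
    if not scopes:
        return 400, {"error": "invalid_scope"}
    for scope in scopes:
        kind, _, user = scope.partition(":")
        # Only user scopes arranged for this client are granted.
        if kind != "user" or user not in client["arranged_users"]:
            return 400, {"error": "invalid_scope"}
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    ISSUED[token] = {"client_id": form["client_id"], "scope": scopes,
                     "expires_at": now + 3600}
    # No refresh_token: the client re-runs this grant when the token expires.
    return 200, {"access_token": token, "token_type": "bearer",
                 "expires_in": 3600, "scope": " ".join(scopes)}
```

The resource server would then look up the presented token and compare the requested user against the stored scope before serving that user's data.
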
OAuth access token and refresh token creation


By : Mike Ausloos
Date : March 29 2020, 07:55 AM
The authorisation/authentication server generates these values when you create an account with them (for instance when you create a developer account with Facebook or Google). If you are doing these parts yourself, they should be cryptographically secure pseudo-random numbers or letters. Remember that the client ID is usually publicly visible, so choose a reasonably large set of alpha-numerics (I use 30 characters). The secret is private and can be harder to guess so I chose 30 digits with letters, numbers and symbols. These are not related to each other, it is just that one is public and the other isn't.
The usual way this works is that there is a browser redirect to the auth server passing the client id in the URL (and redirect uri) and specifically NOT the user id and password. The whole point of OAuth2 is that the client system never sees the user name and password, only the auth server.
After this redirect, the auth server verifies the client id, checks the username/password (for instance) and then returns to the redirect uri with a temporary code. This temporary code is passed back to the Auth server in order to obtain an access token. Since this call is made as a POST from the server, it also passes the client secret to verify that it really is the correct client system and not someone who stole the client id from somewhere else. At this point, the auth server will return an access token (and optional refresh token - you do not need to use them, I don't).
If the client system wants to log the user in without them having to type in their username and password all the time, it can use a refresh token, if available, to call back onto the Auth server and if the Auth server is happy that the refresh token is still valid and any other business rules are correct, it can give you back another access token directly without the user being involved.
I recommend reading the OAuth2 spec here: OAuth2 Spec RFC6749. It can take a while but if you delete the bits you don't need and reduce the amount of data, there are plenty of useful examples in it.
oauth2 get access token via db by supplied client id/secret for trusted 3rd party client


By : Developer
Date : March 29 2020, 07:55 AM
All you did was take out a step for their convenience.
A lot of people would simply use an OAuth2 library they or someone else wrote and of course this wouldn't work because you don't have a standard OAuth2 system anymore.
OAuth 2.0 token handling. Is there a Server token and client token?


By : Amrit Ojha
Date : March 29 2020, 07:55 AM
I am not sure what you mean by 'Token'.
In order to access any Google API you will first need to register your application on Google Developer console. You will then need to create OAuth2 credentials. OAuth2 credentials are where your application will request access from a user to access the data on their YouTube account.
How Google OAuth 2.0 Java library take care of Access Token! if Client ID, Secret and Refresh Token is provided.?


By : Sudha Gowda
Date : March 29 2020, 07:55 AM
From the Credential API doc:
OAuth Client Credentials Reissue Access Token vs. Refresh Token


By : Dick King
Date : March 29 2020, 07:55 AM
The short and skinny is -- the client can act on its own behalf without involving a resource owner; just request a new access token as before.