Credential Password Flow.

In a world dominated by social media, it's hard not to be tempted to install a client application that allows you to access limited resources on another server.

For example, you could use a web app (say, from the New York Times) to import interesting articles into your Facebook or Twitter. Or you could use the Quora iPhone app, which allows users to access your news board on Facebook or Google+.

It can be customized based on your profile data: add/invite users who are on your friends list to Quora. The question is, how do these apps access your Facebook, Twitter or Google+ account, and especially your sensitive information?

Before an application can do this, it must provide some form of authentication and authorization grants to server resources.

Introduction to OAuth 2.0

This is where OAuth comes into play, which is a remote access delegation/authorization framework that can be used without the need for additional password sharing. For this reason, OAuth is often called valet keychain from the Internet.

It can be thought of as a special key that allows access to a limited set of functions for a certain period of time, while giving full control to the application.

Just as a valet is allowed to park his car at a restaurant, but he is not allowed to drive it around the city, use the built-in mobile phone or other functions.

However, OAuth is not based on any completely new technology, but cleverly uses a combination of standard, long-established protocols.

It's also worth noting that OAuth is not just limited to social media - it provides a formalized, reliable way to share information between different types of applications that provide limited access to its functions.

OAuth 2.0 has a completely new ideology and is backward compatible with previous versions of applications. Before explaining what its advantages are, I would first like to look at the definitions of some of the concepts and functions that OAuth2.0 operates on:

• Owner resource: An application that is capable of providing access to a protected resource. Typically end users;
• Client: An application that makes requests to a protected resource on behalf of its owner and with his permission. These can be server, mobile or desktop applications;
• Resource server: a protected resource server capable of accepting and responding to requests for the resource;
• Authorization on the server: the server issues grants/access tokens to the client after successful authentication with the owner resource and receiving permission from it;
• Access token: Access credential tokens that a client provides to a resource server to be able to use protected resources. Typically this is a string of parameters that define access boundaries, session duration and other attributes. It may also contain data for authorization in one form or another;
• Token update: Although not provided by default, access tokens should ideally have an expiration (session) duration, which can range from a few minutes to a few hours. Once the access token has expired, the client can request the server to authorize and issue a new access token using a token refresh.

What was the problem with OAuth 1.0?

The main drawback of OAuth 1.0 was that it was too complex.

In fact, there were no major problems! Twitter still works fine with OAuth 1.0 and I just added support version 2.0. OAuth 1.0 was a well-thought-out version of the framework that provided reliable communications classified information, and this made it possible to exchange sensitive information without an SSL connection.

The reason why the development of the update was necessary is mainly due to the complexity with which the version was associated. Below are some areas where OAuth 1.0 did not meet all modern requirements:

• Signature of each request: Having clients that generated signatures for each application request and verified each request on the server. This was a major blow to developers who had to parse, code and sort parameters before submitting a request.

  OAuth 2.0 overcomes this complexity. Simply sending tokens over SSL and solving this problem at the network level. OAuth 2.0 does not require any signatures;

• Built-in Application Redirection: With the development of built-in browser applications for mobile devices OAuth 1.0 web flows were simply ineffective.

  So, for them it is mandatory to use such agents as the Internet browser itself. In OAuth 2.0, flows were reoriented specifically to work with embedded applications;

• Clear division of roles: OAuth 2.0 provides much-needed separation of roles for the authorization server, authentication and client authorization, through which the resource server can process application requests to grant access to private resources.

OAuth 2.0 in detail

Before the protocol is initialized, the client must register with the authorization server, providing information about the client type, the redirect URL (where it should be redirected to for authorization after the resource server grants it or denies access), and any other information required server.

In return, it receives a client identifier (client_id) and secret code client (client_secret). This process is called client registration. After registration, the client can interact with the server through one of the following flows.

Possible OAuth flows

OAuth 2.0 adds about five new flows to the table, giving developers flexibility in implementing solutions. They can use any of them, depending on the type of client involved in the data exchange process:

• User-agent flow: Typically suitable for clients implemented in user agent applications (such as clients running inside a web browser shell) using scripting languages ​​such as JavaScript and others.

  Mainly used by embedded applications for mobile devices or operating systems. As an authorization user agent, it uses a built-in or external browser that supports Implicit Grant authorization;

• Web server thread: Ensures the use of the authorization code grant. It is a redirect-based flow that requires interaction with an end-user agent.

  Thus, this flow is suitable for clients that are part of applications running on a server, which are typically accessed through a web browser;

• Flow of usernames and passwords: Used only when there is a high degree of trust between the client and the owner resource, while other threads are not able to solve the task. It involves transferring the authority of the resource owner to the client.

  An example of a client for this type of interaction would be a device operating system or an application with extensive access rights. It can also be used to migrate existing clients via HTTP protocol or Digest Authentication schemes in OAuth by converting recorded credentials into an access token;

• Approval flow: Your client can issue an assertion, such as a SAML assertion, in return for the provided access token;
• Client Identity Flow: OAuth is used primarily for delegated access, but there are cases where the client is also the owner of the resource or has already been granted access rights beyond the normal OAuth flows. This simply involves exchanging the provided client credentials for an access token.

A detailed discussion of each of the above threads is beyond the scope of this article, and I would encourage you to get more detailed information For these flows, read the specifications.

But to give you more background knowledge to learn them, let's take a deeper look at one of the most commonly used threads: the web server thread.

Web server thread

Because this flow uses redirects, the client must be able to interact with the user agent of the resource owner (which in most cases is a web browser) and is therefore suitable for working with web applications.

The diagram below generally shows how an end user (or resource owner) uses a client application (in this case based on a server application) to authenticate and authorize the server in order to gain access to protected resources.

Client Authentication and Authorization

The client, on behalf of the resource owner, initiates a flow by redirecting to the authorization endpoint, using: the response_type parameter as a code; client ID, which was obtained during the client registration process; Redirect URL; requested amount of authority (optional) and current status (if required).

To get a better idea of ​​how the whole process works, the screenshot below graphically represents what processing a standard request/response would look like:

Through the web interface, the resource owner is typically presented with the following panel, where he can verify that all permissions have been obtained by the client application and it can use private resources on behalf of their owner.
If the client has received resource owner access grants, the authorization server redirects the user agent back to the client using the redirection parameters that were previously provided, along with the authorization code.

As shown in the picture below:

Exchange authorization code for token

The client then proceeds to the next stage and sends the authorization code received in the previous stage along with the redirect URL, the client ID, the secret code received during the client registration process, and the grant_type parameter, which should be set to authorization_code .

The server then checks the authorization code and redirect URL, just like in the previous step. If the verification is successful, the server sends a response along with an access token and, optionally, an updated token.
A request to gain access to private resources using access tokens.

The client can now use applications provided by the server and also make requests to use private resources.

In this case, an access token is included in the Authorization header of the request. An example of a CURL request to receive data from the Google Blogger API into a blog, taking into account the identifier, can be the following code:

$ curl https://www.googleapis.com/blogger/v3/blogs/5223788876950011016 -H "Authorization: OAuth ya29.AHES6ZRTj1GNxAby81Es-p_YPWWNBAFRvBYVsYj2HZJfJHU"

Note that the access token has been added as the Authorization header in the request and is also highlighted single quotes, since the token may contain special characters.

Keep in mind that access token allocation is only required for two-way communication. As a result, the request is sent:

Then the resource server checks the transmitted data (access token) and, if the check is successful, sends the requested information.
These examples illustrate how the OAuth2.0 Playground works. This is how this version interacts with Google, as a rule.

Interaction may occur slightly differently when accessing other services (for example, Facebook or Salesforce), which is associated with problems of poor compatibility of end solutions, which we will discuss a little later.

Renewing an Access Token

Although not provided by default, access tokens typically have a limited expiration date. Therefore, when the token's validity period has expired, the client sends a request to the authorization server to refresh the token.

It is accompanied by a client ID and secret code, as well as a grant_type parameter as a refresh_token.

In response, the authorization server sends a packet with the new token value.
Although there is a mechanism for revoking a renewed token, it is typically stored forever and therefore must be protected, just like all sensitive data.

So what's the problem with OAuth 2.0?

Good (positive point).

Judging by the speed at which OAuth 2.0 was released, it is certainly a step up from its predecessor. Members of the developer community have been known to have some difficulty implementing version 1.0. OAuth 2.0 introduces several new types of grants that can be used to implement various user tasks associated with embedded applications, but the main advantage of this version of the framework is its simplicity compared to version 1.0.

OAuth 2 is an authorization framework that allows applications to have limited access to user accounts on HTTP services such as Facebook, GitHub and DigitalOcean. It works by delegating user authentication to the service that hosts the user's account, allowing a third-party application to access the user's account. OAuth 2 works on the web, desktop and mobile applications.

This article is intended for application developers and provides an overview of roles, authorization types, and common use cases for OAuth 2.

Let's start with OAuth roles!

OAuth roles

OAuth defines four roles:

• Resource owner
• Client
• Resource Server
• Authorization server

Resource owner: User

The owner of the resource is user, which authorizes application to access your account. An application's access to a user account is limited to the scope of the granted authorization rights (for example, read or write access).

Resource/Authorization Server: API

The resource server directly stores the protected data of user accounts, and the authorization server verifies the authenticity of the information provided user, and then creates authorization tokens for applications, with the help of which the application will access user data.

From the point of view of the application developer, the service API simultaneously performs the role of a resource server and the role of an authorization server. Further we will consider these two roles as one, and call it Service or API.

Client: Application

The client is application who wants to access the account user. Before access can be made, the application must be authorized by the user, and the authorization must be approved by the API.

Now that we have an idea of ​​the roles used in OAuth, let's look at a diagram of how they interact with each other.

Consider the description of the sequence of steps in this diagram:

1. Application requests from user authorization to access the resource server.
2. If user authorizes the request, application receives an authorization grant.
3. Application requests an authorization token from authorization server(API) by providing information about itself and authorization permission from the user.
4. If the application is authenticated and the authorization permission is valid, authorization server(API) creates an access token for the application. The authorization process is completed.
5. Application requests a resource from resource server(API), while providing an access token for authentication.
6. If the token is valid, resource server(API) provides the requested resource application.

The actual steps in the process described may vary depending on the type of authorization permission used, but in general the process will look like that described. Next, we'll look at the different types of authorization permissions.

Application registration

Before you start using OAuth in your application, you need to register your application with the service. This is done by registering in the “developer” or “API” section of the service’s website, where you need to provide the following information (possibly including some details about your application):

• Application name
• Application website
• Redirect URL or callback URL

Redirect URL is the URL to which the service will redirect the user after authorization (or authorization refusal) of your application.

Client ID and Client Secret

After registering the application, the service will create client credentials - a client ID and a client secret. The client ID is a publicly accessible string that is used by the service API to identify the application and is also used to create authorization URLs for users. The client secret is used to authenticate the identity of the application to the service API when the application requests access to the user's account. The client secret should only be known to the application and the API.

Authorization permission

IN abstract protocol description The first four steps above cover the issues of creating an authorization permission and an access token. The type of authorization permission depends on the authorization request method used by the application, as well as what permission types are supported by the API. OAuth 2 defines four different types, each of which is useful in certain situations:

• Authorization Code: Used with server-side applications.
• Implicit: Used by mobile or web applications (applications running on the user's device).
• Resource Owner Password Credentials: Used by trusted applications, such as applications that are part of the service itself.
• Client Credentials: Used when the application accesses the API.

Authorization permission type: Authorization code

Authorization code is one of the most common types of authorization permission because it is well suited for server applications , where is the application source code and client secret not accessible to outsiders. The process in this case is based on redirection, which means that the application must be able to interact with user agent(user-agent), for example, by a web browser, and receive API authorization codes redirected through the user agent.

Let's describe the process in the diagram:

Step 1: Link with authorization code

• https://cloud.?response_type=code&client_id=CLIENT_ID &redirect_uri=CALLBACK_URL &scope=read

• : API authorization endpoint.
• client_id=CLIENT_ID: Application client ID (using this ID, the API understands which application is requesting access).
• redirect_uri=CALLBACK_URL: URL to which the service will redirect the user agent (browser) after issuing an authorization code.
• response_type=code: Indicates that the application is requesting access using an authorization code.
• scope=read: sets the application access level (in this case, read access).

Step 3: The application receives an authorization code

If the user selects “Authorize the application”, the service redirects the user agent (browser) to the redirect URL that was specified during the client registration stage (along with authorization code). The link will look similar (in this example the application is called “dropletbook.com”):

• https://dropletbook.com/callback?code=AUTHORIZATION_CODE

Step 4: The application requests an access token

The application requests an access token from the API by sending an authorization code and authentication information (including client secret) service. Below is an example of a POST request to receive a DigitalOcean token:

• https://cloud.?client_id=CLIENT_ID &client_secret=CLIENT_SECRET &grant_type=authorization_code&code=AUTHORIZATION_CODE &redirect_uri=CALLBACK_URL

Step 5: The application receives an access token

• ("access_token":"ACCESS_TOKEN ","token_type":"bearer","expires_in":2592000,"refresh_token":"REFRESH_TOKEN ","scope":"read","uid":100101,"info":( "name":"Mark E. Mark","email":" [email protected]"}}

The application is now authorized! It can use the token to access the user account through the service API with specified access restrictions until the token expires or the token is revoked. If an access token refresh token has been created, it can be used to obtain new access tokens when the old token expires.

Authorization Permission Type: Implicit

The implicit authorization permission type is used by mobile and web applications (applications that run in a web browser) where privacy client secret cannot be guaranteed. The implicit permission type is also based on user agent redirection, where the access token is passed to the user agent to be passed on to the application. This in turn makes the token accessible to the user and other applications on the user's device. Also, this type of authorization permission does not authenticate the identity of the application, and the process itself relies on the redirect URL (previously registered with the service).

The process goes like this: the application asks the user to authorize itself, then the authorization server passes an access token to the user agent, which passes the token to the application. Next we will describe the process in detail.

Step 1: Implicit Authorization Link

With an implicit authorization permission type, the user is provided with a link that requests a token from the API. This link looks almost the same as the link for the previous method (with an authorization code), except that it asks token instead of code (note the response type“token”):

• https://cloud.?response_type=token&client_id=CLIENT_ID &redirect_uri=CALLBACK_URL &scope=read

Step 2: User authorizes the application

When a user clicks on a link, they must first log in to verify their identity (if they are not already logged in, of course). After this, the service will prompt the user to authorize or deny authorization to the application to access the user account. An example of such a dialogue is presented below:

Step 3: The user agent obtains an access token from the redirect URI

• https://dropletbook.com/callback#token=ACCESS_TOKEN

Step 4: The user agent follows the redirect URI

The user agent follows the redirect URI while storing the access token.

Step 5: The application runs the access token retrieval script

The application returns a web page that contains a script to extract the access token from the full redirect URI stored by the user agent.

Step 6: The access token is passed to the application

The user agent runs the access token extraction script and then passes the extracted token to the application.

The application is now authorized! It can use the token to access the user account through the service API with specified access restrictions until the token expires or the token is revoked.

Authorization permission type: resource owner credentials

With this type of authorization permission, the user directly provides the application with his authorization data in the service (username and password). The application, in turn, uses the received user credentials to obtain an access token from the service. This type of authorization permission should only be used when no other options are available. In addition, this type of permission should only be used when the application is trusted by the user (for example, it is part of the service itself, or the user's operating system).

Process with resource owner credentials

After the user provides their credentials to the application, the application will request an access token from the authorization server. An example POST request might look like this:

• https://oauth.example.com/token?grant_type=password&username=USERNAME &password=PASSWORD &client_id=CLIENT_ID

Attention: DigitalOcean does not currently support the authorization permission type using resource owner credentials, so the link above points to an imaginary authorization server “oauth.example.com”.

Authorization permission type: Client credentials

The client credentials authorization permission type allows an application to access its own service account. This can be useful, for example, when an application wants to update its own service registration information or redirect URI, or access other information stored in the application's service account through the service API.

Client Credential Process

An application requests an access token by sending its credentials, its client ID, and its client secret to the authorization server. An example POST request might look like this:

• https://oauth.example.com/token?grant_type=client_credentials&client_id=CLIENT_ID &client_secret=CLIENT_SECRET

Attention: DigitalOcean does not currently support the client credentials authorization permission type, so the link above points to an imaginary authorization server “oauth.example.com”.

Example of using an access token

Once an application receives an access token, it can use that token to access the user account through the service's API with specified access restrictions until the token expires or the token is revoked.

Below is an example of an API request using curl. Note that it contains an access token:

• curl -X POST -H "Authorization: Bearer ACCESS_TOKEN "" https://api.site/v2/$OBJECT "

If the access token is valid, the API will process the received request. If the access token has expired or the token is invalid, the API will return an “invalid_request” error.

Access Token Refresh

Once an access token expires, all API requests using it will return an “Invalid Token Error”. If, when creating an access token, a refresh token was also created, the latter can be used to obtain a new access token from the authorization server.

Below is an example of a POST request using a token to refresh an access token to obtain a new access token:

• https://cloud.?grant_type=refresh_token&client_id=CLIENT_ID &client_secret=CLIENT_SECRET &refresh_token=REFRESH_TOKEN

Conclusion

This concludes our overview of OAuth 2. You now have a basic understanding of how OAuth 2 works and when and how to use existing authorization permission types.

If you want to learn more about OAuth 2, we recommend checking out the following articles.

​Caring about its customers, the Invola service team implemented a direct connection to mail using OAuth 2.0 technology.

In this article we will tell you what it is, how it works and how it affects the security of user data.
We will omit a number of technical points, conveying the essence of the technology in a language that is simple and understandable to ordinary users.

Regular users of the service know how it was sometimes It’s inconvenient to use a duplicate email, often forgetting to send another letter to him. We received letters asking us to reconsider the algorithm for receiving invoices and commercial ones in favor of direct connection to mail.

After a couple of weeks of fruitful work by the programmer and security specialist authorization algorithm implemented and now is the main connection method clients to service.

What is OAuth?

Speaking in dry technical language, this is an authorization protocol that allows you to grant one service (in this case Invola) rights to access user resources on another service (access to mail).

The user has more reason to trust the application because the user can be sure that unauthorized access access to his personal data is impossible. Without having the user's login and password, the application will be able to perform only those actions with data which the user has allowed, and no others.

To put it simply, we can say this: the Invola service connects to your mail to receive invoices and commercial offers, without requiring a login and password, but requesting the right to access. If you confirm, the application receives access until it is revoked by the user himself, or as long as the application exists and is active.

In communication between Invola and mail server an access token is used (step 4-5), which automatically expires after an hour and is updated as needed (automatically, without user intervention, software Invola).

Now let's talk about security and why OAuth authorization is preferable to login/password authentication.

When you provide any service with a login and password to access your account (mail.ru, gmail.com), you are actually providing a password for the entire account(in this way you can access, for example, a disk, photo albums and other personal data).

Granting access via OAuth you yourself control which resources you access account you give access. Let's look at an example of the rights requested when connecting to Invola:

"View and manage mail" - for automatic receipt of invoices and CP, " view address" – to get the address e-mail box, "view profile" – to obtain a username (required at the registration stage).

Unfortunately, not all mail servers(including corporate) support authorization by technology OAuth, in particular the popular service Yandex.Mail. If your mail is on Yandex, you can currently connect to our service only using your login password.

A little about security.

We understand very well how critical the leak of confidential data or unauthorized access to customer data is for business, financial transactions, personal correspondence. Data security is one of the main priorities of our work.

Access tokens, as well as passwords for accessing mail, are stored on a secure dedicated database server using a cryptographic scheme based on dynamic keys.

As a result, it is worth noting that our employees do not have access to the mail servers and correspondence of our users under any circumstances.

All communications between the user and the service, as well as between the service and the mail server carried out over a secure SSL channel, in other words, all transmitted data in both directions is encrypted with a strong cryptographic algorithm.

If you have a business and send a lot of invoices and proposals to your clients, then you simply must try our system. Invola sends automatic alerts, if there was no response to the invoice, and also monitors the reaction of your customers to the invoices (expensive, long delivery time, etc.). As a result you get an increase in the share of paid bills, and also have the opportunity to collect statistics on the performance of your managers, common reasons failures.

|

OAuth 2 is an authorization protocol that gives applications limited HTTP access to user accounts. It passes user authentication to the service that hosts the accounts and authorizes third party applications and gives them access to the user account. OAuth 2 provides authorization for web applications and mobile devices.

This guide will introduce you to OAuth 2 roles, authorization types, flows, and use cases for OAuth 2.

OAuth roles

There are four roles in OAuth:

1. Resource owner
2. Client
3. Resource Server
4. Authorization server

Let's look at each role in more detail.

Resource owner: user

The resource owner is the user who authenticates to the application to gain access to their account.

The application restricts access to the user account using permissions (that is, the rights to perform a particular action: read, write, etc.).

Resource and authorization server: API

The resource server stores secure user accounts, and the authorization server verifies the user's credentials and then issues application access tokens.

From the application developer's point of view, the service API performs the roles of a resource server and an authorization server. In the following, we will refer to these roles as a service or an API.

Client: application

A client is an application that wants to access a user's account. Before it can do this, the user must be authorized in the application, and the API must confirm authorization.

Protocol streams

OAuth roles interact with each other as follows:

• The application requests user authorization to gain access to service resources.
• If the user is authorized at the request of the application, the application receives permissions.
• The application requests an access token from the authorization server (API).
• If the application is authenticated and its credentials are valid, the authorization server (API) issues it an access token. Authorization is complete.
• The application requests a resource from the resource server (API) and provides an access token for authentication.
• If the access token is valid, the resource server (API) serves the resources for the application.

Application registration

Before you can use OAuth in an application, you need to register the application. This is done through the registration form in the Developer or API section of the service website, where you need to provide the following information:

• Application name;
• Application website;
• Callback URL or redirect URI (this is where the service will redirect the user after he has passed (or failed) authorization; this part of the application will handle authorization codes or access tokens).

Client ID and secret key

After registering the application, the service will provide you with application credentials, which can be found in the client identifier and client secret fields. Client ID is a public string that is used by the service API to identify the application; it is also used to create authorization URLs. Client Secret allows the service API to authenticate an application when it requests access to a user account. This sensitive data is stored between the application and the API.

Authorization Permissions

Authorization permissions depend on the method the application uses to request authorization, as well as the types of permissions supported by the API. OAuth 2 defines four types of permissions, each of which is useful in different cases:

1. Verification Code: Used in server side applications.
2. Implicit access: Used in web and mobile applications (applications that run on the user's device).
3. Providing the client with a password: Used in applications that are known to be secure (for example, applications owned by a service).
4. Client privileges: access to the application API.

Verification code

Verification code is the most common type of authority, optimized for server-side applications where the source code is closed and the Client Secret is not accessible to outsiders. This flow is redirect-based, which means that the application must be able to interact with the user agent (i.e. the user's web browser) and receive API authorization codes that are routed through the user agent.

The confirmation code stream looks like this:

1. The user receives a link to a confirmation code.
2. The user is authorized. By clicking on the link, the user confirms the authenticity of the data. If the provided data is incorrect, the user will be denied authorization.
3. The application receives a verification code. The service redirects the user agent to the URI that was specified when the client registered, along with a verification code.
4. The application requests an access token from the API, providing a verification code and authorization data, including the client secret.
5. The application receives an access token if the authorization is valid.

Implicit access flow

Implicit access flow is used mobile applications or web applications where client secret confidentiality cannot be guaranteed. This flow is also redirect-based, but the user agent receives the access token and then passes it to the application. This way it can be visible to the user or other applications on the user's device. Additionally, this flow does not authenticate the application, it does so using the URI (which has been registered with the service).

Refresh tokens are not supported for implicit access.

The implicit access flow basically works like this: the user is asked to log into the application, the authorization server passes the access token to the user agent, which passes it to the application. In more detail this process looks like this:

1. The user receives an implicit access link that requests a token from the API.
2. The user is authorized by clicking on the link. If the user cannot log in, they will be denied access.
3. The user agent receives an access token and a Redirect URI.
4. The user agent follows the Redirect URI.
5. The application sends a script to retrieve the access token. The application returns a web page with a script that can extract the access token from the Redirect URI.
6. The application receives an access token. Authorization is complete.

Providing the client with a password

This type implies that the user passes credentials directly to the application, which uses them to obtain an access token. This type should only be supported on the authorization server. Additionally, it should only be used if the application can be trusted (for example, it belongs to a service or operating system user).

Having received the user's credentials, the application requests an access token from the authorization server. If the credentials are correct, the authorization server will provide an access token. Authorization is complete.

Client credentials

This type allows an application to connect to its own service account. This flow is useful if an application wants to update its registered description or redirect URI or access other data stored in a service account.

The application requests an access token by sending its credentials, client ID, and client secret. . If the credentials are correct, the authorization server will provide an access token. Authorization is complete.

Using access tokens

Once an app receives an access token, it can use it to access the user's account via the API.

If the token is valid, the API processes the request. If the token is invalid, the API will throw an invalid_request error.

Flow with refreshable token

Once the access token expires, the API will throw an invalid_request error. If the application received a refresh token along with the access token, it can now use it to request a new access token from the authorization server.

You are now familiar with the basics of OAuth 2.

Tags: ,

1. Opening the built-in browser with the login page
2. The user is asked to confirm that rights have been granted.
3. If the user agrees, the browser is redirected to a stub page in the fragment (after #) the URL of which is added access token
4. The application intercepts the redirect and receives access token from the page address

This option requires raising the browser window in the application, but does not require the server part and an additional server-to-server call for exchange authorization code on access token.

Example

Open the browser with the login page:
> GET /oauth/authorize?response_type=token&client_id=464119 HTTP/1.1 > Host: connect.mail.ru

After the user grants permissions, a redirect occurs to a standard stub page, for Mail.Ru this is connect.mail.ru/oauth/success.html:
< HTTP/1.1 302 Found < Location: http://connect.mail.ru/oauth/success.html#access_token=FJQbwq9&token_type=bearer& expires_in=86400&refresh_token=yaeFa0gu

The application must intercept the last redirect and obtain from the address access_token and use it to access protected resources.

Authorization by login and password

Authorization by login and password is a simple POST request, as a result of which it returns access token. This scheme is nothing new, but is included in the standard for generality and is recommended for use only when other authorization options are not available.

Example

> POST /oauth/token HTTP/1.1 > Host: connect.mail.ru > Content-Type: application/x-www-form-urlencoded > > grant_type=password&client_id=31337&client_secret=deadbeef&username=api@corp.mail.ru& password= qwerty< HTTP/1.1 200 OK < Content-Type: application/json < < { < "access_token":"SlAV32hkKG", < "token_type":"bearer", < "expires_in":86400, < "refresh_token":"8xLOxBtZp8", < }
Description in the specification

Restoring previous authorization

Usually, access token has a limited shelf life. This can be useful, for example, if it is transmitted over open channels. To avoid forcing the user to login after expiration access token"and, in all the above options, in addition to access token"maybe come back again refresh token. You can use it to get access token using an HTTP request, similar to authorization using a login and password.

Example

> POST /oauth/token HTTP/1.1 > Host: connect.mail.ru > Content-Type: application/x-www-form-urlencoded > > grant_type=refresh_token&client_id=31337&client_secret=deadbeef&refresh_token=8xLOxBtZp8< HTTP/1.1 200 OK < Content-Type: application/json < < { < "access_token":"Uu8oor1i", < "token_type":"bearer", < "expires_in":86400, < "refresh_token":"ohWo1ohr", < }