Wednesday, April 10, 2013

OAuth 2.0 - Protocol EndPoints

Different Protocol EndPoints

Endpoints are the URIs of the resources. The OAuth 2.0 protocol involves different endpoints residing on different servers: the Client App, the Resource Server or the Authorisation Server.
They are

  • Authorisation EndPoint
  • Redirection EndPoint
  • Token EndPoint

Authorisation EndPoint

The Authorisation EndPoint resides on the Authorisation server. It serves two purposes:
    • It is used to authenticate the resource owner. This happens through an interaction between the Resource owner ( the user via the user-agent ) and the Resource server
    • It also carries a 'Redirect Url' component ( as a query parameter ) which is used to convey to the client that the resource owner has been authenticated ( successfully or with failure )
This endpoint can be procured from the OAuth documentation pages of the Resource server. Since this endpoint is used to authenticate the Resource owner's credentials, it must necessarily use transport layer security ( TLS ).
HTTP methods supported on this endpoint :
GET - Fetch the authentication page, e.g. the login page
POST - ( may not be supported as per the OAuth 2.0 specs ) To post the login form parameters.

Authorisation Server Responsibilities - The Authorisation server must take care of the following execution points while handling requests to the Authorisation endpoint ( may be of interest to the guys working on writing their own OAuth server )
    1. Query parameters without a value must be ignored. They must, nevertheless, be returned back as they are
    2. Unrecognised query parameters should be ignored. Again, they can be returned back
    3. Query parameters in the request and response must not be included more than once
    4. The query parameter 'response_type' is mandatory, and the Authorisation server must return an Error Response if this parameter is missing.

Redirection EndPoint

The Redirection Endpoint resides on the Client App ( or the Client server ). The Authorisation server uses this endpoint to redirect the user ( via the user-agent ) back to the Client App. Once the Resource owner's authentication is over, the Authorisation server redirects the user-agent to the Redirection EndPoint. This redirection serves the purpose of
    • making the Client App aware of the status of the Resource owner's authentication. On successful authentication, the Authorisation server returns back a 'code' or 'access_token' as a query parameter. Otherwise the Authorisation server returns 'error' and 'error_description'
The Redirection Endpoint must be registered by the Client before any attempt is made to use this endpoint. A request containing this endpoint is validated by the Authorisation server against the registered redirect URLs, so it is necessary that the Redirection Endpoint matches one of those already registered during Client Registration.

Authorisation server responsibilities - The Authorisation server must take care of the following execution points while dealing with the Redirection Endpoint
    1. This endpoint should be an absolute URI
    2. It must not contain any fragment part
    3. The 'code' or 'access_token' getting transmitted between the different roles should be guarded via TLS ( though this isn't mandatory by the OAuth 2.0 Specs )
    4. If this Endpoint is missing or is blank, then the Authorisation server must let the User know about the missing Redirection EndPoint by an error response, rather than redirecting the user-agent to the Redirection Endpoint.
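As an added example ( not code from the original post ), here is a small Python validator for an Authorisation Server that applies the execution points listed under both endpoints above: empty-valued parameters are ignored, repeated parameters are rejected, 'response_type' is mandatory, and the redirect URI must be absolute, fragment-free and registered, with an unusable redirect URI reported to the user instead of being redirected to. The client registry and the query strings are constructed sample data.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit

# Constructed sample registry: redirect URIs each client supplied at registration.
REGISTERED_REDIRECTS = {"client-123": {"https://app.example.com/oauth/callback"}}


def is_absolute_without_fragment(uri):
    """Redirection Endpoint rules 1 and 2: absolute URI, no fragment part."""
    parts = urlsplit(uri)
    return bool(parts.scheme) and bool(parts.netloc) and "#" not in uri


def validate_authorisation_request(client_id, query, registry=REGISTERED_REDIRECTS):
    """Check the query string of a request to the Authorisation Endpoint.
    Returns ("ok", params), ("redirect", error) when the error can be delivered
    via the validated redirect_uri, or ("show_error", error) when the
    redirect_uri itself is unusable and the error must be shown to the user.
    """
    seen = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name in seen:  # a parameter must not be included more than once
            return "show_error", {"error": "invalid_request",
                                  "error_description": f"parameter {name!r} repeated"}
        seen[name] = value
    # Parameters without a value are ignored; unrecognised ones are passed through.
    params = {name: value for name, value in seen.items() if value != ""}

    # Redirection Endpoint rule 4: a missing, blank or unregistered redirect_uri
    # is reported to the user directly and never used as a redirect target.
    redirect_uri = params.get("redirect_uri")
    if (redirect_uri is None
            or not is_absolute_without_fragment(redirect_uri)
            or redirect_uri not in registry.get(client_id, set())):
        return "show_error", {"error": "invalid_request",
                              "error_description": "redirect_uri missing or not registered"}

    # Authorisation Endpoint rule 4: response_type is mandatory.
    if "response_type" not in params:
        return "redirect", {"error": "invalid_request",
                            "error_description": "response_type is required"}
    return "ok", params


def error_redirect_location(redirect_uri, error, state=None):
    """Build the Location header value that carries an error back to the client."""
    query = dict(error)
    if state is not None:
        query["state"] = state  # echoed so the client can correlate the response
    separator = "&" if urlsplit(redirect_uri).query else "?"
    return redirect_uri + separator + urlencode(query)
```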

Token EndPoint

The Token EndPoint is used by the Client to fetch access tokens.
In the Authorisation Code workflow, the client uses this endpoint to get the access tokens by including the 'authorisation code' in the HTTP request, i.e. the Client must authenticate itself before it can be issued access tokens by the Authorisation Server. This Client authentication is required for all the Authorisation Grant Types except the Implicit Grant Type. This authentication also requires that the Client sends back its Client credentials, i.e. the Client Id and Client secret ( obtained during client registration ).
The Token endpoint is not required in the Implicit grant type, as access tokens are returned by the authorisation server right at the time of user authentication: the authorisation server sends back the access token ( instead of an 'authorisation code' ) as a query parameter appended to the Redirection Url. Client and Authorisation server interaction on this endpoint must necessarily involve Transport Layer Security ( TLS ).

Authorisation Server responsibilities - The Authorisation server must take care of the following execution points while dealing with the Token Endpoint
  1. This endpoint should be an absolute URI
  2. It must not contain any fragment part
  3. Only the HTTP POST method should be supported on this endpoint
