Book Image

Mastering OAuth 2.0

Book Image

Mastering OAuth 2.0

Overview of this book

OAuth 2.0 is a powerful authentication and authorization framework that has been adopted as a standard in the technical community. Proper use of this protocol will enable your application to interact with the world's most popular service providers, allowing you to leverage their world-class technologies in your own application. Want to log your user in to your application with their Facebook account? Want to display an interactive Google Map in your application? How about posting an update to your user's LinkedIn feed? This is all achievable through the power of OAuth. With a focus on practicality and security, this book takes a detailed and hands-on approach to explaining the protocol, highlighting important pieces of information along the way. At the beginning, you will learn what OAuth is, how it works at a high level, and the steps involved in creating an application. After obtaining an overview of OAuth, you will move on to the second part of the book where you will learn the need for and importance of registering your application and types of supported workflows. You will discover more about the access token, how you can use it with your application, and how to refresh it after expiration. By the end of the book, you will know how to make your application architecture robust. You will explore the security considerations and effective methods to debug your applications using appropriate tools. You will also have a look at special considerations to integrate with OAuth service providers via native mobile applications. In addition, you will also come across support resources for OAuth and credentials grant.
Table of Contents (22 chapters)
Mastering OAuth 2.0
Credits
About the Author
About the Reviewers
www.PacktPub.com
Preface
11
Tooling and Troubleshooting
Index

Use your access token to make an API call


Now that we have the ability to fetch access tokens from the service provider using either the implicit grant flow or the authorization code grant flow, let's finally utilize these tokens to access protected resources. This is done via API calls to the service provider, in our case, Facebook. When making an API call to request access to a protected resource, the respective access token must be provided as well. This allows the service provider to validate the token by ensuring that the token has not expired or been revoked and that its associated scope covers the requested resource.

There are three prescribed methods for passing the access token in an API call. Those methods are:

  • Authorization request header field

  • Form-encoded body parameter

  • URI query parameter

Tip

Only for bearer tokens!

These three methods are only for tokens of the type bearer, which is the only type of token we have dealt with in this book. However, there are other token types that...