Index
A
- access token
  - about / An untrusted client – GoodApp requests access for user's Facebook friends using implicit grant, Refresher on access tokens
  - versus bearer token / An untrusted client – GoodApp requests access for user's Facebook friends using implicit grant
  - obtaining / Step 2 – Get your access token
  - defining / A closer look at access tokens, An access token is an access token
  - scope / Scope
  - access duration / Duration of access
  - token revocation / Token revocation
  - using / Step 3 – Use your access token
  - refreshing / Step 4 – Refresh your access token
  - used, for creating API call / Use your access token to make an API call
  - authorization request header field, defining / The authorization request header field
  - form-encoded body parameter, using / The form-encoded body parameter
  - URI query parameter, using / The URI query parameter
- access token request
  - about / Access token request
  - according, to specification / According to the specification
  - in application / In our application
  - making / Make the access token request
  - defining / Access token request
- access token response
  - defining / Access token response, Access token response
  - success / Success, Success, Success
  - parameters / Success, Access token response
  - error / Error, Error, Error
  - handling / Handle the access token response, Handle the access token response
  - properties / Access token response
  - about / Access token response, The access token response
- Apache Maven
  - defining / Build the base application
  - URL / Install Apache Maven, Install Apache Maven
  - installing / Install Apache Maven
- API call
  - creating, access token used / Use your access token to make an API call
- API call flow
  - about / The API call flow
  - authorization request header field / The authorization request header field
  - authorization request header field, troubleshooting / Common issues
  - common issues, with authorization request header field / Common issues
  - form-encoded body parameter / The form-encoded body parameter
  - form-encoded body parameter, troubleshooting / Common issues
  - common issues, with form-encoded body parameter / Common issues
  - URI query parameter, using / The URI query parameter
- application
  - registering, with Facebook / Registering your application with Facebook
  - creating / Creating your application
  - redirection endpoint, setting / Setting your redirection endpoint
  - service providers authorization, finding / Find your service provider's authorization and token endpoints
  - token endpoints, finding / Find your service provider's authorization and token endpoints
- auth endpoint
  - URL / Putting it all together!
- authentication
  - versus authorization / Authentication versus authorization
  - about / Authentication
- authorization
  - versus authentication / Authentication versus authorization
  - about / Authorization
  - performing, via mobile application / Authorization via application instead of user-agent
- authorization code
- authorization code grant flow
  - about / Refresher on the authorization code grant flow, A closer look at the authorization code grant flow, The authorization code grant flow
  - authorization request / Authorization request, The authorization request
  - authorization response / Authorization response
  - access token request / Access token request, The access token request
  - access token response / Access token response
  - authorization request, troubleshooting / Common issues
  - common issues, with authorization request / Common issues
  - access token request, troubleshooting / Common issues
  - common issues, with access token request / Common issues
- authorization endpoint
- authorization request
  - defining / Authorization request
  - defining, according to specification / According to the specification
  - parameters / According to the specification
  - defining, in application / In our application
  - creating / Make the authorization request
  - example / Authorization request
  - about / Authorization request
  - according, to specification / According to the specification
  - in application / In our application
  - making / Make the authorization request
- authorization request and response
  - defining / Authorization request and response
- authorization response
  - about / Authorization response
  - success / Success
  - error / Error
  - handling / Handle the authorization response
- auth process
B
- base application
  - building / Build the base application, Build the base application
  - Apache Maven, installing / Install Apache Maven
  - project, creating / Create the project, Create the project
  - base project, configuring / Configure base project to fit our application
  - hosts file, modifying / Modify the hosts file, Modify the hosts file
  - running / Running it for the first time, Running it for the first time
- base project
  - configuring / Configure the base project to fit our application
- bearer token
- best practices, security
  - TLS, using / Use TLS!
  - minimal scopes, requesting / Request minimal scopes
  - implicit grant flow, using / When using the implicit grant flow, request read-only permissions
  - read-only permissions, requesting / When using the implicit grant flow, request read-only permissions
  - credentials and tokens, maintaining out of reach of users / Keep credentials and tokens out of reach of users
  - authorization code grant flow, using / Use the authorization code grant flow whenever possible
  - refresh token, using / Use the refresh token whenever possible
  - native browsers, using instead of embedded browsers / Use native browsers instead of embedded browsers
  - third-party scripts, avoiding in redirection endpoint / Do not use third-party scripts in the redirection endpoint
  - client credentials, rotating / Rotate your client credentials
C
- client-side application
  - API call, creating / In our client-side application
  - URI query parameter, using / Send via the URI query parameter
  - form-encoded body parameter, using / Send via the form-encoded body parameter
  - GitHub, URL / Send via the form-encoded body parameter
- client-side flow
  - defining / First look at the client-side flow
  - untrusted client / An untrusted client – GoodApp requests access for user's Facebook friends using implicit grant
  - implicit grant type, using / The big picture
- client application
  - registering / Step 1 – Register your client application
  - different service providers / Different service providers, different registration process, same OAuth 2.0 protocol
  - different registration process / Different service providers, different registration process, same OAuth 2.0 protocol
  - same OAuth 2.0 protocol / Different service providers, different registration process, same OAuth 2.0 protocol
  - client credentials / Your client credentials
- client credentials
  - about / Your client credentials
- client credentials grant
  - using / When should you use it?
  - reference / Reference pages
  - defining / Overview of the client credentials grant
- common attacks
  - about / Common attacks
  - Cross-site request forgery (CSRF) / Cross-site request forgery (CSRF)
  - phishing / Phishing
  - redirection URI manipulation / Redirection URI manipulation
  - client and user impersonation / Client and user impersonation
- Cross-site request forgery (CSRF)
  - about / Cross-site request forgery (CSRF)
  - state param used, for combating / Use the state param to combat CSRF
- cURL
  - about / Tools
- custom grant types
  - about / Custom grant types
  - authorization code grant / Custom grant types
  - implicit grant / Custom grant types
D
- delegated authority / What problems does it solve?, Delegated authority
E
- embedded browser
  - versus native browser / Use native browsers instead of embedded browsers
- error, access token response
  - parameters / Error
- error response
  - parameters / Error response
  - defining / Error response
  - properties / Error response
- expired refresh token
- extensions, OAuth 2.0 framework
  - custom grant types / Custom grant types
  - token types / A variety of token types
  - authorization backend / Any authorization backend
F
- Facebook App Settings page
  - reference link / Make the authorization request
- Facebook Developers page
- Facebook Graph API
  - about / Let's build it!
  - URL / Let's build it!
- federated identity / What problems does it solve?, Federated identity
G
- GoodApp
  - working / How does it work?
  - user consent / User consent
  - workflows, defining for clients / Two main flows for two main types of client
  - trusted, versus untrusted clients / Trusted versus untrusted clients
- GoodApp application
  - defining / Let's get started
H
- hybrid architecture
  - about / Hybrid architectures
  - implicit grant flow, for mobile app / Implicit for mobile app, authorization code grant for backend server
  - authorization code grant, for backend server / Implicit for mobile app, authorization code grant for backend server
  - benefit / What is the benefit of this?
I
- implicit grant flow
  - defining / Refresher on the implicit grant flow, A closer look at the implicit grant flow
  - authorization request / Authorization request, The authorization request
  - access token response / Access token response
  - about / The implicit grant flow
  - common issues, with authorization request / Common issues
  - authorization request, troubleshooting / Common issues
- implicit grant type
  - using / When should this be used?
- infographic
- installation, Apache Maven / Install Apache Maven
J
- jQuery library
- JSON Web Tokens (JWTs)
  - about / JSON Web Token (JWT)
M
- mobile
- mobile application
  - about / What is a mobile application?
  - flow type, deciding / What flow should we use for mobile applications?
  - considerations / Are mobile applications trusted or untrusted?
  - with secure storage APIs, on mobile platforms / What about mobile applications built on top of mobile platforms with secure storage APIs?
  - security considerations / Not quite enough
  - authorization, performing via / Authorization via application instead of user-agent
N
- native browser
  - versus embedded browser / Use native browsers instead of embedded browsers
O
- OAuth 2.0
  - using / What problems does it solve?, Who uses OAuth 2.0?
  - federated identity / Federated identity
  - delegated authority / Delegated authority
  - examples, defining / Real-life examples of OAuth 2.0 in action
  - used, for solving problem / How does OAuth 2.0 actually solve the problem?
  - authorization framework / Two main flows for two main types of client, Trusted versus untrusted clients
  - trusted / Trusted versus untrusted clients
  - untrusted / Trusted versus untrusted clients
  - defining / Let's get started
- OAuth 2.0 framework
  - extensions / Extensions to the OAuth 2.0 framework
- OAuth 2.0 protocol
  - reference specifications / Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants, OpenID Connect Core 1.0
- OpenID Connect
  - about / OpenID Connect
  - using / OpenID Connect
  - URL / OpenID Connect
P
- perpetual tokens
  - about / Duration of access
- phishing / Phishing
- problem solving
- project object model (POM)
  - about / Build the base application
R
- redirection endpoint
- reference pages
  - defining / Reference pages, Reference pages
  - implicit grant flow / Overview of the implicit grant flow
  - access token response / Access token response, Access token response
  - error response / Error response, Error response
  - refresh token flow / An overview of the refresh token flow
  - refresh request / The refresh request
- refresh request
  - about / The refresh request
  - specification, defining / According to the specification
  - parameters / The refresh request
- refresh token
  - defining / Sometimes a refresh token
  - about / Sometimes a refresh token
  - incapability / What if I don't have a refresh token?
- refresh token flow
  - defining / A closer look at the refresh token flow
  - refresh request / The refresh request
  - access token response / The access token response
  - versus auth process / Comparison between the two methods
  - pros / Comparison between the two methods
  - cons / Comparison between the two methods
  - about / The refresh token flow
  - troubleshooting / Common issues
  - common issues / Common issues
- registration process
  - defining / Recap of registration process
- resource owner password credentials grant
  - usage / When should you use it?
  - reference / Reference pages
  - overview / An overview of the resource owner password credentials grant
  - authorization request / Authorization request and response
  - authorization response / Authorization request and response
  - access token request, defining / Access token request
  - access token response, defining / Access token response
  - error response / Error response
S
- sample application
  - building / Let's build it!
- scope and duration of access
  - about / A closer look at access tokens
- security
  - defining / What's at stake?
  - best practices / Security best practices
- Security Assertion Markup Language (SAML) 2.0
- server-side application
  - API call, creating / In our server-side application
  - URI query parameter, using / Send via the URI query parameter
  - HTTP authorization header, using / Send via the HTTP authorization header
  - GitHub, URL / Send via the HTTP authorization header
- server-side flow
  - defining / First look at the server-side flow
  - trusted client / A trusted client – GoodApp requests access for user's Facebook friends using authorization code grant
  - workflow, defining / The big picture
  - using / When should this be used?
- server-side workflow
  - and client-side workflow, comparing / What are the differences?
- SSO (Single Sign On)
  - about / Make the authorization request
T
- token endpoint
- token revocation
  - about / Token revocation
- token types
  - about / A variety of token types
  - JSON Web Tokens (JWT) / A variety of token types
  - SAML assertions / A variety of token types
- tools
  - using / Tools
- troubleshooting
  - about / Troubleshooting
  - implicit grant flow / The implicit grant flow
  - authorization code grant flow / The authorization code grant flow
  - API call flow / The API call flow
  - refresh token flow / The refresh token flow
- trust
- trusted client
  - about / Trusted versus untrusted clients
  - advantages / Pros
  - disadvantages / Cons
U
- untrusted client
  - about / Trusted versus untrusted clients, Pros and cons of being an untrusted client
  - advantages / Pros
  - disadvantages / Cons
- user consent
  - about / How does it work?
W
- WMIIG
- WMIIG (World's Most Interesting Infographic Generator) / Refresher on the authorization code grant flow
- workflow
  - defining / The ideal workflow
- World's Most Interesting Infographic Generator