
Does this workflow for authentication and requesting resources meet the requirements for OAuth2?


Based on what I've read, I still don't have a good understanding of what makes a workflow for authentication and resource request considered OAuth2. Does the following scenario I'm about to describe meet the requirements for OAuth2?

Step 1 I have a website that sends the following code via JavaScript:

// login to get an access token in json web token format
// (declared with let, since the token is assigned once the response arrives)
let jwt = null;
fetch('/login', { method: 'POST', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify({ username: 'john', password: 'pass' }) })
  .then(r => r.json())
  .then(r => { jwt = r.accessToken; });

Step 2 When I want to get information from the API, I do something like:

// list all my invoices, sending the token as a Bearer credential
fetch('/invoices', { method: 'GET', headers: { 'Content-Type': 'application/json', 'Authorization': `Bearer ${jwt}` } });

Does my workflow above meet the requirements of an OAuth2 implementation?

When I try to authenticate and request resources from other APIs such as Facebook, LinkedIn, etc., there are more steps involved during the login process where I need to specify hmac tokens, scopes, and redirect_url to get a client_secret. Then I use the client_secret to request the access_token. Does OAuth2 mandate that I also implement a workflow that incorporates scopes, redirect_url, and client_secret? Or is my initial scenario above adequate to satisfy OAuth2?


Solution

  • What you described is the resource owner password credentials grant type:

    The credentials should only be used when there is a high degree of trust between the resource owner and the client (e.g., the client is part of the device operating system or a highly privileged application), and when other authorization grant types are not available (such as an authorization code).

    The only case where I can imagine the usage of this grant type is your official mobile application.

    OAuth2 is designed to be used in many types of applications (browser clients, daemons, native applications, etc.). That's why it has a few grant types.

    Also, OAuth2 uses the principle of least privilege. That's why it has a concept of scopes, i.e. the client application should explicitly say which areas of your application it wants to access.