
Understanding the OAuth workflow


I am reading an article which talks about the OAuth workflow. The article has a sequence diagram:

[sequence diagram of the OAuth workflow from the article; image not included]

I have a few questions about the OAuth workflow:

  1. Shouldn't the first endpoint be called Authenticate and not Authorize? Because at this stage the user is authenticating himself.
  2. If someone steals the access token, does it mean he gains access to the resource?
  3. Does the client app need to manage multiple calls, or can we use some NuGet package for .NET-based clients to abstract it for us?

Solution

  • Shouldn't the first endpoint be called Authenticate and not Authorize? Because at this stage the user is authenticating himself.

    The user is authenticating, but at the same time the user is authorizing the application for the permissions the app requests (scopes). I think that's why it is called an authorize endpoint.

  • If someone steals the access token, does it mean he gains access to the resource?

    Yes, they would be able to act on your behalf until the token expires. This is why the token should always only be sent over secure channels (HTTPS only). In this regard tokens aren't better than cookies, but tokens usually expire faster than cookies.

  • Does the client app need to manage multiple calls, or can we use some NuGet package for .NET-based clients to abstract it for us?

    You can use Microsoft.Identity.Client (aka MSAL) to get tokens in some of the scenarios. If you have an ASP.NET Core Web App, you would also need something like Microsoft.Identity.Web.
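The sequence the answer walks through, as an added example that is not part of the original question or answer and is not MSAL's own code: a minimal authorization-code client with PKCE written in Python (the flow is the same whatever the client language; for .NET apps MSAL.NET wraps these same calls), paired with a constructed in-memory stand-in for the authorization server so the exchange runs offline. The endpoint URLs, client_id, redirect URI and scope are assumptions, not a real Azure AD tenant. It illustrates the answer's three points: the /authorize request carries the scopes the user consents to (not only a login), the access token is a bearer credential that is good for anyone holding it until expires_in elapses, and the client refuses to post the token request to anything but an HTTPS endpoint.

```python
# Added example (not from the original post): OAuth 2.0 authorization-code
# flow with PKCE, client side, plus a constructed fake authorization server.
# Endpoint URLs, client_id, redirect URI and scope below are assumptions.
import base64
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_ENDPOINT = "https://login.example.test/oauth2/v2.0/authorize"  # assumed
TOKEN_ENDPOINT = "https://login.example.test/oauth2/v2.0/token"          # assumed


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_pkce_pair():
    """code_verifier (kept secret by the client) and its S256 code_challenge."""
    verifier = b64url(secrets.token_bytes(32))
    return verifier, b64url(hashlib.sha256(verifier.encode()).digest())


def build_authorize_url(client_id, redirect_uri, scopes, state, code_challenge):
    """Step 1: the /authorize request. The user signs in AND consents to
    `scopes`; that consent is why the endpoint is an authorize endpoint."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,                    # binds the callback to this browser session
        "code_challenge": code_challenge,  # PKCE: binds the code to this client run
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def parse_callback(location: str, expected_state: str) -> str:
    """Step 2: the redirect back to the client. Reject a callback whose state
    is not the one we generated; otherwise return the authorization code."""
    qs = parse_qs(urlparse(location).query)
    if "error" in qs:
        raise RuntimeError(f"authorization failed: {qs['error'][0]}")
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: possible CSRF or mixed-up callback")
    return qs["code"][0]


def build_token_request(client_id, redirect_uri, code, code_verifier) -> dict:
    """Step 3: form body of the POST to /token. Refuse plain HTTP outright."""
    if urlparse(TOKEN_ENDPOINT).scheme != "https":
        raise RuntimeError("token endpoint must be HTTPS; a bearer token has no other protection")
    return {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "code": code,
        "code_verifier": code_verifier,
    }


class CachedToken:
    """Bearer token plus absolute expiry. Whoever holds access_token can use
    it until expires_at, so the only mitigations are transport security and
    a short lifetime (the `skew` renews slightly early to avoid edge failures)."""

    def __init__(self, token_response: dict, now: float, skew: float = 60.0):
        self.access_token = token_response["access_token"]
        self.expires_at = now + float(token_response["expires_in"]) - skew

    def is_valid(self, now: float) -> bool:
        return now < self.expires_at


class FakeAuthServer:
    """Constructed stand-in for the authorization server (not Azure AD):
    hands out a one-time code at /authorize and checks PKCE at /token."""

    def __init__(self):
        self._pending = {}

    def authorize(self, url: str) -> str:
        q = parse_qs(urlparse(url).query)
        code = secrets.token_urlsafe(16)
        self._pending[code] = (q["code_challenge"][0], q["redirect_uri"][0])
        return f"{q['redirect_uri'][0]}?" + urlencode({"code": code, "state": q["state"][0]})

    def token(self, form: dict) -> dict:
        challenge, redirect_uri = self._pending.pop(form["code"], (None, None))
        if challenge is None or redirect_uri != form["redirect_uri"]:
            return {"error": "invalid_grant"}
        if b64url(hashlib.sha256(form["code_verifier"].encode()).digest()) != challenge:
            return {"error": "invalid_grant"}  # stolen code replayed without the verifier
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer", "expires_in": 3600}


def run_flow(server: FakeAuthServer, now: float) -> CachedToken:
    """Drive the whole sequence once; this is what MSAL hides behind AcquireToken*."""
    client_id = "11111111-2222-3333-4444-555555555555"      # assumed app registration
    redirect_uri = "https://app.example.test/callback"       # assumed
    verifier, challenge = make_pkce_pair()
    state = secrets.token_urlsafe(16)
    location = server.authorize(build_authorize_url(client_id, redirect_uri, ["User.Read"], state, challenge))
    code = parse_callback(location, state)
    resp = server.token(build_token_request(client_id, redirect_uri, code, verifier))
    if "error" in resp:
        raise RuntimeError(resp["error"])
    return CachedToken(resp, now)


if __name__ == "__main__":
    tok = run_flow(FakeAuthServer(), time.time())
    print("valid now:", tok.is_valid(time.time()), "valid in 2h:", tok.is_valid(time.time() + 7200))
```

The state check and PKCE verifier are what a library like MSAL does for you; the part it cannot do is keep the returned bearer token off insecure channels or out of client-side storage an attacker can read, which is the second answer's point.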