Tags: web-services, oauth-2.0, authorization

What is the difference between OAuth 2.0 and Basic Auth with client id and secret credentials?


I’m trying to understand different kinds of authorization and I came across OAuth (which requires the client id and secret to request a token) and basic auth with client id and secret credentials. Can someone explain the difference? How is basic auth with client id and secret more secure than using an encrypted username and password? If I’m exposing a service with OAuth authorization, I assume the service consumer is supposed to make two calls: a first API call to get an access token, and a second call to make a service call to get the resource data (by including the access token, etc.). As the one exposing the service, how should I validate the token? Do I need to validate the access token against the authorization service, or once the token is sent to the consumer does the auth server also send the same to me, and I’m supposed to save it and maintain it in our DB? Sorry, I have a lot of confusion there, but I know a lot of you can guide me to the right answers. Much appreciated!

I did a lot of research on different kinds of authorization, but I still have a misunderstanding.


Solution

  • With OAuth (OpenID-Connect), you have multiple flows to choose from.

    Authorization code flow: this flow is for when you want a human user to authenticate in a secure way; as a result, you get back a set of tokens (id, access, refresh) that you can then use to create the local cookie session and to access backend services.

    Client credentials flow: this flow is for machine-to-machine communication, where one service can (using clientId/secret) request a token to access a backend service. This flow is secure because both services are usually on the same network (you own them).

    The benefit from an API authentication management perspective is that you get a secure and standard way to pass around tokens and manage access without calling someone else (working "offline"). The API can verify the tokens by first verifying the token signature and then the claims inside the token.

    The benefit of using access tokens and refresh tokens is that it is fairly easy to revoke access to them, and it is standardized.
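The two-call pattern the question describes (client credentials to get a token, then the API checking that token offline by signature first and claims second) can be shown end to end in one small script. This is an added example written for this page, not code from the answer above or from any OAuth library; it simulates both the authorization server's token endpoint and the resource API in one process using HS256 JWTs built with the Python standard library only. The shared secret, issuer URL, audience URL and the registered client are all constructed assumptions.

```python
"""Client credentials flow plus offline access-token validation (constructed example).

issue_token()  stands in for the authorization server's token endpoint.
verify_token() is what the resource API runs on every request, without
               calling the authorization server: signature first, then claims.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SHARED_SECRET = b"example-hs256-secret-not-for-production"  # assumption: key shared by auth server and API
ISSUER = "https://auth.example.test"                        # assumption
API_AUDIENCE = "https://api.example.test"                   # assumption

# Constructed client registry: clientId -> (clientSecret, scopes it may be granted)
REGISTERED_CLIENTS = {
    "reporting-service": {"secret": "s3cr3t", "scopes": {"reports:read"}},
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(signing_input: bytes) -> str:
    return _b64url(hmac.new(SHARED_SECRET, signing_input, hashlib.sha256).digest())


def issue_token(client_id: str, client_secret: str, now: Optional[int] = None, ttl: int = 300) -> str:
    """Token endpoint: authenticate the client with id/secret, then mint a short-lived token."""
    client = REGISTERED_CLIENTS.get(client_id)
    if client is None or not hmac.compare_digest(client["secret"], client_secret):
        raise PermissionError("invalid_client")
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "sub": client_id, "aud": API_AUDIENCE,
              "iat": now, "exp": now + ttl, "scope": " ".join(sorted(client["scopes"]))}
    compact = json.dumps(header, separators=(",", ":")).encode()
    signing_input = (_b64url(compact) + "." +
                     _b64url(json.dumps(claims, separators=(",", ":")).encode())).encode()
    return signing_input.decode() + "." + _sign(signing_input)


def verify_token(token: str, required_scope: str, now: Optional[int] = None) -> dict:
    """Resource API: reject anything whose signature does not check out, then check claims."""
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never trust "alg" from the token
        raise ValueError("unsupported alg")
    expected = _sign(f"{header_b64}.{claims_b64}".encode())
    if not hmac.compare_digest(expected, sig_b64):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(claims_b64))
    now = int(time.time()) if now is None else now
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != API_AUDIENCE:
        raise ValueError("wrong audience")
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    if required_scope not in claims.get("scope", "").split():
        raise ValueError("insufficient scope")
    return claims


def demo(now: int = 1_700_000_000) -> dict:
    """Call 1: obtain a token. Call 2: present it to the API. Then show three rejections."""
    token = issue_token("reporting-service", "s3cr3t", now=now)
    results = {"valid_subject": verify_token(token, "reports:read", now=now)["sub"]}
    h, c, s = token.split(".")
    tampered = f"{h}.{c[:-1]}{'A' if c[-1] != 'A' else 'B'}.{s}"  # edit the claims segment
    for name, args in (("tampered", (tampered, "reports:read", now)),
                       ("expired", (token, "reports:read", now + 600)),
                       ("wrong_scope", (token, "reports:write", now))):
        try:
            verify_token(*args)
            results[name] = "accepted"
        except ValueError as err:
            results[name] = str(err)
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point the answer makes is visible in `verify_token`: the API never contacts the authorization server or keeps a copy of issued tokens; it needs only the signing key (a public key in an RS256 deployment) and the expected issuer and audience. The order also matters: the signature is checked before any claim is read, so a tampered payload is rejected without being trusted even for parsing.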