OAuth 2.0
Basic Concepts
Authorization Server
The server responsible for issuing access tokens to the client after successfully authenticating and authorizing the client. The Authorization Server is sometimes also responsible for user authentication.
Flows
Possible ways a client can obtain an Access Token based on the type of application.
Application Type | Flow |
---|---|
Regular Web App: Traditional web application that performs most of its application logic on the server (e.g., Express.js, ASP.NET). | Authorization Code |
Native App: Mobile or desktop app that runs natively on a device (e.g., iOS, Android). | Authorization Code + PKCE |
Single-Page App (SPA): JavaScript application that performs most of its user interface logic in a web browser, communicating with a web server primarily using APIs (e.g., AngularJS + Node.js, React). | Authorization Code + PKCE |
Machine-to-Machine (M2M) App: Non-interactive application, such as command-line tools, daemons, IoT devices, or services running on your back end. Typically, you use this option if you have a service that requires access to an API. | Client Credentials Grant |
ClientId
The 80-character public portion of the WSKey.
Scope
A string which represents the functionality which the client is requesting authorization to use.
Authorization Code
The unique string which represents the fact that a user has successfully authenticated and the application has been granted the right to access one or more scopes for a particular institution. Clients exchange Authorization Codes to obtain Access Tokens.
Access Token
A credential that can be used by an application to access an API. Access Tokens can be either an opaque string or a JSON Web Token (JWT).
Partial scopes
An access token which is returned with only some of the scopes the client application requested.
Basic Authentication
A simple authentication scheme used to protect HTTP requests. Requests carry an Authorization header containing the key and secret joined by a colon and base64 encoded.
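The Authorization Code exchange, the Basic Authentication header, and the partial-scopes check described above, shown together as an added example (this is not OCLC's or any library's own client code; the client id, secret, code, redirect URI and scope names are constructed placeholders):

```python
"""Added example: build an Authorization Code token exchange and check the
granted scopes. Endpoint, credentials and scope names are placeholders."""
import base64
import json
from urllib.parse import urlencode


def basic_auth_header(client_id: str, secret: str) -> str:
    """Basic Authentication: key and secret joined by a colon, base64 encoded."""
    credentials = f"{client_id}:{secret}".encode("utf-8")
    return "Basic " + base64.b64encode(credentials).decode("ascii")


def build_code_exchange(client_id: str, secret: str, code: str, redirect_uri: str):
    """Request that trades an Authorization Code for an Access Token
    (RFC 6749 section 4.1.3). The client credentials go in the header, not
    in the URL, so they do not end up in server logs or browser history."""
    headers = {
        "Authorization": basic_auth_header(client_id, secret),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,  # must match the one used to get the code
    })
    return headers, body


def check_scopes(token_response: dict, requested: set) -> dict:
    """Compare granted scopes with requested ones. A partial-scope response
    is still a successful response, so a client that ignores the 'scope'
    field only finds out later via 403s. Per RFC 6749 section 5.1, a missing
    'scope' field means the granted scopes equal the requested ones."""
    if "scope" not in token_response:
        granted = set(requested)
    else:
        granted = set(token_response["scope"].split())
    return {"granted": granted, "missing": set(requested) - granted}


# Constructed sample response: only one of the two requested scopes was granted.
SAMPLE_RESPONSE = json.loads(
    '{"access_token": "tk_example", "token_type": "bearer",'
    ' "expires_in": 1199, "scope": "catalog:read"}'
)

if __name__ == "__main__":
    headers, body = build_code_exchange("abc", "xyz", "code123", "https://app.example/cb")
    print(headers["Authorization"], body)
    print(check_scopes(SAMPLE_RESPONSE, {"catalog:read", "catalog:write"}))
```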
Refresh Token
A longer-lived token which a client can request; it allows an application to obtain a new access token without prompting the user again.
Token Revocation
Applications can programmatically revoke the access a user has given to them. Revocation is important when a user unsubscribes, removes an application, or "logs out".
For a detailed technical overview of the OAuth 2.0 standard, please see RFC 6749.