12
12
12
Key OAuth Terms
- Resource Owner is you
- Resource Server is what you want to share access to
- Grant Type (aka Flow) describes the use case
- Tokens represents the authorization, user, or state
- Authorization Server (aka Auth Server) creates the Tokens
- Scopes are the permissions you request from the Auth Server
- Claims are the key/value pairs returned from the Auth Server
Slide 13
Slide 13 text
13
13
13
Key OAuth Terms (simplified)
- Resource Owner is you
- Resource Server where you use the token
- Grant Type (aka Flow) how you get the tokens
- Tokens are the tokens
- Authorization Server (aka Auth Server) creates the Tokens
- Scopes how you request stuff in the tokens
- Claims the stuff in the tokens
Slide 14
Slide 14 text
14
14
14
Hotel Key Cards but for Apps
Slide 15
Slide 15 text
Grant Types
(aka use cases or how you get the tokens)
27
27
27
Grant Types (aka OAuth flows)
- Authorization Code Flow replaced w/ PKCE (below)
- Implicit Flow replaced w/ PKCE (below)
- Resource Owner Password Flow removed
- Client Credential Flow
Extensions
- Authorization Code Flow with PKCE
- SAML 2.0 Assertion Flow
- Device Grant Type
- Okta: Interaction Grant Type
Ref: https://oauth.net/2.1/ (still a draft)
Slide 28
Slide 28 text
28
28
28
Which should I use?
Slide 29
Slide 29 text
29
29
29
Which should I use? (under OAuth 2.1)
* Leaves out SAML Assertion, Device Grant Type, and others
Does your
App have
an end
user?
Client
Credential
Flow
Auth Code
with PKCE
Yes No