Introduction
This project was built in order to demonstrate the use of the OAuth 2.0 and OpenID Connect protocols when it comes to protecting APIs and users. We will attempt to cover the basics and provide thorough documentation on how to implement certain functionalities of the server and how to link the APIs and clients to it.
As Codaisseur is growing day by day, so does the number of student-made projects. Many of these projects have some amazing functionality, and with that we want to encourage the frequent use of these projects by everyone! However, this can prove to be somewhat troublesome, especially when it comes to having to create a separate user account for each of these amazing applications. In addition, each application may implement different authentication rules and policies, which leads to a far from seamless user experience.
As an extra bonus, modern applications today need advanced methods for authenticating and authorizing requests. Modern techniques are often found to be very complicated for the average developer, and so we end up relying on external, third-party providers that offer such secure protocols.
We hope that with this project and the example APIs, you too can learn to better understand and use these protocols quickly and efficiently.
Basically, we need to define some new terms and explain their meaning in order to better understand how they work and how they relate to each other. With OAuth 2.0 we define four main roles:
- Resource Owner
- Resource Server
- Authorization Server
- Client
The resource owner is typically an entity capable of granting access to a protected resource. When this resource owner is a person, it is referred to as an end-user.
The resource server is the server hosting all or a part of the protected resources; it is capable of accepting and responding to protected resource requests using access tokens.
The authorization server is the server issuing all the access tokens to the client after successfully authenticating the resource owner and obtaining authorization.
A client is typically an application making protected resource requests on behalf of the resource owner and with its authorization. The term "client" does not imply any particular implementation characteristics (e.g., whether the application executes on a server, a desktop, or other devices).
The interaction between the authorization server and resource server is beyond the scope of this specification, although it will be covered briefly in some example API integrations. The authorization server may be the same server as the resource server or a separate entity. A single authorization server may issue access tokens accepted by multiple resource servers.
- Introduction
- Features
- Authorization Grant
- Response Types
- Tokens
- Stores
- Modifying the Server
- Tutorials
- Adding a client
- Protecting Node API
- Client User Authentication
- Implementing Claims and Scopes (TBA)