3.4.5.API Authorization using OAuth2.0

  • OAuth2.0 has become the defactor standard for building authorization (授權) for REST APIs as Facebook, Linkedin and Spotify

  • Customer Information

    • 第三方服務直接透過API取得客戶的資料是不合理的, 因為沒有取得客戶的授權

  • Authorization

    • 合理的做法應該是: 第三方服務先取得客戶授權, 再透過API取得客戶資料

  • OAuth2.0

    • Flexible Authorization framework

      • Uses different types of tokens

      • Described 5 methods (grants) for acquiring access tokens

        • 1.Authorization scope grant

        • 2.Client credentials grant

        • 3.Implicit grant

        • 4.Refresh token grant

        • 5.Resource owner credentials grant

      • End user in control of their data (scope)

      • Application/ Client needs a API key & secret

  • OAuth2.0 Tokens

    • 1.Authorization Token

      • Proof of authorization

      • Issued after user logs in and authorize

    • 2.Access Token

      • Credential for accessing the protected resource

        • Provider may define multiple types: 不同token會對應到不同scope

        • e.g., facebook

      • Expiry set by issuer

    • 3.Refresh Token

      • May be used for extending access token validity

  • 流程 (簡易)

    • 有三個主要腳色

      • 1.User

      • 2.Application/client

      • 3.Authorization server/ resource server (API provider)

  • OAuth2.0 Design Decisions

    • Scopes of the user data (API)

    • Type of OAuth grants to be supported

      • Authorization || Implicit grant private data

      • Client credentials public data

      • For trusted clients would you use "Resource owner credentials grant"?

    • Implementing the OAuth

      • Build

      • API Management Platform

  • 何時不採用OAuth

    • 以下兩種場景

      • API僅供消遣使用, 如果某個惡意軟件竊取了證書, 也不會造成任何破壞

      • API的用戶都編寫屬於自己的應用程式

Previous3.4.4.Securing API with API Key & SecretNext3.4.5.1.Authorization scope grant (Refresh token grant)

Last updated

Was this helpful?