How OAuth is used to secure web api

  • Question

  • User264732274 posted

    Normally these days many web sites provide OAuth to log in to their web API, but how can we use the same OAuth for a web API?

    Will the client send the user id and password in plain text to the web API, and will the web API send those client credentials to the OAuth site?

    If the user credentials are found to be right, then OAuth will send a token to the web API, the web API will send the token to the client, and from the next subsequent call the web API will use the same token for each request. Am I right?

    If my thinking is wrong, then just briefly tell me how OAuth is used with a web API, how the client sends its credentials, how it gets a token, etc. Thanks.

    Monday, November 28, 2016 2:36 PM

All replies

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Monday, November 28, 2016 4:21 PM
  • User-2057865890 posted

    Hi Sudip_inn,

    (A) The client requests authorization from the resource owner. The authorization request can be made directly to the resource owner, or preferably indirectly via the authorization server as an intermediary.

    (B) The client receives an authorization grant, which is a credential representing the resource owner's authorization, expressed using one of four grant types defined in this specification or using an extension grant type. The authorization grant type depends on the method used by the client to request authorization and the types supported by the authorization server.

    (C) The client requests an access token by authenticating with the authorization server and presenting the authorization grant.

    (D) The authorization server authenticates the client and validates the authorization grant, and if valid, issues an access token.

    Reference: https://tools.ietf.org/html/rfc6749

    Best Regards,

    Chris

    Tuesday, November 29, 2016 5:40 AM
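
Steps (A) to (D) above, shown with the authorization code grant from RFC 6749, as an added example that is not part of the original thread. It is a toy in-memory model: all names, credentials and URLs are constructed, and the web API checking tokens by looking them up in the server's table is a simplifying assumption.

```python
import hmac
import secrets

class AuthorizationServer:
    """Toy in-memory authorization server (all data constructed)."""
    def __init__(self):
        self.users = {"alice": "correct horse"}  # resource owners
        self.clients = {"webapp": ("s3cret", "https://app.example/cb")}
        self.codes = {}   # authorization code -> (client_id, redirect_uri, user)
        self.tokens = {}  # access token -> user

    def authorize(self, user, password, client_id, redirect_uri):
        # (A)/(B): the resource owner logs in here, at the authorization
        # server. The client and the web API never see the password.
        registered = self.clients.get(client_id)
        if registered is None or redirect_uri != registered[1]:
            raise PermissionError("unknown client or redirect_uri mismatch")
        expected = self.users.get(user)
        if expected is None or not hmac.compare_digest(expected, password):
            raise PermissionError("bad user credentials")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, redirect_uri, user)
        return code  # delivered to the client via redirect_uri

    def token(self, grant_type, code, redirect_uri, client_id, client_secret):
        # (C): the client authenticates with its own secret and presents the grant.
        secret = self.clients.get(client_id, ("", ""))[0]
        if not secret or not hmac.compare_digest(secret, client_secret):
            raise PermissionError("invalid_client")
        # (D): the code is single use and bound to client and redirect_uri.
        grant = self.codes.pop(code, None)
        if (grant_type != "authorization_code" or grant is None
                or grant[:2] != (client_id, redirect_uri)):
            raise PermissionError("invalid_grant")
        access_token = secrets.token_urlsafe(32)
        self.tokens[access_token] = grant[2]
        return {"access_token": access_token, "token_type": "Bearer"}

def web_api(auth_server, authorization_header):
    """Protected web API: accepts only a bearer token, never a password."""
    scheme, _, token = authorization_header.partition(" ")
    user = auth_server.tokens.get(token) if scheme == "Bearer" else None
    return (200, f"hello {user}") if user else (401, "invalid_token")

def run_flow():
    srv = AuthorizationServer()
    code = srv.authorize("alice", "correct horse", "webapp", "https://app.example/cb")
    tok = srv.token("authorization_code", code, "https://app.example/cb", "webapp", "s3cret")
    return srv, code, tok
```
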
  • User264732274 posted

    Things are not clear.

    1) You said: The client requests authorization from the resource owner. The authorization process comes after authentication, so where are the authentication steps?

    2) This is not clear. You said: The client receives an authorization grant, which is a credential representing the resource owner's authorization, expressed using one of four grant types defined in this specification or using an extension grant type. The authorization grant type depends on the method used by the client to request authorization and the types supported by the authorization server.

    What is an authorization grant?

    3) The client requests an access token by authenticating with the authorization server.

    What kind of things will the client pass to the authorization server to get an access token?

    Please help me to drive out my confusion. Thanks.

    Tuesday, November 29, 2016 9:56 AM