Understand the token of OAuth

  • Question

  • User-1907931422 posted

    I am new to OAuth. I have a username and password stored in the database. If I pass them as the parameters, I can retrieve the corresponding values and make a comparison.

    But how about an OAuth token? Do we need to create the token first and then store it in the DB? My database doesn't have such a column.

    Wednesday, December 2, 2015 10:15 PM


  • User614698185 posted

    Hi zhshqzyc,

    OAuth provides client applications a 'secure delegated access' to server resources on behalf of a resource owner. It specifies a process for resource owners to authorize third-party access to their server resources without sharing their credentials. Designed specifically to work with Hypertext Transfer Protocol (HTTP), OAuth essentially allows access tokens to be issued to third-party clients by an authorization server, with the approval of the resource owner. The client then uses the access token to access the protected resources hosted by the resource server. OAuth is commonly used as a way for Internet users to log into third party websites using Microsoft, Google, Facebook or Twitter accounts without exposing their password.

    Possibly the most devastating OAuth security failure is a phishing vulnerability: every web site using OAuth is visually (but not technically) asking end users for the username and password of their master identity, which prevents ordinary users from understanding that they should not type those in should they encounter an attacker's web site that visually emulates this process to steal credentials. 2FA/two-step does not prevent this attack, because the phishing site can steal that as well (and use it right away).

    You could refer to the following tutorials to learn Token Based Authentication:




    Best Regards,

    Candice Zhou

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Thursday, December 3, 2015 2:44 AM
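The issue-then-present flow the answer describes (authorization server issues an access token with the resource owner's approval, the client presents it to the resource server), as an added example that is not part of the original thread and is not ASP.NET's or any library's own token code. It also speaks to the question's point about the missing column: an opaque token must be looked up in a server-side store (the dict below stands in for that DB table), while a self-contained HMAC-signed token needs no stored record, only the signing key. The `AuthorizationServer`, `verify_signed` and `resource_request` names, the `photo-app` client id, the `photos:read` scope, the 3600-second lifetime and the HMAC-over-JSON format are all assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

TOKEN_TTL = 3600  # seconds a token stays valid (assumed value)


def _b64(raw: bytes) -> bytes:
    return base64.urlsafe_b64encode(raw).rstrip(b"=")


def _unb64(enc: bytes) -> bytes:
    return base64.urlsafe_b64decode(enc + b"=" * (-len(enc) % 4))


class AuthorizationServer:
    """Issues access tokens to a client once the resource owner has approved."""

    def __init__(self, signing_key: bytes, now=time.time):
        self._key = signing_key
        self._now = now  # injectable clock so expiry can be exercised deterministically
        # Opaque-token design: this dict stands in for the DB table the question asks
        # about, keyed by sha256(token) so a leaked copy of the table yields no usable tokens.
        self._grants = {}

    def _grant(self, user, client_id, scope, owner_approved):
        if not owner_approved:
            raise PermissionError("resource owner did not approve the delegation")
        return {"sub": user, "client_id": client_id, "scope": scope,
                "exp": int(self._now()) + TOKEN_TTL}

    def issue_opaque(self, user, client_id, scope, owner_approved):
        """Random, meaningless token; validity lives entirely in the server-side record."""
        grant = self._grant(user, client_id, scope, owner_approved)
        token = secrets.token_urlsafe(32)
        self._grants[hashlib.sha256(token.encode()).hexdigest()] = grant
        return token

    def introspect(self, token):
        """Resource server calls back here to validate an opaque token."""
        grant = self._grants.get(hashlib.sha256(token.encode()).hexdigest())
        if grant is None or grant["exp"] <= self._now():
            return None
        return grant

    def issue_signed(self, user, client_id, scope, owner_approved):
        """Self-contained token: base64url(JSON claims) . base64url(HMAC-SHA256)."""
        grant = self._grant(user, client_id, scope, owner_approved)
        body = _b64(json.dumps(grant, sort_keys=True, separators=(",", ":")).encode())
        sig = _b64(hmac.new(self._key, body, hashlib.sha256).digest())
        return (body + b"." + sig).decode()


def verify_signed(token, signing_key, now=time.time):
    """Stateless check of a self-contained token: signature first, then expiry."""
    try:
        body, sig = token.encode().split(b".")
    except ValueError:
        return None
    expected = _b64(hmac.new(signing_key, body, hashlib.sha256).digest())
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        return None
    grant = json.loads(_unb64(body))
    if grant.get("exp", 0) <= now():
        return None
    return grant


def resource_request(authorization_header, required_scope, validate):
    """Resource server: HTTP status for a request carrying a bearer token."""
    if not authorization_header.startswith("Bearer "):
        return 401
    grant = validate(authorization_header[len("Bearer "):])
    if grant is None:
        return 401
    if required_scope not in grant["scope"].split():
        return 403  # valid token, but the owner never delegated this scope
    return 200


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # shared by authorization and resource server (assumption)
    az = AuthorizationServer(key)
    signed = az.issue_signed("alice", "photo-app", "photos:read", owner_approved=True)
    check = lambda t: verify_signed(t, key)
    print(resource_request("Bearer " + signed, "photos:read", check))   # 200
    print(resource_request("Bearer " + signed, "photos:write", check))  # 403
    print(resource_request("Bearer x" + signed, "photos:read", check))  # 401
```

Either design avoids the password comparison in the question: the client never sees the owner's password, and the resource server checks a token that carries (or points to) the delegated scope and expiry. Choosing opaque tokens means adding exactly the table the question is missing; choosing signed tokens means protecting the signing key and accepting that revocation needs a separate mechanism.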