Using OAuth For Access Token Retrieval
This section provides supplemental detail about the OAuth authentication and Access Token retrieval flow between the User, the Mobile and Social server (the relying party), and an OAuth Identity Provider. (Facebook uses the OAuth 2.0 protocol, and LinkedIn and Twitter use the OAuth 1.0 protocol.) In this scenario, the server interfaces with the OAuth Identity Provider to get an authorization code and Access Token to access a resource protected by the OAuth Identity Provider. The Client application in this scenario could be either a Web application running on a Java-compliant application server, or a mobile application. Figure 37-9, following the text, illustrates the process.
1. The user opens the client application, which returns a protected web page to the user's browser.
2. The user attempts to open the protected resource on the client application.
3. The client application asks the Mobile and Social server for an Access Token so that the user can access the protected resource.
   If Mobile and Social has a valid Access Token in its cache, it forwards the Access Token to the client application and the authentication scenario skips to step 10. This flow assumes Mobile and Social does not have the Access Token in its local cache.
4. Since the Access Token is not in its local cache, Mobile and Social initiates an authorization request with the OAuth Identity Provider on behalf of the user (utilizing HTTP headers to embed an OAuth Client ID, scope information, and a redirect URL).
5. The OAuth Identity Provider displays a login page.
6. The user enters a user name and password into the OAuth Identity Provider login page and gives consent to the Identity Provider to provide the user's profile attributes to the Mobile and Social server (and, by extension, the client application).
7. The OAuth Identity Provider sends an authorization code to the Mobile and Social server.
8. The Mobile and Social server sends an Access Token request to the OAuth Identity Provider.
   Included in the request are the authorization code received in the previous step, the OAuth Client ID, and the client credential.
9. The OAuth Identity Provider returns an Access Token to the Mobile and Social server.
10. The Mobile and Social server caches the Access Token (with the User ID and the OAuth Client ID) and forwards the Access Token to the client application.
11. The client application uses the Access Token to access the protected resource and returns the protected page to the user's browser.
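The relying-party side of the OAuth 2.0 variant of this flow (steps 3, 4 and 7 through 10), as an added Python example that is not Mobile and Social's own code. The IdP endpoint URLs, the `fake_token_endpoint` stand-in and the injectable `token_exchange` callable are assumptions so the example runs offline, and the `state` parameter is a defensive addition that the page's description does not mention.

```python
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical IdP endpoints; a real deployment uses the provider's published URLs.
AUTHZ_ENDPOINT = "https://idp.example/oauth/authorize"
TOKEN_ENDPOINT = "https://idp.example/oauth/token"


class RelyingParty:
    """Server-side relying party (the Mobile and Social role in the flow above)."""

    def __init__(self, client_id, client_secret, redirect_uri, token_exchange):
        self.client_id, self.client_secret = client_id, client_secret
        self.redirect_uri = redirect_uri
        self.token_exchange = token_exchange  # callable(url, form) -> token response dict
        self.cache = {}    # (user_id, client_id) -> (access_token, expires_at), as in step 10
        self.pending = {}  # state -> user_id for callbacks we are still expecting

    def get_access_token(self, user_id, scope):
        """Steps 3-4: serve from cache, else return the URL that starts authorization."""
        entry = self.cache.get((user_id, self.client_id))
        if entry and entry[1] > time.time():
            return "token", entry[0]
        # 'state' (an addition to the page's flow) ties the callback to this request.
        state = secrets.token_urlsafe(16)
        self.pending[state] = user_id
        params = {"response_type": "code", "client_id": self.client_id,
                  "redirect_uri": self.redirect_uri, "scope": scope, "state": state}
        return "redirect", AUTHZ_ENDPOINT + "?" + urlencode(params)

    def handle_callback(self, callback_url):
        """Steps 7-10: accept the code, exchange it with client credentials, cache."""
        q = parse_qs(urlparse(callback_url).query)
        user_id = self.pending.pop(q.get("state", [""])[0], None)
        if user_id is None:
            raise ValueError("unknown or reused state; code ignored")
        form = {"grant_type": "authorization_code", "code": q["code"][0],
                "redirect_uri": self.redirect_uri,
                "client_id": self.client_id, "client_secret": self.client_secret}
        resp = self.token_exchange(TOKEN_ENDPOINT, form)
        self.cache[(user_id, self.client_id)] = (resp["access_token"],
                                                 time.time() + resp["expires_in"])
        return resp["access_token"]


def fake_token_endpoint(url, form):
    """Constructed stand-in for the IdP token endpoint so the example runs offline."""
    if form.get("client_secret") != "s3cret" or form.get("code") != "authz-code-1":
        raise PermissionError("invalid_client or invalid_grant")
    return {"access_token": "AT-xyz", "token_type": "Bearer", "expires_in": 3600}
```

A second call to `get_access_token` for the same user hits the cache and skips the authorization round trip, which is the step-10 shortcut the text describes.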