OAuth 2.0 defines a protocol for securing application access to protected resources by issuing access tokens to clients of Representational State Transfer (REST) APIs (and non-REST APIs). Rather than the client directly authenticating to the API using credentials, or the credentials of a user, OAuth enables the client to authenticate by presenting a previously obtained token. The token represents (or contains) a set of attributes and/or policies appropriate to the client and the user. These tokens present less of a security and privacy risk than using secrets (or passwords) directly on the API call. The attributes are used by the API to authenticate the call and authorize access.
Participants
- Client: Wants access to a resource protected by a resource server and interacts with an authorization server to obtain access tokens.
- Resource server (RS): Hosts and protects resources and makes them available to properly authenticated and authorized clients.
- Authorization server (AS): Issues access tokens and refresh tokens to clients on behalf of the resource servers.
- Resource owner (RO): Denies, grants, or revokes authorization to a client requesting access to resources protected by the resource servers. The RO is the end user.
Tokens
- Access token: Allows clients to authenticate to a resource server and claim authorizations for accessing particular resources. Access tokens have a specific authorization scope and duration.
- Refresh token: Allows clients to obtain a fresh access token without re-obtaining authorization from the resource owner. It is a long-lived token that a client can trade in to an authorization server to obtain a new (short-lived) access token (with the same attached authorizations as the existing access token).
PingFederate OAuth AS
Based on the Internet Engineering Task Force (IETF) OAuth 2.0 Authorization Framework (tools.ietf.org/html/rfc6749), the OAuth AS in PingFederate supports a wide variety of different interaction models appropriate for different types of clients such as a server, a desktop application, or an application on a phone or a tablet. As needed, administrators can also enable cross-origin resource sharing (CORS) support for OAuth endpoints.