This article describes the principles of OAuth 2.0 and how to configure OAuth 2.0 in Smart ID Digital Access component.
The purpose of OAuth 2.0 is to give applications limited and secure access to an HTTP resource on behalf of an end-user without exposing that user’s credentials to the application or the user’s device. OAuth 2.0 offers a way to limit what a specific client can access through “scopes”.
...
See Enable OAuth 2.0 authorization for Digital Access administration web service.

These are terms that are used in this article.

Authorization server
- The authorization server issues access tokens to the client after the resource owner has been authenticated and has authorized the client to access the requested resource scopes.
- In Digital Access component, this is the Policy Service (protected by and accessed through the Access Point), which exposes its services through two REST endpoints: /authorize and /token.

Resource server
- A resource server is an entity that stores a protected resource.
- In Digital Access component, this is the Access Point, even though it does not actually store any resource. As a reverse proxy it can seamlessly extend any resource with OAuth 2.0 access token validation without the resource needing any knowledge of OAuth 2.0.

Resource owner
- A resource owner is an entity that owns a specific resource (data) and is capable of granting a client access to that resource.
- In Digital Access component, this is a user, who can also be referred to as an ‘end-user’.

Client
- A client is an application that wants to access a protected resource on behalf of a resource owner. There are two types of clients in OAuth 2.0: confidential clients and public clients.
- A confidential client is a client that can keep a secret (for example, an application executing on a secure server).
- A public client is a client that cannot keep a secret (for example, a mobile device or web app).
- In order to get access to the resource, the client must first obtain a token through one of the token grant flows. A token gives access to a specific set of scopes that must be defined before registering a client.

Scope
- A scope refers to a collection of one or more resources that are protected by OAuth 2.0.

Access token
- An access token is issued to a client in order to allow that client to access one or more scopes on behalf of a specific resource owner.

Grant type
- A grant type is a way to obtain an access token.
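The roles defined above, modelled end to end as an added example that is not Digital Access code or its API: a minimal authorization server issues opaque bearer tokens bound only to the scopes registered for a client, and a reverse proxy in the Access Point's position validates the token and the scope required for the requested path before forwarding, so the backend resource itself never has to know about OAuth 2.0. Client identifiers, scope names and path-to-scope mappings are constructed sample values.

```python
import secrets
import time
from dataclasses import dataclass

@dataclass(frozen=True)
class TokenInfo:
    client_id: str
    subject: str          # the resource owner on whose behalf the client acts
    scopes: frozenset
    expires_at: float

class AuthorizationServer:  # issues opaque access tokens bound to scopes
    def __init__(self, registered_clients):
        self._clients = registered_clients   # client_id -> scopes defined for that client
        self._tokens = {}                    # opaque token -> TokenInfo

    def issue_token(self, client_id, subject, requested_scopes, ttl=300):
        permitted = self._clients.get(client_id)
        # Refuse unknown clients and any scope not defined for this client.
        if permitted is None or not set(requested_scopes) <= permitted:
            return None
        token = secrets.token_urlsafe(32)    # unguessable bearer token
        self._tokens[token] = TokenInfo(
            client_id, subject, frozenset(requested_scopes), time.time() + ttl)
        return token

    def introspect(self, token):
        info = self._tokens.get(token)
        if info is None or info.expires_at <= time.time():
            return None                      # unknown, revoked or expired
        return info

class AccessPointProxy:  # reverse proxy: validates token and scope, then forwards
    def __init__(self, auth_server, path_scopes):
        self._auth = auth_server
        self._path_scopes = path_scopes      # path prefix -> scope required to reach it

    def handle(self, method, path, headers):
        auth = headers.get("Authorization", "")
        if not auth.startswith("Bearer "):
            return 401, "missing bearer token"
        info = self._auth.introspect(auth[len("Bearer "):])
        if info is None:
            return 401, "invalid or expired token"
        required = next((s for p, s in self._path_scopes.items() if path.startswith(p)), None)
        if required is None or required not in info.scopes:
            return 403, "insufficient_scope"  # valid token, wrong scope; unmapped paths denied
        # The backend receives an ordinary request and needs no OAuth 2.0 knowledge.
        return 200, f"forwarded {method} {path} on behalf of {info.subject}"
```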
...