OAuth2.0 - Client Credentials Extension Knowledge Points
In this article we continue from the article on how OAuth 2.0 issues access tokens and cover several related knowledge points involving client credentials:
- Obtain end-user authorization
- Authorization Response
- Error Responses and Error Codes
Let’s take a look at each of them.
Obtain end-user authorization
The authorization endpoint is the URL on the authorization server to which authentication requests are sent. In practice it is the authorization login page where the resource owner logs in and grants the client application access to their data.
Three endpoints are involved in this process:
- Authorization endpoint
- Redirect endpoint
- Token endpoint
Authorization endpoint
The authorization endpoint is used to interact with the resource owner. First, the user accesses the resource owner's resources through a client application. Before the authorization login can happen, the client application must register a redirect URI (what we usually call the callback address) with the authentication service. When the redirect URI (Uniform Resource Identifier) is registered, the authentication service issues the client application a client ID and a client secret, which together uniquely identify that client application. Next, the user logs in through the client application on the authorization server, which hosts the authorization endpoint. After a successful login, the authorization endpoint redirects the user to the registered redirect URI and supplies an authorization code.
Redirect endpoint
The user arrives at the page located at the redirect URI (Uniform Resource Identifier) in the client application. The client application then sends the client ID, client secret, and the authorization code obtained in the previous step to the authorization server.
Token endpoint
At this point, the client application sends the client ID, client secret, and authorization code to the authentication service in order to obtain an access token.
The client application then returns the token to the user. Once the user has the token, it can be presented to the resource service the user wants to access (for example Google or WeChat) to reach the resources in that system that belong to the logged-in user.
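The three steps above, seen from the client application's side, as an added example that is not part of the original article. The endpoint URLs, client ID, client secret and redirect URI are constructed values standing in for whatever the authorization server issued at registration; the example builds the authorization request, checks the redirect that comes back, and prepares the token request body.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed values: in a real deployment these come from registering the
# client with the authorization server (assumed hostnames, not real services).
AUTHORIZATION_ENDPOINT = "https://auth.example.test/authorize"
TOKEN_ENDPOINT = "https://auth.example.test/token"
CLIENT_ID = "demo-client-id"
CLIENT_SECRET = "demo-client-secret"
REDIRECT_URI = "https://app.example.test/callback"


def new_state() -> str:
    """Unguessable per-login value the client stores in the user's session."""
    return secrets.token_urlsafe(32)


def build_authorization_url(state: str, scope: str = "profile") -> str:
    """Step 1 (authorization endpoint): where the user is sent to log in."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,
    }
    return AUTHORIZATION_ENDPOINT + "?" + urlencode(params)


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Step 2 (redirect endpoint): extract the authorization code.

    The callback is rejected when its state does not match the value stored
    for this session (it was not started by this client for this user), when
    the server reported an error instead of a code, or when the code parameter
    is missing or repeated."""
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback is not tied to this session")
    if "error" in query:
        raise RuntimeError(f"authorization failed: {query['error'][0]}")
    codes = query.get("code", [])
    if len(codes) != 1:
        raise ValueError("callback must carry exactly one code")
    return codes[0]


def build_token_request(code: str):
    """Step 3 (token endpoint): exchange the code plus client credentials.

    Returns the headers and application/x-www-form-urlencoded body the client
    POSTs to TOKEN_ENDPOINT (over HTTPS only; the secret travels in the body)."""
    body = urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
    })
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return headers, body


if __name__ == "__main__":
    state = new_state()
    print(build_authorization_url(state))
    # Constructed callback, as the authorization server would redirect to it.
    code = parse_callback(f"{REDIRECT_URI}?code=abc123&state={state}", state)
    print(build_token_request(code))
```

The state check in `parse_callback` is what ties the code the server hands back to the login the user actually started; a callback carrying a different state is dropped before any token exchange happens.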
Authorization Response
The authorization response is used to obtain an access token, which in turn uses the authorization code to reach the owner's resources in the system. The authorization server provides the access token to the client once it has received the client ID, client secret, and authorization code sent by the client application.
The authorization server issues the authorization code in a response to the request, carrying the following parameters:
- code - Required. The authorization code generated by the authorization server. The code is valid for up to 10 minutes and can be used only once. If the client application uses the same authorization code more than once, the authorization server rejects the request and revokes all tokens previously issued on the basis of that code.
- state - Required if the authorization request included a state parameter; the server returns it unchanged.
The authorization server returns the authorization code to the client application using the following format:
application/x-www-form-urlencoded
This is the default MIME type for outgoing requests. The content must be encoded so that control names and values are escaped, space characters are replaced with '+' signs, name/value pairs are joined with '=' and separated by '&', and so on.
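The same rules seen from the authorization server's side, as an added example rather than code from the original article: a toy server that issues a code, sends it back as form-urlencoded `code` and `state` parameters, and at the token endpoint enforces the 10-minute lifetime, single use, and revocation of earlier tokens when a code is replayed. The clock is injectable so expiry can be exercised without waiting; the client registry, hostnames and secrets are constructed. Status codes follow RFC 6749 (401 when client authentication fails, 400 for a bad grant).

```python
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Optional
from urllib.parse import parse_qs, urlencode, urlparse

CODE_LIFETIME_SECONDS = 600  # the "up to 10 minutes" the text gives


@dataclass
class IssuedCode:
    client_id: str
    redirect_uri: str
    issued_at: float
    used: bool = False
    tokens: list = field(default_factory=list)  # access tokens minted from this code


class AuthorizationServer:
    """Toy authorization server (constructed for this example): issues codes
    and exchanges them for bearer tokens, tracking which tokens are live."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self.clock = clock
        self.clients: dict = {}        # client_id -> (client_secret, registered redirect_uri)
        self.codes: dict = {}          # code -> IssuedCode
        self.active_tokens: set = set()

    def register_client(self, client_id: str, client_secret: str, redirect_uri: str) -> None:
        self.clients[client_id] = (client_secret, redirect_uri)

    def authorization_response(self, client_id: str, state: Optional[str]) -> str:
        """Redirect sent after the resource owner approves: `code`, plus `state`
        echoed back unchanged when the request carried one, as form-urlencoded
        query parameters on the registered redirect URI."""
        _, redirect_uri = self.clients[client_id]
        code = secrets.token_urlsafe(24)
        self.codes[code] = IssuedCode(client_id, redirect_uri, self.clock())
        params = {"code": code}
        if state is not None:
            params["state"] = state
        return redirect_uri + "?" + urlencode(params)

    def token_response(self, client_id: str, client_secret: str, code: str, redirect_uri: str):
        """Token endpoint. Returns (http_status, json_body)."""
        known = self.clients.get(client_id)
        if known is None or not secrets.compare_digest(known[0], client_secret):
            return 401, {"error": "invalid_client"}
        rec = self.codes.get(code)
        if rec is None or rec.client_id != client_id or rec.redirect_uri != redirect_uri:
            return 400, {"error": "invalid_grant"}
        if rec.used:
            # Replayed code: reject, and revoke every token minted from it.
            for t in rec.tokens:
                self.active_tokens.discard(t)
            rec.tokens.clear()
            return 400, {"error": "invalid_grant",
                         "error_description": "authorization code already used; issued tokens revoked"}
        if self.clock() - rec.issued_at > CODE_LIFETIME_SECONDS:
            return 400, {"error": "invalid_grant", "error_description": "authorization code expired"}
        rec.used = True
        token = secrets.token_urlsafe(32)
        rec.tokens.append(token)
        self.active_tokens.add(token)
        return 200, {"access_token": token, "token_type": "Bearer"}

    def is_active(self, token: str) -> bool:
        """What a resource server would ask before honouring a bearer token."""
        return token in self.active_tokens


def code_from_redirect(url: str) -> str:
    """Pull the single `code` parameter out of a redirect URL."""
    return parse_qs(urlparse(url).query)["code"][0]


if __name__ == "__main__":
    srv = AuthorizationServer()
    srv.register_client("demo-client-id", "demo-client-secret", "https://app.example.test/callback")
    url = srv.authorization_response("demo-client-id", "xyz")
    code = code_from_redirect(url)
    print(srv.token_response("demo-client-id", "demo-client-secret", code, "https://app.example.test/callback"))
    print(srv.token_response("demo-client-id", "demo-client-secret", code, "https://app.example.test/callback"))
```

The second exchange of the same code in the `__main__` block is rejected, and the token from the first exchange is no longer active afterwards, which is the behaviour the text describes for a reused code.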
Error Responses and Codes
The authorization server responds with an HTTP 400 or 401 status code. If an error occurs during authorization, there are two possible cases. In the first, the client was not identified, or it was identified but something else was wrong. In the second, the client was correctly identified but something else failed. In either case, an error response is sent back to the client with the fields shown below:
- error_description - An optional human-readable description of the error, in the language given by the Content-Language header, intended for developers rather than end users.
- error_uri - An optional link to a human-readable web page with information about the error that can help in resolving the issue.
- error - One of a set of predefined error codes.
400 Error
The following table shows the 400 errors and their descriptions.

| Error | Description |
|---|---|
| unsupported_over_http | OAuth 2.0 only supports HTTPS calls. |
| version_rejected | An unsupported version of OAuth was provided. |
| parameter_absent | A required parameter is missing from the request. |
| parameter_rejected | The given argument was too long. |
| invalid_client | Invalid client ID. |
| invalid_request | Invalid request parameters. |
| unsupported_response_type | The response type provided does not match this particular request. |
| unsupported_grant_type | The grant type provided does not match this particular request. |
| invalid_param | Invalid request parameters provided. |
| unauthorized_client | The client is not authorized to perform certain operations. |
| access_denied | The resource owner denied the authorization request. |
| server_error | Unexpected error. |
401 Error
The following table shows the 401 errors and their descriptions.

| Error | Description |
|---|---|
| token_expired | The token provided has expired. |
| invalid_token | The token provided is invalid. |
| invalid_callback | The URI provided with the request does not match the consumer key. |
| invalid_client_secret | The client secret provided is invalid. |
| invalid_grant | The token provided has expired or is invalid. |

The error responses and codes above are as defined in the documentation. An actual implementation may differ from them, but it should document its own codes.
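How an authorization server would put these error responses together, as an added example that is not code from the original article. It validates an incoming authorization request against a constructed client registry and decides, per error, whether to redirect the user back to the client with `error`, `error_description`, `error_uri` and the echoed `state`, or to show the error directly. The direct case matters: when the client is unknown or the redirect URI does not match the registered one (the `invalid_callback` row above), redirecting would send the user and the error to an address the server has not verified. The client registry, hostnames, `ERROR_URI` and the `owner_approved` flag are constructed for the example.

```python
from typing import Optional, Tuple
from urllib.parse import urlencode

# Constructed client registry; a real server loads this from its own storage.
REGISTERED_CLIENTS = {
    "demo-client-id": {
        "redirect_uris": {"https://app.example.test/callback"},
        "grant_types": {"authorization_code"},
    },
}
SUPPORTED_RESPONSE_TYPES = {"code"}
ERROR_URI = "https://docs.example.test/oauth-errors"  # constructed placeholder


def validate_authorization_request(params: dict, owner_approved: bool = True) -> Tuple[int, Optional[str], dict]:
    """Check an authorization request and decide how any error is delivered.

    Returns (http_status, redirect_location, body). When redirect_location is
    None the error is rendered to the user directly, because the client is
    unknown or the redirect_uri is not the registered one; everything else is
    reported by redirecting to the registered URI with form-urlencoded
    error parameters. `owner_approved` stands in for the consent decision."""
    client = REGISTERED_CLIENTS.get(params.get("client_id", ""))
    if client is None:
        return 400, None, {"error": "invalid_client",
                           "error_description": "unknown client_id",
                           "error_uri": ERROR_URI}
    redirect_uri = params.get("redirect_uri")
    if redirect_uri not in client["redirect_uris"]:
        # Do not redirect: the supplied URI has not been verified for this client.
        return 400, None, {"error": "invalid_callback",
                           "error_description": "redirect_uri does not match the registered URI",
                           "error_uri": ERROR_URI}

    state = params.get("state")

    def redirect_error(code: str, description: str):
        query = {"error": code, "error_description": description, "error_uri": ERROR_URI}
        if state is not None:
            query["state"] = state  # echoed so the client can tie the error to its request
        return 302, redirect_uri + "?" + urlencode(query), {}

    response_type = params.get("response_type")
    if response_type is None:
        return redirect_error("parameter_absent", "response_type is required")
    if response_type not in SUPPORTED_RESPONSE_TYPES:
        return redirect_error("unsupported_response_type", f"response_type {response_type!r} is not supported")
    if "authorization_code" not in client["grant_types"]:
        return redirect_error("unauthorized_client", "client may not use the authorization code grant")
    if not owner_approved:
        return redirect_error("access_denied", "the resource owner denied the request")
    return 200, None, {"status": "ok", "client_id": params["client_id"]}


if __name__ == "__main__":
    good = {"client_id": "demo-client-id", "redirect_uri": "https://app.example.test/callback",
            "response_type": "code", "state": "s1"}
    print(validate_authorization_request(good))
    print(validate_authorization_request(dict(good, response_type="token")))
    print(validate_authorization_request(dict(good, redirect_uri="https://other.example.test/")))
```

Errors that reach the client by redirect carry the same three fields the text lists, encoded as query parameters in the application/x-www-form-urlencoded style used for the success response.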