
OAuth2.0 - Client Credentials Extension Knowledge Points

Author: JIYIK Last Updated: 2025/03/17

In this article, we continue from the earlier article on how OAuth2.0 issues access tokens and introduce several related knowledge points that involve client credentials:

  • Obtain end-user authorization
  • Authorization Response
  • Error Responses and Error Codes

Let’s take a look at each of them.

Obtain end-user authorization

The authorization endpoint is the URL on the authorization server that receives authorization requests. In practice it corresponds to the authorization login page, where the resource owner signs in and grants the client application access to their data.

The process involves three endpoints:

  • Authorization endpoint
  • Redirect endpoint
  • Token endpoint

Authorization endpoint

The authorization endpoint is where the resource owner interacts with the authorization server. The user reaches the resource owner's resources through a client application. Before any authorization login can take place, the client application must register a redirect URI (what we usually call a callback address) with the authentication service. When the redirect URI (Uniform Resource Identifier) is registered, the authentication service issues the client application a client ID and a client secret, which together uniquely identify that client application. The user then logs in on the authorization server through the client application; this login page is the authorization endpoint. After a successful login, the authorization endpoint redirects the user to the registered redirect URI and hands over an authorization code.

OAuth2.0 - Authorization Endpoint

Redirect endpoint

The user's browser lands on the page at the redirect URI (Uniform Resource Identifier) in the client application. The client application then sends the client ID, the client secret, and the authorization code obtained in the previous step to the authorization server.

OAuth2.0 - Authorization Endpoint - Return Authentication Code

Token endpoint

At this point, the client application sends the client ID, client secret, and authorization code to the authentication service in exchange for an access token.

OAuth2.0 - Token Endpoint - Return Access Token

The client application passes the resulting token on to the user. With the token in hand, the user can present it to the resource service they want to access, such as Google or WeChat, and reach the resources in that system that belong to the logged-in user.
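To make the three endpoints concrete, here is an added client-side example (not code from the original article or from any particular OAuth library). It builds the request sent to the authorization endpoint, validates what comes back at the redirect endpoint, and prepares the request to the token endpoint. The endpoint URLs, client ID, client secret and redirect URI are constructed placeholders, and the client secret is sent in an HTTP Basic header rather than the form body, which is an assumption about how the authorization server authenticates clients. The `state` check is what ties the redirect back to the session that started it, so a redirect the client never asked for is rejected.

```python
import base64
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed placeholders for this example; not real endpoints or credentials.
AUTHORIZE_ENDPOINT = "https://auth.example.com/oauth/authorize"
TOKEN_ENDPOINT = "https://auth.example.com/oauth/token"
CLIENT_ID = "app-123"
CLIENT_SECRET = "s3cret"
REDIRECT_URI = "https://client.example.com/callback"


def new_state():
    """Unpredictable per-session value; store it server-side before redirecting."""
    return secrets.token_urlsafe(16)


def build_authorization_url(state, scope="profile"):
    """Step 1: the URL the user is sent to at the authorization endpoint."""
    params = {
        "response_type": "code",      # we want an authorization code back
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,  # must match the URI registered at onboarding
        "scope": scope,
        "state": state,
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def extract_authorization_code(redirect_url, expected_state):
    """Step 2: the redirect endpoint parses the query string the server sent back."""
    query = parse_qs(urlparse(redirect_url).query)
    if "error" in query:
        description = query.get("error_description", [""])[0]
        raise RuntimeError(f"authorization failed: {query['error'][0]} {description}".strip())
    returned_state = query.get("state", [None])[0]
    # Constant-time comparison; a missing or foreign state means this redirect
    # was not started by our session and must not be honoured.
    if returned_state is None or not secrets.compare_digest(
        returned_state.encode(), expected_state.encode()
    ):
        raise ValueError("state mismatch: response does not belong to this session")
    code = query.get("code", [None])[0]
    if code is None:
        raise ValueError("authorization response carries no code")
    return code


def build_token_request(code):
    """Step 3: headers and body for the token endpoint (form-urlencoded, as the spec requires)."""
    body = urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
    })
    # Client ID and secret travel in an HTTP Basic header (assumed server setup).
    basic = base64.b64encode(f"{CLIENT_ID}:{CLIENT_SECRET}".encode()).decode()
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "Authorization": f"Basic {basic}",
    }
    return headers, body


if __name__ == "__main__":
    state = new_state()
    print("redirect user to:", build_authorization_url(state))
    # Simulated redirect back from the authorization server (constructed input).
    code = extract_authorization_code(f"{REDIRECT_URI}?code=abc123&state={state}", state)
    headers, body = build_token_request(code)
    print("POST", TOKEN_ENDPOINT, headers, body)
```

The body is sent with an HTTP client of your choice as a POST to `TOKEN_ENDPOINT`; the example stops at building the request so it runs offline.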


Authorization Response

The authorization response delivers the authorization code that the client later exchanges for an access token giving access to the owner's resources in the system. The access token is issued by the authorization server to the client once it receives the client ID, client secret, and authorization code from the client application.

The authorization server issues the authorization code in its response to the authorization request, with the following parameters:

  • code - A required parameter carrying the authorization code generated by the authorization server. The authorization code is valid for up to 10 minutes and may be used only once. If the client application uses the same authorization code more than once, the authorization server rejects the request and revokes all tokens previously issued on the basis of that authorization code.
  • state - A required parameter whenever the state parameter was included in the authorization request; the server echoes it back unchanged.

The authorization server returns the authorization code to the client application in the following format:

application/x-www-form-urlencoded

This is the default MIME type for form submissions. Control names and values are escaped, space characters are replaced with '+' signs, and key-value pairs are separated by '&'.


Error Responses and Codes

If an error occurs during authorization, the authorization server responds with an HTTP 400 or 401 status code, corresponding to two possible cases. In the first case, the client was not identified, or it was identified but something else about the request was wrong. In the second case, the client was identified correctly but something else failed. In either case, an error response is sent back to the client with the following fields:

  • error - One of a set of predefined error codes.
  • error_description - An optional human-readable description of the error, in the language given by the Content-Language header, intended for developers rather than end users.
  • error_uri - An optional link to a human-readable web page with more information about the error, to help in resolving the issue.

400 Error

The following table lists the 400 errors and their descriptions.

Error                      Description
unsupported_over_http      OAuth 2.0 only supports HTTPS calls.
version_rejected           An unsupported version of OAuth was provided.
parameter_absent           A required parameter is missing from the request.
parameter_rejected         The given parameter was too long.
invalid_client             Invalid client ID.
invalid_request            Invalid request parameters.
unsupported_response_type  The response type provided does not match this particular request.
unsupported_grant_type     The grant type provided does not match this particular request.
invalid_param              Invalid request parameter provided.
unauthorized_client        The client is not authorized to perform this operation.
access_denied              The resource owner denied the authorization request.
server_error               Unexpected error.

401 Error

The following table lists the 401 errors and their descriptions.

Error                  Description
token_expired          The token provided has expired.
invalid_token          The token provided is invalid.
invalid_callback       The URI provided with the request does not match the consumer key.
invalid_client_secret  The client secret provided is invalid.
invalid_grant          The token provided has expired or is invalid.

The error responses and codes above are those defined in the documentation. Actual implementations may differ, but each should document the codes it uses.
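The following is an added example of the server side, written for this article and not code from the original or from any real authorization server. It covers two passages at once: the authorization-response rules above (the code is single-use, expires after 10 minutes, and reuse revokes every token minted from it) and the error response format (HTTP 400 or 401 with `error`, `error_description` and `error_uri`). The error codes and their status classes are taken from the two tables above; the client registry, the `error_uri` base and the clock injection are assumptions made so the example runs offline and expiry can be tested deterministically.

```python
import secrets
import time
from dataclasses import dataclass, field
from urllib.parse import urlencode, urlparse, parse_qs

CODE_LIFETIME = 600  # seconds: the 10-minute maximum lifetime of an authorization code


@dataclass
class CodeRecord:
    client_id: str
    redirect_uri: str
    issued_at: float
    used: bool = False
    tokens: list = field(default_factory=list)  # access tokens minted from this code


class AuthorizationServer:
    """Toy in-memory authorization server (constructed for this example)."""

    def __init__(self, clients, clock=time.time):
        self.clients = clients      # client_id -> client_secret, registered at onboarding (assumed)
        self.codes = {}             # code -> CodeRecord
        self.active_tokens = set()  # tokens the resource server would currently accept
        self.clock = clock          # injectable so expiry is testable without waiting

    def authorization_response(self, client_id, redirect_uri, state=None):
        """Redirect back to the client after the resource owner approved the request."""
        code = secrets.token_urlsafe(32)
        self.codes[code] = CodeRecord(client_id, redirect_uri, self.clock())
        params = {"code": code}
        if state is not None:  # state is echoed back whenever the request carried one
            params["state"] = state
        return f"{redirect_uri}?{urlencode(params)}"  # application/x-www-form-urlencoded query

    @staticmethod
    def _error(status, error, description):
        """Error body with the three fields from the article; error_uri base is assumed."""
        return status, {
            "error": error,
            "error_description": description,
            "error_uri": f"https://auth.example.com/docs/errors/{error}",
        }

    def _revoke(self, record):
        for token in record.tokens:
            self.active_tokens.discard(token)

    def token_response(self, client_id, client_secret, code, redirect_uri):
        """Token endpoint: returns (http_status, json_body)."""
        if not all([client_id, client_secret, code, redirect_uri]):
            return self._error(400, "parameter_absent", "a required parameter is missing")
        secret = self.clients.get(client_id)
        if secret is None:
            return self._error(400, "invalid_client", "unknown client ID")
        if not secrets.compare_digest(secret.encode(), client_secret.encode()):
            return self._error(401, "invalid_client_secret", "client secret does not match")
        record = self.codes.get(code)
        if record is None or record.client_id != client_id:
            return self._error(401, "invalid_grant", "authorization code is invalid")
        if record.used:
            # Second presentation of the same code: reject and revoke everything it produced.
            self._revoke(record)
            del self.codes[code]
            return self._error(401, "invalid_grant", "authorization code already used; tokens revoked")
        if self.clock() - record.issued_at > CODE_LIFETIME:
            del self.codes[code]
            return self._error(401, "invalid_grant", "authorization code has expired")
        if record.redirect_uri != redirect_uri:
            return self._error(401, "invalid_callback", "redirect URI does not match the one registered")
        record.used = True
        token = secrets.token_urlsafe(32)
        record.tokens.append(token)
        self.active_tokens.add(token)
        return 200, {"access_token": token, "token_type": "Bearer", "expires_in": 3600}


def code_from_redirect(url):
    """What the client's redirect endpoint would pull out of the query string."""
    return parse_qs(urlparse(url).query)["code"][0]


if __name__ == "__main__":
    server = AuthorizationServer({"app-123": "s3cret"})  # constructed client registration
    redirect = server.authorization_response("app-123", "https://client.example.com/callback", state="xyz")
    code = code_from_redirect(redirect)
    print(server.token_response("app-123", "s3cret", code, "https://client.example.com/callback"))
    print(server.token_response("app-123", "s3cret", code, "https://client.example.com/callback"))  # reuse
```

Run it twice against the same code and the second call returns the 401 `invalid_grant` body while the first token disappears from `active_tokens`, which is the behaviour the article describes for a replayed authorization code.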
