OAuth 2.0

OAuth 2.0 is an open standard for delegated authorization. The OAuth 2.0 authorization framework enables a user, the resource owner, to grant a third-party client application access to information that is stored on an HTTP resource server without sharing the resource owner’s credentials.

The following roles are defined in the OAuth 2.0 specification.

  • Client: The application that requests access to a protected resource on behalf of the resource owner.
  • Resource owner: The entity that grants access to the protected resource. It is normally an end user.
  • Authorization server: The server that authenticates the resource owner and issues the access tokens.
  • Resource server: The server that hosts the protected resources.

OAuth 2.0 uses access tokens to provide authorization. An access token represents the authorization to access a resource on behalf of the resource owner. OAuth 2.0 defines four different flows that can be used to provide an access token. These flows are called grant types. Each grant type is designed for a specific use case.

  • Authorization code flow
  • Client credentials flow
  • Resource owner password flow
  • Implicit flow

The following diagram shows a typical OAuth 2.0 flow for a grant type of authorization code. For further details on using the authorization code flow in CICS® Liberty, see Configuring OAuth 2.0 for authorization.

Figure 1. OAuth 2.0 flow
A flow diagram that shows steps involved in the OAuth 2.0 flow. Each step is described in the following text.
  1. The resource owner sends a request to the client application.
  2. The client application redirects the request to the authorization server for authorization.
  3. The authorization server sends an authentication and authorization request to the resource owner.
  4. The resource owner authenticates and authorizes the client application to access the resource.
  5. The authorization server sends an authorization code to the client application.
  6. The client application sends a request to the authorization server to exchange the authorization code for an access token.
  7. The authorization server sends the access token to the client application.
  8. The client application makes the request to the resource server with the access token. The resource server validates the token to verify the authorization that was granted to the client application to access the resource.
  9. The response is sent from the resource server to the client application.
  10. The response is sent from the client application to the resource owner.
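The following Python program is an added example that walks through steps 1 to 10 above with all three server-side roles in one process; it is not code from CICS Liberty or from the OAuth 2.0 specification. The client id, client secret, redirect URI, scope and user name are constructed example values, and the resource server is assumed to share the authorization server's token store rather than calling a separate introspection endpoint. The example shows the checks each party makes that the numbered steps leave implicit: the authorization code is bound to the client and redirect URI, expires quickly and is consumed on first use; the client verifies the state value before exchanging the code; and the resource server accepts only an unexpired bearer token (RFC 6750) with the required scope.

```python
import secrets
import time

# Constructed in-memory simulation of steps 1-10 above. Client id, secret,
# redirect URI, scope and user are assumed example values, not CICS settings.

CODE_LIFETIME = 60     # seconds an authorization code stays valid
TOKEN_LIFETIME = 3600  # seconds an access token stays valid

class AuthorizationServer:
    def __init__(self):
        # Registered clients: client_id -> (client_secret, registered redirect URI)
        self.clients = {"demo-client": ("demo-secret", "https://client.example/callback")}
        self.codes = {}   # code -> binding to client, redirect URI, user, scope, expiry
        self.tokens = {}  # access_token -> user, scope, expiry

    def authorize(self, params, user):
        """Steps 3-5: resource owner has authenticated and consented; issue a code."""
        client_id, redirect_uri = params["client_id"], params["redirect_uri"]
        if redirect_uri != self.clients[client_id][1]:
            raise ValueError("redirect_uri does not match the registered value")
        code = secrets.token_urlsafe(32)  # short-lived and single-use, bound to the client
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                            "user": user, "scope": params["scope"],
                            "expires": time.time() + CODE_LIFETIME}
        # state is echoed unchanged so the client can tie this response to its request
        return {"code": code, "state": params["state"]}

    def token(self, grant_type, code, redirect_uri, client_id, client_secret):
        """Steps 6-7: exchange the code for an access token; the code is consumed."""
        if grant_type != "authorization_code":
            return {"error": "unsupported_grant_type"}
        record = self.codes.pop(code, None)  # popped even if the checks below fail
        if record is None or record["expires"] < time.time():
            return {"error": "invalid_grant"}
        registered = self.clients.get(client_id)
        if registered is None or not secrets.compare_digest(registered[0], client_secret):
            return {"error": "invalid_client"}
        if record["client_id"] != client_id or record["redirect_uri"] != redirect_uri:
            return {"error": "invalid_grant"}
        access_token = secrets.token_urlsafe(32)
        self.tokens[access_token] = {"user": record["user"], "scope": record["scope"],
                                     "expires": time.time() + TOKEN_LIFETIME}
        return {"access_token": access_token, "token_type": "Bearer",
                "expires_in": TOKEN_LIFETIME, "scope": record["scope"]}

class Client:
    def __init__(self, auth_server):
        self.auth_server = auth_server
        self.client_id, self.client_secret = "demo-client", "demo-secret"
        self.redirect_uri = "https://client.example/callback"
        self.pending_state = None

    def start_login(self):
        """Step 2: build the authorization request and remember its state value."""
        self.pending_state = secrets.token_urlsafe(16)
        return {"response_type": "code", "client_id": self.client_id,
                "redirect_uri": self.redirect_uri, "scope": "read",
                "state": self.pending_state}

    def handle_callback(self, params):
        """Steps 5-6: reject a callback whose state we did not issue, then exchange."""
        if self.pending_state is None or params.get("state") != self.pending_state:
            raise ValueError("state mismatch: response not bound to our request")
        self.pending_state = None
        return self.auth_server.token("authorization_code", params.get("code"),
                                      self.redirect_uri, self.client_id, self.client_secret)

class ResourceServer:
    def __init__(self, auth_server):
        self.auth_server = auth_server  # shares the token store with the AS (assumption)
        self.data = {"alice": "account summary for alice"}

    def get(self, headers):
        """Steps 8-9: serve only for a valid, unexpired bearer token (RFC 6750)."""
        scheme, _, token = headers.get("Authorization", "").partition(" ")
        if scheme != "Bearer" or not token:
            return 401, 'WWW-Authenticate: Bearer'
        info = self.auth_server.tokens.get(token)
        if info is None or info["expires"] < time.time():
            return 401, 'WWW-Authenticate: Bearer error="invalid_token"'
        if "read" not in info["scope"].split():
            return 403, 'WWW-Authenticate: Bearer error="insufficient_scope"'
        return 200, self.data[info["user"]]

def run_flow(user="alice"):
    """Drive steps 1-10 once, then try to replay the already consumed code."""
    auth_server = AuthorizationServer()
    client, resource_server = Client(auth_server), ResourceServer(auth_server)
    request = client.start_login()                      # steps 1-2
    callback = auth_server.authorize(request, user)     # steps 3-5
    token_response = client.handle_callback(callback)   # steps 6-7
    status, body = resource_server.get(                 # steps 8-10
        {"Authorization": "Bearer " + token_response["access_token"]})
    replay = auth_server.token("authorization_code", callback["code"],
                               client.redirect_uri, client.client_id, client.client_secret)
    return status, body, replay
```

Calling `run_flow()` returns the resource server's 200 response for the first, legitimate request together with the `invalid_grant` error from the second exchange, because the code was removed from the store when it was first redeemed. In a real deployment the client and the resource server would reach the authorization server over HTTPS, and the resource server would validate tokens by introspection or by verifying a signed token rather than by reading the issuer's store.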

For details on the standards, see RFC 6749 and RFC 6750.