Let’s try to understand the authorization flow, so that the authorization code, the access token and the relation between them become clear.

There are 4 components/parties involved in the authorization flow:
• User or user agent
• Requester/Client (Application), which wants to access a service on behalf of the user.
• Authorization Server (OAuth Provider; it may be the same as the IdP), which issues tokens after authentication & authorization.
• Service Provider (Resource Server, API, or Protected Service), which provides the actual service.

Let’s look at the details.

The user uses a user agent (in most cases a browser) to initiate the flow. The user agent redirects the user to the authorization server for authentication. If authentication succeeds, the authorization server provides an authorization code. This is a temporary secret. In this step the client_ID and redirect URL are provided so that the authorization server can validate that the request comes from a legitimate client.

The goal is to get an access token to access the actual service or API. To get an access token, the client exchanges the authorization code, along with its client ID and client secret, by calling an API endpoint of the authorization server with an HTTP POST request. The authorization server validates the request and issues an access token. The access token can be opaque or a JWT.

Now, to call the actual service or API, the client includes the access token in the Authorization header as a bearer token. The service provider verifies the access token. If the token is a JWT, the service provider can verify it locally using the public key of the authorization server. If the token is opaque (a random string), the service provider must call the authorization server to verify it. If the token is valid and includes the right permissions (scopes), the service provider grants access to the requested service.

From a security point of view, even if an attacker intercepts the authorization code, they cannot exchange it for an access token, because they do not have the client credentials. If an attacker manages to steal the access token, they can access the service until the token expires. To mitigate this risk, access tokens are designed to be short-lived, which limits the window of misuse.

Hope this clarifies the flow and usage of the authorization code and access token. Additionally, security best practices such as token encryption, secure storage, and refresh token rotation should be implemented to further protect access tokens.
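The flow described above, as an added in-memory model (example code written for this page, not from the video or any OAuth library): the authorization server binds a one-time code to the client_id and redirect URL, redeems it only against the correct client secret, issues a short-lived opaque token, and the resource server verifies that token by introspection before enforcing scopes. The class and method names are assumptions, and a confidential client that can hold a secret is assumed, as in the description.

```python
import secrets

class AuthorizationServer:
    def __init__(self, clients):
        self.clients = clients  # client_id -> {"secret": ..., "redirect_uri": ...}
        self.codes = {}         # code -> (client_id, redirect_uri, scope)
        self.tokens = {}        # token -> {"scope": ..., "exp": ...}

    def authorize(self, client_id, redirect_uri, scope):
        """Front channel: after user authentication, issue a one-time code bound to the client."""
        client = self.clients.get(client_id)
        if client is None or client["redirect_uri"] != redirect_uri:
            raise PermissionError("unknown client or redirect_uri mismatch")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, redirect_uri, scope)
        return code

    def token(self, code, client_id, client_secret, redirect_uri, now, ttl=300):
        """Back channel (HTTP POST): redeem the code with client credentials for a short-lived token."""
        client = self.clients.get(client_id)
        if client is None or not secrets.compare_digest(client["secret"], client_secret):
            raise PermissionError("invalid client credentials")
        bound = self.codes.pop(code, None)  # pop: a code is redeemable only once
        if bound is None or bound[0] != client_id or bound[1] != redirect_uri:
            raise PermissionError("invalid or already used code")
        token = secrets.token_urlsafe(32)
        self.tokens[token] = {"scope": bound[2], "exp": now + ttl}
        return token

    def introspect(self, token, now):
        """Endpoint the resource server calls to verify an opaque token."""
        meta = self.tokens.get(token)
        if meta is None or now >= meta["exp"]:
            return {"active": False}
        return {"active": True, "scope": meta["scope"]}

class ResourceServer:
    def __init__(self, auth_server):
        self.auth_server = auth_server

    def handle(self, authorization_header, required_scope, now):
        """Verify the bearer token by introspection, then enforce the scope."""
        scheme, _, token = authorization_header.partition(" ")
        if scheme != "Bearer" or not token:
            return 401
        info = self.auth_server.introspect(token, now)
        if not info["active"]:
            return 401
        if required_scope not in info["scope"].split():
            return 403
        return 200
```

Redeeming an intercepted code with the wrong secret fails before the code is consumed, so the legitimate client can still complete the exchange, and the token stops working once `now` passes its expiry.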