A Basic Comprehensive Application to Understand OAuth2.0 Authorization Code Grant Type.......



Image result for OAuth



There are few steps in OAuth we have to follow ....

Step 1 >>  Authorization Code Link

First user is given authorization code link like this.

http://localhost:8081/auth/oauth/authorize?response_type=code&client_id=CLIENT_ID
&redirect_uri=CALLBACK_URL&scope=write

Here is an explanation of the link components:
  • https://cloud.digitalocean.com/v1/oauth/authorize: the API authorization endpoint
  • client_id=client_id: the application's client ID (how the API identifies the application)
  • redirect_uri=CALLBACK_URL: where the service redirects the user-agent after an authorization code is granted
  • response_type=code: specifies that your application is requesting an authorization code grant
  • scope=write: specifies the level of access that the application is requesting.

Step 2 >> User Authorizes Application


When the user clicks the link, they must first log in to the service, to authenticate their identity (unless they are already logged in). Then they will be prompted by the service to authorize or deny the application access to their account. Here is an example authorize application prompt:

Step 3 >> Application Receives Authorization Code


If the user clicks "Authorize Application", the service redirects the user-agent to the application redirect URI, which was specified during the client registration, along with an authorization code. 

http://localhost:9999/oauth/access/?code=AUTHORIZATION_CODE

Step 4 >> Application Requests Access Token

The application requests an access token from the API, bypassing the authorization code along with
 authentication details, including the client secret, to the API token endpoint.

Here is an example POST request to Cyber Techies token endpoint:

 http://localhost:8081/auth/oauth/token?client_id=CLIENT_ID
   &client_secret=CLIENT_SECRET
     &grant_type=authorization_code&code=AUTHORIZATION_CODE
       &redirect_uri=CALLBACK_URL

Step 5>>  Application Receives Access Token

If the authorization is valid, the API will send a response containing the access token (and optionally, a refresh token) to the application. The entire response will look something like this:

{"access_token":"ACCESS_TOKEN",
"token_type":"bearer",
"expires_in":5184000,
"refresh_token":"REFRESH_TOKEN",
"scope":"read","uid":415478911,
"username":{"name":"chathu",
 "password":"ABC123"}}

Using this token we can take granted information as a user. this token will expire after 60 days.user can only read the information.


How it works in real application?


How i'm going to access my Facebook account using third party application called bunny cyber tach.

I'm using tomcat server site and used spring boot to run my Authorization server, resource server and client app. 

Authorization server >> localhost:8081
Resource server >> localhost:8082
Client app >> localhost:9999

In client app there is option call login with facebook. so we can click that option.


After clicking login  with facebook it will redirect another page.  It ask user name and password. In that we have to give user name and password.

Then it redirect in to another page it ask OAuth approval. In that we can click the approval button.




After  clicking approval it gives the authorization code in url.

Now we have authorization code. so using that code we can take thae access token. In that I used the another application for help it call ' REST_CLIENT'.

First, type you're the URL like given below for your token and make it as post request. After that, you need to add two headers.




Using base64 we have to encode the client Id and authorization code (CLIENTID+CLIENT CREDENTIAL).


After that in rest_client add the encoded as body and click send.


Then it ask the user it and the password since giving that we can take the Access-token. Using access token we can access the resources.


make the resource request to the resource server. that HTTP GET request header should have token type and value.Give your URL and make it as getting request and add a header as Authorization and make it as value Barer 'Access Token'.
Now You will get the requested resources from resources server. change the id to view all resources.
sample request


Yuu can get the code to click here


Comments

Popular posts from this blog

How to hack windows 2000 using nessus.....

Crypt-analysis

OpenID Connect Introduction