About OAuth 2.0 - SSO

About OAuth 2.0

OAuth 2.0 is an authorization protocol that is widely used to grant access to user information held by social media services. SSO Server uses it to identify users by their social media accounts, provided that the user authorizes this.

OAuth 2.0 is described in RFC-6749. It defines a process by which a client obtains access to a resource owner's information on a Resource Server, as authorized by the resource owner. In the scope of this document the resource owner is always an end-user. RFC-6749 leaves many implementation details open (for example how the client learns who the authenticated user is, or in what format the Resource Server answers), so it must be complemented by other specifications. For the implemented use cases these details are filled in by the OpenID Connect Core 1.0 specification.

The Ubisecure OAuth 2.0 Client is implemented specifically to enable authentication for users of certain social media services, and the protocols are implemented from this standpoint. Not all data interchange formats and protocols are supported for now, so certain resource servers must be parameterized to return user information in the currently supported JSON format.


The OAuth 2.0 Authorization Code flow proceeds as follows:

  1. The OAuth 2.0 client (SSO Server) redirects the Resource Owner (the end-user) to the Authorization Server's Authorization Endpoint to authenticate.
  2. The Resource Owner authenticates and either authorizes or refuses the client's request to access his or her resources.
  3. The Resource Owner's user agent is redirected back to the Client's Redirection Endpoint with an authorization code, which the Client then presents to the Authorization Server's Token Endpoint to request an access token.
  4. If the Client's request is approved, the Token Endpoint returns an access token, which the Client then uses to retrieve the Resource Owner's information from the Resource Server.

The Client binds the authorization request to the end-user's session with the state parameter and verifies it when the user agent returns (RFC-6749, section 10.12), and the Authorization Server only redirects to the Redirection Endpoint registered for the client and accepts each authorization code once. These checks are what prevent a forged or replayed callback from logging a victim in with someone else's account.
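The four steps above as one runnable exchange, written here as an added example and not code from the page or from the Ubisecure product. Both the client and the authorization/resource server are simulated in memory so it runs offline; the client identifier, secret, endpoint URLs, the subject "alice" and the claims returned are all constructed values. It also shows the JSON claims object the client gets back from the protected resource, and exercises the failure cases the text's checks exist for: a denied request, a tampered state value on the callback, and a replayed authorization code.

```python
"""Constructed walk-through of the OAuth 2.0 authorization code flow (RFC 6749
section 4.1). Client and authorization/resource server are both simulated in
memory; nothing here talks to a network. All identifiers are constructed."""
import hmac
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed configuration (assumptions, not values from the page).
CLIENT_ID = "sso-client"
CLIENT_SECRET = "constructed-client-secret"
REDIRECT_URI = "https://sso.example.test/oauth2/callback"
AUTHZ_ENDPOINT = "https://as.example.test/authorize"


class AuthorizationServer:
    """Minimal in-memory authorization server plus a UserInfo-style protected resource."""

    def __init__(self):
        # Registered client -> secret and the one exact redirect URI it may use.
        self.clients = {CLIENT_ID: {"secret": CLIENT_SECRET, "redirect_uri": REDIRECT_URI}}
        self.codes = {}    # authorization code -> what it was issued for
        self.tokens = {}   # access token -> subject

    def authorize(self, auth_url, subject, approve=True):
        """Step 1-2: authorization endpoint. The resource owner (subject) has
        authenticated; returns the redirect URL sent back through the user agent."""
        q = parse_qs(urlparse(auth_url).query)
        client = self.clients.get(q["client_id"][0])
        if client is None or client["redirect_uri"] != q["redirect_uri"][0]:
            raise ValueError("unknown client or redirect_uri mismatch")
        if not approve:
            return client["redirect_uri"] + "?" + urlencode({"error": "access_denied", "state": q["state"][0]})
        code = secrets.token_urlsafe(24)
        self.codes[code] = {"sub": subject, "client_id": q["client_id"][0], "redirect_uri": q["redirect_uri"][0]}
        return client["redirect_uri"] + "?" + urlencode({"code": code, "state": q["state"][0]})

    def token(self, form, basic_auth):
        """Step 3-4: token endpoint. Authenticates the client, then redeems a
        code only once and only for the client and redirect_uri it was issued to."""
        cid, csec = basic_auth
        client = self.clients.get(cid)
        if client is None or not hmac.compare_digest(csec, client["secret"]):
            return {"error": "invalid_client"}
        grant = self.codes.pop(form.get("code"), None)   # pop makes the code single-use
        if (form.get("grant_type") != "authorization_code" or grant is None
                or grant["client_id"] != cid or grant["redirect_uri"] != form.get("redirect_uri")):
            return {"error": "invalid_grant"}
        tok = secrets.token_urlsafe(32)
        self.tokens[tok] = grant["sub"]
        return {"access_token": tok, "token_type": "Bearer"}

    def userinfo(self, authorization_header):
        """Protected resource: claims about the end-user as a JSON object, for a valid bearer token."""
        scheme, _, tok = authorization_header.partition(" ")
        sub = self.tokens.get(tok) if scheme == "Bearer" else None
        if sub is None:
            return 401, ""
        return 200, json.dumps({"sub": sub, "email": f"{sub}@example.test"})


class Client:
    """The OAuth 2.0 client role (what SSO Server plays in the text)."""

    def __init__(self, server):
        self.server = server
        self.pending = {}   # state values issued for sessions still waiting for a callback

    def start(self):
        """Step 1: build the authorization request, bound to this session by state."""
        state = secrets.token_urlsafe(16)
        self.pending[state] = True
        return AUTHZ_ENDPOINT + "?" + urlencode({"response_type": "code", "client_id": CLIENT_ID,
                                                 "redirect_uri": REDIRECT_URI, "scope": "openid email",
                                                 "state": state})

    def callback(self, redirect_url):
        """Steps 3-4: verify state, exchange the code, fetch the claims. Returns the claims dict or None."""
        q = parse_qs(urlparse(redirect_url).query)
        state = q.get("state", [None])[0]
        if state is None or not self.pending.pop(state, False):
            raise ValueError("state mismatch: forged or replayed callback")
        if "error" in q:
            return None                     # user refused, or the server reported an error
        resp = self.server.token({"grant_type": "authorization_code", "code": q["code"][0],
                                  "redirect_uri": REDIRECT_URI}, (CLIENT_ID, CLIENT_SECRET))
        if "access_token" not in resp:
            raise ValueError(resp.get("error", "token request failed"))
        status, body = self.server.userinfo("Bearer " + resp["access_token"])
        return json.loads(body) if status == 200 else None


def run_flow(approve=True, tamper_state=False):
    """End-to-end run; tamper_state simulates a callback whose state was not issued to this session."""
    server, client = AuthorizationServer(), None
    client = Client(server)
    redirect = server.authorize(client.start(), "alice", approve)
    if tamper_state:
        redirect = redirect.replace("state=", "state=x")
    return client.callback(redirect)


def tampered_state_rejected():
    try:
        run_flow(tamper_state=True)
    except ValueError:
        return True
    return False


def replayed_code_rejected():
    """A code that has already been redeemed must be refused a second time."""
    server = AuthorizationServer()
    client = Client(server)
    redirect = server.authorize(client.start(), "alice")
    code = parse_qs(urlparse(redirect).query)["code"][0]
    client.callback(redirect)               # first redemption succeeds
    second = server.token({"grant_type": "authorization_code", "code": code,
                           "redirect_uri": REDIRECT_URI}, (CLIENT_ID, CLIENT_SECRET))
    return second == {"error": "invalid_grant"}


if __name__ == "__main__":
    print(run_flow())                        # claims for alice as a JSON-derived dict
```

The server-side checks in token() (client authentication, exact redirect_uri match, single-use code bound to the client) and the client-side state check in callback() are the parts worth copying; a real deployment replaces the in-memory dictionaries with the Authorization Server's own HTTPS endpoints.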

Terms and Definitions

Client
    RFC-6749: An application making protected resource requests on behalf of the resource owner and with its authorization. The term "client" does not imply any particular implementation characteristics (e.g., whether the application executes on a server, a desktop, or other devices).

Resource Owner
    RFC-6749: An entity capable of granting access to a protected resource. When the resource owner is a person, it is referred to as an end-user.

Resource Server
    RFC-6749: The server hosting the protected resources, capable of accepting and responding to protected resource requests using access tokens.

Authorization Server
    RFC-6749: The server issuing access tokens to the client after successfully authenticating the resource owner and obtaining authorization.

Authorization Endpoint
    RFC-6749: Used by the client to obtain authorization from the resource owner via user-agent redirection.

Token Endpoint
    RFC-6749: Used by the client to exchange an authorization grant for an access token, typically with client authentication.

Redirection Endpoint
    RFC-6749: Used by the authorization server to return responses containing authorization credentials to the client via the resource owner user-agent.

UserInfo Endpoint
    OpenID Connect: The UserInfo Endpoint is an OAuth 2.0 Protected Resource that returns Claims about the authenticated End-User. To obtain the requested Claims about the End-User, the Client makes a request to the UserInfo Endpoint using an Access Token obtained through OpenID Connect Authentication. These Claims are represented as a JSON object that contains a collection of name and value pairs for the Claims.