[OAuth] Resource Owner != Client User

Date: : OAuth

I have been preaching this numerous times, but let me do it once more.

There seems to be a very common misperception that in OAuth the Resource Owner (the entity who gives permission for the resource access, aka “authorization”) and the user of the client at resource access time are the same. This is plainly wrong.

In OAuth, there are two distinct phases.

  • phase 1: Permission Phase
  • phase 2: Resource Access Phase

Permission Phase gets the access token to the (OAuth) client, while in Resource Access Phase, the client uses the access token to access the resource.

In “phase 1: Permission Phase”, the Resource Owner typically delivers the access token to the client either directly (e.g., implicit flow) or indirectly (e.g., code flow). The Resource Owner is present at both the authorization endpoint and the client’s redirection endpoint.

In “phase 2: Resource Access Phase”, the client accesses the protected resource using the access token. Many people seem to think of the user of this client as “Alice”, the resource owner. This is not correct. It could be anybody who controls the client. If and only if the client is used exclusively by Alice the resource owner can we safely assume that the user of the client is Alice. This is generally not true, especially when the client is a web service.

It is better to think of OAuth as Alice-to-Bob information sharing, where Bob is the controller/user of the client at the Resource Access Phase. There can be cases where Alice == Bob, but that is the exception.
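The two phases above, as an added toy model (not code from this post or from any OAuth library; the class and function names, the "photo-printer" client, the "photos.read" scope and the sample photo data are all constructed for illustration). It shows that the access token encodes the grant (client, resource owner, scope) and nothing about who operates the client later, so a resource server that only sees the token cannot tell Alice from Bob, and a "login" derived from the token is a misreading of it.

```python
# Toy model of OAuth's Permission Phase and Resource Access Phase.
# Added illustration; hypothetical names, not a real OAuth implementation.
import secrets
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional


@dataclass(frozen=True)
class Grant:
    """What an access token actually stands for: a client's permission to
    act on a resource owner's resources within a scope. Note what is NOT
    recorded here: the identity of whoever operates the client later."""
    client_id: str
    resource_owner: str
    scope: FrozenSet[str]


class AuthorizationServer:
    """Issues tokens in phase 1 and answers 'what does this token mean?'."""

    def __init__(self) -> None:
        self._tokens: Dict[str, Grant] = {}

    def authorize(self, resource_owner: str, client_id: str, scope: set) -> str:
        # Phase 1: the resource owner is present and consents. The token is
        # an opaque handle to the grant, delivered to the client.
        token = secrets.token_urlsafe(16)
        self._tokens[token] = Grant(client_id, resource_owner, frozenset(scope))
        return token

    def introspect(self, token: str) -> Optional[Grant]:
        return self._tokens.get(token)


class ResourceServer:
    """Holds each owner's protected resource and sees only the token."""

    def __init__(self, auth_server: AuthorizationServer) -> None:
        self._as = auth_server
        # Constructed sample data for the example.
        self._photos = {"alice": ["beach.jpg", "cat.jpg"]}

    def get_photos(self, token: Optional[str]) -> list:
        grant = self._as.introspect(token) if token else None
        if grant is None or "photos.read" not in grant.scope:
            raise PermissionError("invalid token or insufficient scope")
        # Phase 2: the server returns the *resource owner's* data. It has no
        # information about who is operating the client right now.
        return list(self._photos[grant.resource_owner])


class Client:
    """An OAuth client, e.g. a web service. Whoever operates it presents the
    stored token; the token does not change with the operator."""

    def __init__(self, client_id: str) -> None:
        self.client_id = client_id
        self.token: Optional[str] = None

    def fetch_photos(self, rs: ResourceServer) -> list:
        return rs.get_photos(self.token)


def naive_user_from_token(auth: AuthorizationServer, token: str) -> str:
    """The misperception: treating the token as proof that the person now
    using the client is the resource owner. It can only ever answer 'alice'."""
    grant = auth.introspect(token)
    if grant is None:
        raise PermissionError("unknown token")
    return grant.resource_owner


def demo() -> dict:
    auth = AuthorizationServer()
    rs = ResourceServer(auth)
    client = Client("photo-printer")
    # Phase 1: Alice, the resource owner, authorizes the client.
    client.token = auth.authorize("alice", client.client_id, {"photos.read"})
    # Phase 2: Bob operates the client and reads Alice's photos with it.
    photos_seen_by_bob = client.fetch_photos(rs)
    # The naive check claims the operator is Alice, because it sees the token only.
    return {
        "photos": photos_seen_by_bob,
        "naive_claim": naive_user_from_token(auth, client.token),
        "actual_operator": "bob",
    }


if __name__ == "__main__":
    print(demo())
```

The only way to learn who is at the keyboard in phase 2 is a separate authentication of the client's user; the access token, by construction, carries only the grant.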
