
[OAuth] Resource Owner != Client User

Date: : OAuth

I have been preaching this numerous times, but let me do it once more.

There seems to be a very common misconception about OAuth: that the Resource Owner (the entity who grants permission for the resource access, i.e., the one who performs the "authorization") and the user of the client at resource access time are the same entity. This is plainly wrong.

In OAuth, there are two distinctive phases.

  • phase 1: Permission Phase
  • phase 2: Resource Access Phase

The Permission Phase delivers an access token to the (OAuth) client; in the Resource Access Phase, the client uses that access token to access the protected resource.

In "phase 1: Permission Phase", the Resource Owner typically delivers the access token to the client either directly (e.g., the implicit flow, where the token itself comes back in the redirect) or indirectly (e.g., the authorization code flow, where the redirect carries a one-time code that the client exchanges for the token at the token endpoint). The Resource Owner is present at both the authorization endpoint and the client's redirection endpoint. (The implicit flow is nowadays discouraged in favor of the code flow, but the point made here holds for both.)

In "phase 2: Resource Access Phase", the client accesses the protected resource using the access token. Many people seem to treat this client as if it were "Alice", the resource owner. This is not correct. The party accessing the resource is whoever controls the client at that moment. If, and only if, the client is used exclusively by Alice the resource owner can we safely assume that the user of the client is Alice. That is generally not true, especially when the client is a web service: the service presents the token, and the person driving the service is whoever is using it, not necessarily Alice.

It is better to think of OAuth as Alice-to-Bob information sharing, where Bob is the controller/user of the client in the Resource Access Phase. There are cases where Alice == Bob, but that is the exception, not the rule.
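The two phases as executable code, as an added example that is not part of the original post: a toy authorization server issues a one-time code while Alice is present and then a token to the client (phase 1), and a toy resource server serves whoever presents that token (phase 2), recording the token's client_id and the resource owner's sub as two separate facts. All names (alice, bobs-webapp, the calendar resource, the scope strings) are made up for the illustration; the introspection response shape loosely follows RFC 7662.

```python
# Added example (not from the original post): a toy model of the two OAuth
# phases, showing that the party presenting the token in phase 2 is the
# client, not the resource owner. All names (alice, bobs-webapp, scopes,
# resource names) are constructed for illustration.
import secrets


class AuthorizationServer:
    """Phase 1: issues codes and tokens and remembers who authorized what."""

    def __init__(self):
        self._codes = {}    # code  -> (resource_owner, client_id, scope)
        self._tokens = {}   # token -> (resource_owner, client_id, scope)

    def authorize(self, resource_owner, client_id, scope):
        # Authorization endpoint: the resource owner (Alice) is present here
        # and consents; the code is delivered to the client's redirect URI.
        code = secrets.token_urlsafe(16)
        self._codes[code] = (resource_owner, client_id, frozenset(scope))
        return code

    def token(self, code, client_id):
        # Token endpoint: the client (not Alice) redeems the one-time code.
        entry = self._codes.pop(code, None)
        if entry is None or entry[1] != client_id:
            raise PermissionError("unknown code or wrong client")
        tok = secrets.token_urlsafe(24)
        self._tokens[tok] = entry
        return tok

    def introspect(self, token):
        # RFC 7662-style introspection: 'sub' is who authorized (the resource
        # owner), 'client_id' is the client the token was issued to.
        entry = self._tokens.get(token)
        if entry is None:
            return {"active": False}
        sub, client_id, scope = entry
        return {"active": True, "sub": sub, "client_id": client_id,
                "scope": " ".join(sorted(scope))}


class ResourceServer:
    """Phase 2: whoever presents a valid bearer token gets what its scope allows."""

    def __init__(self, auth_server, data):
        self.auth = auth_server
        self.data = data          # resource_owner -> {resource_name: value}
        self.audit = []

    def _check(self, token, required_scope):
        info = self.auth.introspect(token)
        if not info.get("active"):
            raise PermissionError("invalid token")
        if required_scope not in info["scope"].split():
            raise PermissionError(f"token lacks scope {required_scope}")
        return info

    def read(self, token, name):
        info = self._check(token, f"read:{name}")
        # The requester is the client (or anyone holding the token); the
        # data belongs to 'sub'. Record both and never conflate them.
        self.audit.append({"accessed_by": info["client_id"],
                           "on_behalf_of": info["sub"],
                           "action": f"read:{name}"})
        return self.data[info["sub"]][name]

    def write(self, token, name, value):
        info = self._check(token, f"write:{name}")
        self.audit.append({"accessed_by": info["client_id"],
                           "on_behalf_of": info["sub"],
                           "action": f"write:{name}"})
        self.data[info["sub"]][name] = value


def run_flow():
    """Alice authorizes Bob's web service to read her calendar; the service
    (operated by Bob, not Alice) then fetches it. Returns what happened."""
    auth = AuthorizationServer()
    rs = ResourceServer(auth, {"alice": {"calendar": "dentist 10:00"}})

    # Phase 1: Alice is at the authorization endpoint and the redirect URI;
    # the client redeems the code at the token endpoint.
    code = auth.authorize("alice", "bobs-webapp", ["read:calendar"])
    token = auth.token(code, "bobs-webapp")

    # Phase 2: Bob's web service presents the token. Alice is not involved.
    calendar = rs.read(token, "calendar")
    entry = rs.audit[-1]

    # The token carries only read:calendar, so a write is refused.
    try:
        rs.write(token, "calendar", "cancelled")
        write_denied = False
    except PermissionError:
        write_denied = True
    return {"calendar": calendar, "audit": entry,
            "write_denied": write_denied, "auth": auth}


if __name__ == "__main__":
    print(run_flow()["audit"])
```

Note what the resource server can and cannot know: from a plain bearer token it learns which client the token was issued to and who authorized it, but nothing about who is operating that client, so a request from Bob's service and a request from anyone who obtained the token from that service look identical. Authorization decisions at the resource server should therefore be driven by the token's scope and `sub`, never by the assumption that the caller is Alice; sender-constrained tokens (mutual TLS, RFC 8705; DPoP, RFC 9449) exist for the cases where the bearer property itself is the risk.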
