
[OAuth] Resource Owner != Client User

Category: OAuth

I have been preaching this numerous times, but let me do it once more.

There seems to be a very common misperception that in OAuth the Resource Owner (the entity who gives permission for the resource access, aka “authorization”) and the user of the client at resource access time are the same. This is plainly wrong.

In OAuth, there are two distinct phases.

  • phase 1: Permission Phase
  • phase 2: Resource Access Phase

The Permission Phase delivers the access token to the (OAuth) client, while in the Resource Access Phase the client uses that access token to access the resource.

In “phase 1: Permission Phase”, the Resource Owner typically delivers the access token to the client directly (e.g., implicit flow) or indirectly (e.g., code flow). The Resource Owner is present at both the authorization endpoint and the client’s redirection endpoint.

In “phase 2: Resource Access Phase”, the client accesses the protected resource using the access token. Many people seem to think of the user of this client as “Alice”, the resource owner. This is not correct. It could be anybody who controls the client. If and only if the client is used exclusively by Alice the resource owner can we safely assume that the user of the client is Alice. This is generally not true, especially when the client is a web service.

It is better to think of OAuth as Alice-to-Bob information sharing, where Bob is the controller/user of the client in the Resource Access Phase. There can be cases where Alice == Bob, but that is the exception.
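To make the two phases concrete, here is a constructed Python model (added here, not code from the original post): Alice authorizes at the authorization endpoint in phase 1, and Bob's service, with Alice absent, presents the token to the resource server in phase 2. The names "bobs_service", the "calendar.read" scope and the calendar resource are assumptions.

```python
import secrets
from collections import namedtuple

# Constructed in-memory model of the two phases described above (added example,
# not code from the original post); names such as "bobs_service" are assumptions.
AccessToken = namedtuple("AccessToken", "sub client_id scope")  # sub = Resource Owner

class AuthorizationServer:
    # Phase 1: the Resource Owner is at the authorization endpoint; the code goes
    # via her browser to the client's redirection endpoint; the client redeems it.
    def __init__(self):
        self._codes, self._tokens = {}, {}

    def authorize(self, resource_owner, client_id, scope):
        code = secrets.token_urlsafe(16)
        self._codes[code] = (resource_owner, client_id, scope)
        return code

    def token(self, code, client_id):
        entry = self._codes.pop(code, None)  # single use
        if entry is None or entry[1] != client_id:
            raise PermissionError("invalid code or wrong client")
        tok = secrets.token_urlsafe(16)
        self._tokens[tok] = AccessToken(*entry)
        return tok

    def introspect(self, tok):
        return self._tokens.get(tok)

class ResourceServer:
    # Phase 2: whoever controls the client presents the token. The server learns
    # whose resource (sub) and which client; it does NOT learn who operates the
    # client now, so it must not treat the caller as the Resource Owner.
    def __init__(self, auth_server, calendars):
        self._as, self._calendars = auth_server, calendars

    def get_calendar(self, bearer):
        tok = self._as.introspect(bearer)
        if tok is None or "calendar.read" not in tok.scope.split():
            raise PermissionError("unauthorized")
        return {"owner": tok.sub, "client_id": tok.client_id,
                "entries": self._calendars[tok.sub]}

def run_flow():
    auth = AuthorizationServer()
    rs = ResourceServer(auth, {"alice": ["dentist 10:00"]})
    code = auth.authorize("alice", "bobs_service", "calendar.read")  # Alice acts
    token = auth.token(code, "bobs_service")                          # client acts
    return auth, code, rs.get_calendar(token)  # Bob's service acts; Alice absent
```

Note that the response identifies the owner and the client but carries no claim about who operated the client; that is exactly the gap the post is pointing at.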
