15

I am doing an in-depth study of Spring OAuth, and I found some conflicting information.

Specifically, this tutorial states that the /oauth/token endpoint handles the username and password before granting a refresh token to the client app. By contrast, the Spring OAuth Developer Guide mentions the /oauth/authorize and /oauth/token endpoints, but yet does not get specific about how they work.

Does the /oauth/authorize do 100% of the username/password/nOtherFactors check and then signal the /oauth/token endpoint to send a refresh token to the client, so that the client then sends the refresh token to the /oauth/token endpoint?

Or is all of it handled by the /oauth/token endpoint?

Is the relationship between /oauth/authorize and /oauth/token different for different grant types? How?

halfer
  • 19,824
  • 17
  • 99
  • 186
CodeMed
  • 9,527
  • 70
  • 212
  • 364
  • I have removed two images from this, where the image host has died. If you can get those images again, please put them them on the official CDN. – halfer Feb 06 '19 at 22:16

1 Answers1

22

Per the OAuth 2.0 specification the authorize and token endpoints have different purposes.

Authorization endpoint is where the resource owner (user) logs in and grants authorization to the client (ex: web application running in the browser or an app running on a mobile device). This is typically used in scenarios where the resource owner's user agent (ex: browser) is redirected to the identity server (authorization server) for authentication. The resource owner's user agent will have direct access to the access token.

Token endpoint is where the client (ex: Server side API or mobile app) calls to exchange the Authorization Code, Client Id and Client Secret for an access token. In this scenario, the user agent is provided with an Authorization code only, no direct access to the access token. The client is a trusted party with access to client Id and Client secret from the authorization server (That is why I mentioned Server side API as the client).

Please read this article that has even better explanation.

halfer
  • 19,824
  • 17
  • 99
  • 186
Soma Yarlagadda
  • 2,875
  • 3
  • 15
  • 37
  • Thank you and +1 for providing an explanation with a link. Lemme look into it a little further when I have time. I am curious to find out whether the answer to this OP is different for different grant types. However, I do not expect you to write a dissertation about it. – CodeMed May 02 '16 at 16:29
  • Excellent! I know this answer is already slightly older, but thanks for the short explanation! Especially if one uses Spring Security 5 + OAuth2Client, one gets a ton of endpoints *just like that* - which makes an application based on those libraries harder to understand and customize. – Igor Mar 12 '20 at 00:07