Questions tagged [rfc6749]

The OAuth 2.0 Authorization Framework

The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf. This specification replaces and obsoletes the OAuth 1.0 protocol described in RFC 5849.

link: https://datatracker.ietf.org/doc/rfc6749/

15 questions
16 votes, 3 answers

Why is redirect_uri required on Access Token request?

I'm developing an OAuth2 provider based on RFC 6749 and I'm wondering, why is redirect_uri required on the Access Token Request? The /token endpoint is not redirecting and the state is assumed to be already validated (i.e. against CSRF), so a copy of…
themihai
12 votes, 1 answer

What's the difference between unauthorized_client and access_denied

I'm reading the OAuth2 specs and I'm confused by the unauthorized_client and access_denied error codes. They seem to express the same error condition, don't they? At first glance (by error code) I thought one is for authentication failure and the other for…
themihai
9 votes, 2 answers

Should dynamic query parameters be present in the Redirection URI for OAuth2 (Authorization Code Grant Type)?

Sources such as this Okta-sponsored site (see the "Per-Request Customization" section) mention that the redirect_uri parameter of an authorization request SHOULD NEVER have a dynamic query part (e.g. for session-matching uses). Quote: The server should…
GhislainCote
8 votes, 3 answers

What is the meaning of scope = scope-token *( SP scope-token ) scope-token = 1*( %x21 / %x23-5B / %x5D-7E ) in RFC6749 about OAuth2

What is the meaning of scope = scope-token *( SP scope-token ) scope-token = 1*( %x21 / %x23-5B / %x5D-7E ) in RFC6749 3.3. Access Token Scope?
Boreas320
5 votes, 1 answer

Purpose of redirect_uri parameter when exchanging code for access token

The RFC for OAuth2 says the redirect_uri which was specified when generating the authorization code must be included in the request to exchange the code for an access token. From the RFC: 4.1.3. Access Token Request The client makes a request…
kubasub
2 votes, 3 answers

What is the OAuth flow to generate access token without consent from resource owner?

Roles and terminology used in this question are the same as RFC 6749. Description of the use-case I want to allow a trusted OAuth client to ask authorization server to issue an access token on behalf of the resource owner without his consent (and…
Raphael Medaer
1 vote, 1 answer

OAuth 2.0 RFC 6749 Content-Type application/json is compliant with Spec?

I have an app which is OAuth2.0 and RFC 6749 compliant. I need to extend the behaviour now such that a new RP will invoke my /auth endpoint and it is expecting a response containing my auth_ref, hence I thought instead of the default…
cyberjar09
1 vote, 0 answers

Web App Client using ImplicitAccessTokenProvider from Spring Security OAuth2

I am writing an OAuth 2.0 client application and I am trying to use ImplicitAccessTokenProvider. But the problem is that this class allows for an access token request by sending a POST request to the Authorization Server's /oauth/token endpoint. For my…
aeloy
1 vote, 0 answers

RFC 6749 Authentication with ServiceStack

It looks like ServiceStack only accepts session-based authentication. I was reading through https://github.com/ServiceStack/ServiceStack/wiki/Authentication-and-authorization and I couldn't find anything describing how to do what I want. I also…
user1477388
0 votes, 1 answer

In OAuth2 with PKCE, what is the purpose of the client_id and client registration?

rfc6749 says, "Before initiating the protocol, the client registers with the authorization server". It describes the client_id as REQUIRED. It gives some hints towards why this is the case, but leaves open questions (to me). It is also unclear to…
Martin Geisse
0 votes, 1 answer

Will a PKCE implementation resolve the problem with dynamic redirect_uri in OAuth 2.0 (Code Grant Flow)?

I'd like to use redirect_uri as a dynamic parameter in the Code Grant, but I know that the redirect_uri must be static for security reasons. If I implement the PKCE flow and leave validation of the client_secret parameter, will using a dynamic redirect_uri be…
annd
0 votes, 1 answer

OAuth2.0 authorization with multiple resource owner identities

This question is about the interpretation of the OAuth 2.0 framework RFC 6749 §3.1, specifically the phrase: The authorization server MUST first verify the identity of the resource owner. The way in which the authorization server authenticates the…
0 votes, 1 answer

Return current valid access token instead of new access token when refresh

I'm implementing an OAuth2 authorization server. When consuming the OAuth2 refresh-token-to-access-token exchange (RFC 6749), my client, a mobile app, is having trouble implementing an interceptor (for many reasons). As before that my client perform…
0 votes, 1 answer

RFC6749 OAuth 2.0 can have multiple authorization endpoints?

I was reading the OAuth 2.0 RFC 6749. In the section Protocol Endpoints (https://www.rfc-editor.org/rfc/rfc6749#section-3) it mentions that the Authorization server needs an authorization endpoint. In the application I am building, there is a need for…
cyberjar09
0 votes, 1 answer

rfc6749 4.3 - Resource Owner to Auth Server direct communication?

Background: I'm building an SPA and a mobile app that will communicate with a REST API. I'd like to run a separate auth server to manage users (resource owners) and think the OAuth2 4.3 Resource Owner Password Credentials grant makes sense for my…
Adam