rest - Understanding OAuth2 flow -


i'm developing android app consumes rest service uses oauth protocol. in first activity, app shows login screen. flow:

1) user puts username , password.

2) app makes request rest service, providing username , password.

3) rest service check credentials , if correct, ask access_token oauth2 provider server.

4) rest service answers app providing access_token , refresh_token

5) in next requests rest server (to data people, articles...) app provide access_token , refresh_token.

6) when rest service process request, validate access_token (using token info endpoint of oauth server).

7) if access_token correct , has not expired, rest service return data app asking for.

when rest service detects access_token has expired, asks using refresh_roken.

now, questions:

when rest service retrieve new access_token after old 1 expires, has rest service send app in response?

if so, has app check, in each request/response, if new new access_token has been sent rest service?

i don't know if i'm in right way, i'm trying understand flow.

thanks.

assuming there's no browser involved , app (aka. client) uses called resource owner password credentials grant, flow is:

  1. the user (aka. resource owner) provides his/her username , password client

  2. the client makes token request authorization server, providing username , password

  3. the authorization server checks credentials , if correct, provides access token , optionally refresh token client in response

  4. in requests rest server (to data people, articles...) client provide access token

  5. when rest service process request, validate access token calling token validation endpoint of authorization server or validating token locally (e.g. if access token jwt).

  6. if access token correct, has not expired , has right permissions (aka. "scopes"), rest service return data client asking for

  7. when client detects access_token has expired (e.g. because rest server returns error), asks authorization server access token using refresh token using so-called refresh token grant/flow


Comments

Popular posts from this blog

Payment information shows nothing in one page checkout page magento -

tcpdump - How to check if server received packet (acknowledged) -