Below are the steps to do revoke your JWT access token: When you do log in, send 2 tokens (Access token, Refresh token) in response to the client. The access token will have less expiry time and Refresh will have long expiry time. The client (Front end) will store refresh token in his local storage … Read more
Here are my thoughts: The purpose of auth code + token in authorization code flow is that token and client secret will never be exposed to resource owner because they travel server-to-server. On the other side, implicit grant flow is for clients that are implemented entirely using javascript and are running in resource owner’s browser. … Read more
Background: I’ve written client and server stacks for OAuth 1.0a and 2.0. Both OAuth 1.0a & 2.0 support two-legged authentication, where a server is assured of a user’s identity, and three-legged authentication, where a server is assured by a content provider of the user’s identity. Three-legged authentication is where authorization requests and access tokens come … Read more
tl;dr: This is all because of security reasons. OAuth 2.0 wanted to meet these two criteria: You want to allow developers to use non-HTTPS redirect URI because not all developers have an SSL enabled server and if they do it’s not always properly configured (non-self signed, trusted SSL certificates, synchronised server clock…). You don’t want … Read more
TL;DR If you have very simple scenarios, like a single client application, a single API then it might not pay off to go OAuth 2.0, on the other hand, lots of different clients (browser-based, native mobile, server-side, etc) then sticking to OAuth 2.0 rules might make it more manageable than trying to roll your own … Read more
The redirect URI (where the response is returned to) has to be registered in the APIs console, and the error is indicating that you haven’t done that, or haven’t done it correctly. Go to the console for your project and look under API Access. You should see your client ID & client secret there, along … Read more
How OAuth 2.0 works in real life: I was driving by Olaf’s bakery on my way to work when I saw the most delicious donut in the window — I mean, the thing was dripping chocolatey goodness. So I went inside and demanded “I must have that donut!”. He said “sure that will be $30.” … Read more
Eran Hammer-Lahav has done an excellent job in explaining the majority of the differences in his article Introducing OAuth 2.0. To summarize, here are the key differences: More OAuth Flows to allow better support for non-browser based applications. This is a main criticism against OAuth from client applications that were not browser based. For example, … Read more
The link to discussion, provided by Catchdave, has another valid point (original, dead link) made by Dick Hardt, which I believe is worth to be mentioned here in addition to what’s been written above: My recollection of refresh tokens was for security and revocation. <…> revocation: if the access token is self contained, authorization can … Read more