OAuth: how to test with local URLs?

Update October 2016: Easiest now: use lvh.me which always points to 127.0.0.1, but make sure to verify that this is still true every time you need to invoke it (because domains can expire or get taken over, and DNS poisoning is always a concern) Previous Answer: Since the callback request is issued by the browser, … Read more
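The "verify it every time" advice above can be turned into a check that runs before the redirect URI is ever handed to a provider. The following Python is an added example (not code from the answer or from lvh.me's operator): it resolves the host, refuses anything that is not a loopback address, and only then builds the callback URL. The port 3000 and the path /oauth/callback are assumed placeholders for whatever the local app actually listens on.

```python
import ipaddress
import socket


def loopback_only(addresses):
    """True only if there is at least one answer and every answer is loopback
    (127.0.0.0/8 or ::1). Anything else means the name no longer points at you."""
    if not addresses:
        return False
    return all(ipaddress.ip_address(addr).is_loopback for addr in addresses)


def resolve(host):
    """All A/AAAA answers for host from the system resolver (the only network call here)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def local_redirect_uri(host, port=3000, path="/oauth/callback", addresses=None):
    """Build the redirect URI only after confirming that host resolves to loopback.
    `addresses` lets a caller (or a test) inject resolver answers instead of querying DNS;
    port and path are assumed values for this example."""
    answers = resolve(host) if addresses is None else addresses
    if not loopback_only(answers):
        raise RuntimeError(f"{host} resolves to {answers}, not to loopback; refusing to use it")
    return f"http://{host}:{port}{path}"


if __name__ == "__main__":
    # Live check against the real resolver; fails loudly if lvh.me ever stops being loopback.
    print(local_redirect_uri("lvh.me"))
```

Run it as a script to query DNS for real; the injected `addresses` parameter exists so the decision logic can be exercised offline with constructed resolver answers.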

Why do access tokens expire?

This is very much implementation specific, but the general idea is to allow providers to issue short term access tokens with long term refresh tokens. Why? Many providers support bearer tokens which are very weak security-wise. By making them short-lived and requiring refresh, they limit the time an attacker can abuse a stolen token. Large … Read more
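To make the "short-lived access token, long-lived refresh token" idea concrete, here is an added Python example (constructed for this page, not any provider's implementation). It goes a little beyond the answer: refresh tokens are single-use and rotated on every refresh, and presenting an old refresh token a second time revokes the whole token family, which is how a provider can notice that a refresh token was stolen. The clock is injectable so the demo can fast-forward past the access-token lifetime without sleeping.

```python
import secrets
import time


class TokenService:
    """Toy token issuer (constructed example). Access tokens are opaque bearer tokens that
    expire after `access_ttl` seconds; refresh tokens live much longer, are single-use and
    are rotated on every refresh."""

    def __init__(self, access_ttl=900, refresh_ttl=30 * 24 * 3600, clock=time.time):
        self.access_ttl = access_ttl
        self.refresh_ttl = refresh_ttl
        self.clock = clock              # injectable so the demo can fast-forward time
        self._access = {}               # access_token -> (subject, expiry)
        self._refresh = {}              # refresh_token -> (subject, expiry, family)
        self._spent = {}                # already-used refresh_token -> family
        self._revoked = set()           # families killed after refresh-token reuse

    def issue(self, subject):
        """Initial grant: a fresh token pair in a new refresh-token family."""
        return self._mint(subject, family=secrets.token_hex(8))

    def _mint(self, subject, family):
        now = self.clock()
        access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self._access[access] = (subject, now + self.access_ttl)
        self._refresh[refresh] = (subject, now + self.refresh_ttl, family)
        return {"access_token": access, "refresh_token": refresh, "expires_in": self.access_ttl}

    def subject_of(self, access):
        """Resource-server check: whose bearer token is this, if it is still valid?"""
        entry = self._access.get(access)
        if entry is None:
            return None
        subject, expiry = entry
        if self.clock() >= expiry:
            del self._access[access]    # expired: a stolen copy is now worthless
            return None
        return subject

    def refresh(self, refresh):
        """Exchange a refresh token for a new pair. A refresh token presented twice means
        either the client or a thief is replaying it, so the whole family is revoked."""
        if refresh in self._spent:
            self._revoked.add(self._spent[refresh])
            return None
        entry = self._refresh.pop(refresh, None)
        if entry is None:
            return None
        subject, expiry, family = entry
        self._spent[refresh] = family
        if family in self._revoked or self.clock() >= expiry:
            return None
        return self._mint(subject, family)


def demo():
    """Walk through the stolen-bearer-token scenario with a controllable clock."""
    clock = [1_000_000.0]
    svc = TokenService(access_ttl=900, clock=lambda: clock[0])
    pair = svc.issue("alice")
    stolen = pair["access_token"]                 # attacker copies the bearer token
    stolen_works_now = svc.subject_of(stolen)     # "alice": it is a valid bearer token
    clock[0] += 901                               # fifteen minutes later
    stolen_works_later = svc.subject_of(stolen)   # None: the window has closed
    renewed = svc.refresh(pair["refresh_token"])  # legitimate client rotates
    renewed_ok = svc.subject_of(renewed["access_token"])
    replay = svc.refresh(pair["refresh_token"])   # old refresh token shows up again
    after_replay = svc.refresh(renewed["refresh_token"])  # family is now revoked
    return {"stolen_works_now": stolen_works_now, "stolen_works_later": stolen_works_later,
            "renewed_ok": renewed_ok, "replay": replay, "after_replay": after_replay}


if __name__ == "__main__":
    print(demo())
```

The numbers (15-minute access tokens, 30-day refresh tokens) are assumptions for the demo; real providers pick their own lifetimes, and the point is only that the stolen bearer token stops working at the first expiry while the legitimate client carries on through the back channel.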

Security of REST authentication schemes

A previous answer only mentioned SSL in the context of data transfer and didn’t actually cover authentication. You’re really asking about securely authenticating REST API clients. Unless you’re using TLS client authentication, SSL alone is NOT a viable authentication mechanism for a REST API. SSL without client authc only authenticates the server, which is irrelevant … Read more

What is an Endpoint?

Come on guys 🙂 We could do it simpler, by examples: /this-is-an-endpoint /another/endpoint /some/other/endpoint /login /accounts /cart/items and when put under a domain, it would look like: https://example.com/this-is-an-endpoint https://example.com/another/endpoint https://example.com/some/other/endpoint https://example.com/login https://example.com/accounts https://example.com/cart/items Can be either http or https, we use https in the example. Also endpoint can be different for different HTTP methods, for … Read more

What is the purpose of the implicit grant authorization type in OAuth 2?

Here are my thoughts: The purpose of auth code + token in authorization code flow is that token and client secret will never be exposed to resource owner because they travel server-to-server. On the other side, implicit grant flow is for clients that are implemented entirely using javascript and are running in resource owner’s browser. … Read more

OAuth 2.0: Benefits and use cases — why?

Background: I’ve written client and server stacks for OAuth 1.0a and 2.0. Both OAuth 1.0a & 2.0 support two-legged authentication, where a server is assured of a user’s identity, and three-legged authentication, where a server is assured by a content provider of the user’s identity. Three-legged authentication is where authorization requests and access tokens come … Read more

Facebook OAuth “The domain of this URL isn’t included in the app’s domain”

In case someone comes across this and is looking for these settings (like I was): On the left-hand side, click “+Add Product” and select “Facebook Login” (it was at the top for me). See the new settings available on the left-hand side. You will now have these OAuth settings on … Read more

Why is there an “Authorization Code” flow in OAuth2 when “Implicit” flow works so well?

tl;dr: This is all because of security reasons. OAuth 2.0 wanted to meet these two criteria: You want to allow developers to use non-HTTPS redirect URI because not all developers have an SSL enabled server and if they do it’s not always properly configured (non-self signed, trusted SSL certificates, synchronised server clock…). You don’t want … Read more
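The two answers above (implicit grant for in-browser clients; authorization code so the token never crosses the browser and a plain-HTTP redirect only leaks a code) describe the same trade-off from two sides. The following Python is an added example, constructed for this page and not taken from either answer or from any real authorization server: a toy server that supports both grants, so you can see exactly what an eavesdropper on the redirect learns in each case. Client ids, secrets, redirect URIs and the user name are invented placeholders.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


class AuthorizationServer:
    """Toy OAuth 2.0 authorization server (constructed example) supporting the implicit
    grant (response_type=token) and the authorization code grant (response_type=code)."""

    def __init__(self):
        self.clients = {}   # client_id -> {"secret": str | None, "redirect_uri": str}
        self.codes = {}     # code -> {"client_id", "redirect_uri", "user"}
        self.tokens = {}    # access_token -> user

    def register(self, client_id, redirect_uri, secret=None):
        self.clients[client_id] = {"secret": secret, "redirect_uri": redirect_uri}

    def authorize(self, response_type, client_id, redirect_uri, user):
        """Front channel: the resource owner has approved; build the redirect back to the client."""
        client = self.clients.get(client_id)
        if client is None or client["redirect_uri"] != redirect_uri:   # exact match, always
            raise ValueError("unknown client or redirect_uri mismatch")
        if response_type == "token":
            token = secrets.token_urlsafe(24)
            self.tokens[token] = user
            # Implicit: the bearer token itself rides through the browser in the fragment.
            return redirect_uri + "#" + urlencode({"access_token": token, "token_type": "bearer"})
        if response_type == "code":
            code = secrets.token_urlsafe(24)
            self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri, "user": user}
            # Authorization code: only a short-lived, single-use code crosses the browser.
            return redirect_uri + "?" + urlencode({"code": code})
        raise ValueError("unsupported response_type")

    def token(self, code, client_id, client_secret, redirect_uri):
        """Back channel: only a client that proves it holds the secret can redeem a code.
        A wrong secret does not consume the code; a successful exchange does (single use)."""
        client = self.clients.get(client_id)
        if client is None or client["secret"] is None:
            return None
        if not secrets.compare_digest(client["secret"], client_secret or ""):
            return None
        grant = self.codes.pop(code, None)
        if grant is None or grant["client_id"] != client_id or grant["redirect_uri"] != redirect_uri:
            return None
        token = secrets.token_urlsafe(24)
        self.tokens[token] = grant["user"]
        return token


def demo():
    srv = AuthorizationServer()
    srv.register("spa", "https://spa.example/cb")                     # public client, implicit
    srv.register("web", "http://web.example/cb", secret="s3cr3t")     # confidential client

    # Implicit grant: whatever sees the redirect (history, proxy logs, extensions) sees the token.
    implicit_redirect = srv.authorize("token", "spa", "https://spa.example/cb", user="alice")
    leaked_token = parse_qs(urlparse(implicit_redirect).fragment)["access_token"][0]

    # Authorization code grant over a plain-HTTP redirect: an eavesdropper learns only the code.
    code_redirect = srv.authorize("code", "web", "http://web.example/cb", user="alice")
    code = parse_qs(urlparse(code_redirect).query)["code"][0]
    attacker = srv.token(code, "web", "wrong-guess", "http://web.example/cb")   # no secret
    legit = srv.token(code, "web", "s3cr3t", "http://web.example/cb")          # server-to-server
    replay = srv.token(code, "web", "s3cr3t", "http://web.example/cb")         # code already spent
    return {
        "implicit_token_in_browser_url": leaked_token in implicit_redirect,
        "implicit_token_valid": srv.tokens.get(leaked_token) == "alice",
        "code_in_browser_url": code in code_redirect,
        "attacker_without_secret": attacker,
        "legit_exchange_valid": srv.tokens.get(legit) == "alice",
        "code_replay": replay,
    }


if __name__ == "__main__":
    print(demo())
```

The demo deliberately lets the confidential client register an http:// redirect URI, matching the answer's point: what leaks on that hop is a code bound to one client and one redirect URI, redeemable once, and useless without the client secret that never leaves the server.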
