I'm under the impression that OAuth is for authentication between three parties. Does it make sense to implement OAuth in a context where there is just a client and a server?
We have a server and a client (HTML/JavaScript). Currently we authenticate via the normal "post credentials to server, get a cookie, use cookie to authenticate all subsequent requests" method. Will implementing OAuth be a benefit in this situation?
- I'd go with OpenID under these circumstances. – Gary, Jan 30, 2013 at 17:03
- @GaryRowe: OpenID is simpler, but the basic structure that one service uses identity proven by another service remains. – Jan Hudec, May 28, 2014 at 11:42
1 Answer
OAuth supports different Grant Types for the differing communications you're asking about.
Here is an example in a PHP library of a different grant type or two:
Client Credentials Grant Type Trusted Clients and UnTrusted Clients
The Client Credentials grant type is used when the client is requesting access to protected resources under its control (i.e. there is no third party).
# using HTTP Basic Authentication
$ curl -u TestClient:TestSecret https://api.mysite.com/token -d 'grant_type=client_credentials'
# using POST Body
$ curl https://api.mysite.com/token -d 'grant_type=client_credentials&client_id=TestClient&client_secret=TestSecret'
You'd get back an access token (like your cookie) and use that on all subsequent calls.
Implicit Grant Type
The Implicit grant type is similar to the Authorization Code grant type in that it is used to request access to protected resources on behalf of another user (i.e. a 3rd party). It is optimized for public clients, such as those implemented in JavaScript or on mobile devices, where client credentials cannot be stored.
https://api.mysite.com/authorize?response_type=token&client_id=TestClient&redirect_uri=https://myredirecturi.com/cb
Source: http://bshaffer.github.io/oauth2-server-php-docs/grant-types/client-credentials/
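The client-credentials exchange the answer quotes, as an added example that is not from the answer or from the bshaffer library: a minimal token endpoint that accepts the client secret by HTTP Basic or in the POST body (the two curl forms above), issues an opaque bearer token, and resolves it on later requests. CLIENTS, TOKEN_TTL and the in-memory token store are constructed for the example.

```python
import base64
import hmac
import secrets
import time

# Constructed registered client (a real server would store a secret hash).
CLIENTS = {"TestClient": "TestSecret"}
TOKEN_TTL = 3600
_tokens = {}  # access_token -> (client_id, expires_at)


def _client_from_basic(auth_header):
    """Parse 'Authorization: Basic base64(id:secret)'; None if malformed."""
    if not auth_header or not auth_header.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(auth_header[6:], validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    client_id, sep, secret = decoded.partition(":")
    return (client_id, secret) if sep else None


def token_endpoint(form, auth_header=None, now=None):
    """Handle POST /token for client_credentials (RFC 6749 s4.4, s5)."""
    now = time.time() if now is None else now
    if form.get("grant_type") != "client_credentials":
        return 400, {"error": "unsupported_grant_type"}
    creds = _client_from_basic(auth_header)
    if creds is None:  # fall back to client_id/client_secret in the body
        creds = (form.get("client_id", ""), form.get("client_secret", ""))
    client_id, secret = creds
    expected = CLIENTS.get(client_id, "")
    # constant-time compare; an unknown client (empty expected) always fails
    if not expected or not hmac.compare_digest(expected.encode(), secret.encode()):
        return 401, {"error": "invalid_client"}
    token = secrets.token_urlsafe(32)  # opaque, unguessable handle
    _tokens[token] = (client_id, now + TOKEN_TTL)
    return 200, {"access_token": token, "token_type": "Bearer", "expires_in": TOKEN_TTL}


def client_for_bearer(auth_header, now=None):
    """Resolve 'Authorization: Bearer <token>' to its client_id, or None."""
    now = time.time() if now is None else now
    if not auth_header or not auth_header.startswith("Bearer "):
        return None
    entry = _tokens.get(auth_header[7:])
    if entry is None or entry[1] <= now:  # unknown or expired token
        return None
    return entry[0]
```

Like the cookie in the question, the token is only a server-side handle; what OAuth adds here is the standard request shape and an expiry the client can see.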