Overview

OAuth Explained

The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf.

Authorization Grant

An authorization grant is a credential, presented to the authorization server in exchange for an access token which represents the resource owner’s authorization to access a resource. There are 3 types of authorization grants supported by Penn State’s OAuth Server.

From the OAuth2 Spec:

An authorization grant is a credential representing the resource owner’s authorization (to access its protected resources) used by the client to obtain an access token.

The original OAuth2 specification defines 4 grantTypes, and the ability to extend the spec to provide additional grantTypes. The OAuth2 Assertion framework defines 2 additional grantTypes: SAML and JWT. The JWT assertion type is supported in this implementation.

Grant Types: * Authorization Code * Implicit * Client Credentials * Password * JWT Assertions * SAML Assertions (Not Supported)

Request

POST /oauth/api/token HTTP/1.1
Host: dev.apps.psu.edu
Accept: application/json
Cache-Control: no-cache
Postman-Token: 12aab471-73b0-0744-d70c-b12703eb21b7
Content-Type: application/x-www-form-urlencoded
grant_type=client_credentials&client_id=d3vQhjw4Ve2eJgZYTU7gEtTdRNAU6WRh&client_secret=PM2Yscn3ojFb2jOxhvatRpBZEqh8lTYb

{
  "access_token": "ff9e9ee865b454fb440f101b01082fde",
  "refresh_token": "d21a8ecb0535a3ef8d60aa02d83ac191",
  "scope": "",
  "token_type": "Bearer",
  "expires_in": 3599
}