OAuth2 Spec. – 1.2. Protocol Flow


https://tools.ietf.org/html/rfc6749#section-1.2

1.2. Protocol Flow (the flow of the protocol)

```
     +--------+                               +---------------+
     |        |--(A)- Authorization Request ->|   Resource    |
     |        |                               |     Owner     |
     |        |<-(B)-- Authorization Grant ---|               |
     |        |                               +---------------+
     |        |
     |        |                               +---------------+
     |        |--(C)-- Authorization Grant -->| Authorization |
     | Client |                               |     Server    |
     |        |<-(D)----- Access Token -------|               |
     |        |                               +---------------+
     |        |
     |        |                               +---------------+
     |        |--(E)----- Access Token ------>|    Resource   |
     |        |                               |     Server    |
     |        |<-(F)--- Protected Resource ---|               |
     +--------+                               +---------------+
```

Figure 1: Abstract Protocol Flow

The abstract OAuth 2.0 flow illustrated in Figure 1 describes the interaction between the four roles and includes the following steps: The concept of OAuth 2.0 is as shown in Figure 1.

(A) The client requests authorization from the resource owner. The authorization request can be made directly to the resource owner (as shown), or preferably indirectly via the authorization server as an intermediary. The client requests authorization from the resource owner. The authorization request can be made directly to the resource owner, but it is usually done indirectly through the authorization server.

(B) The client receives an authorization grant, which is a credential representing the resource owner's authorization, expressed using one of four grant types defined in this specification or using an extension grant type. The authorization grant type depends on the method used by the client to request authorization and the types supported by the authorization server. The client receives an authorization grant, which carries the resource owner's authorization. Four grant types are defined in this specification. The client picks whichever one it wants to use, and the authorization server supports all of these methods. ** So it says, but it seems there are many cases where this spec is not fully supported.

(C) The client requests an access token by authenticating with the authorization server and presenting the authorization grant. The client sends an access token request to the authorization server, presenting the authorization grant.

(D) The authorization server authenticates the client and validates the authorization grant, and if valid, issues an access token. The authorization server authenticates the client and validates the authorization grant. If it is valid, it issues an access token.

(E) The client requests the protected resource from the resource server and authenticates by presenting the access token. The client requests the protected resource from the resource server, sending the access token along with the request to handle authentication.

(F) The resource server validates the access token, and if valid, serves the request. The resource server checks the access token and then handles the request.

The preferred method for the client to obtain an authorization grant from the resource owner (depicted in steps (A) and (B)) is to use the authorization server as an intermediary, which is illustrated in Figure 3 in Section 4.1. Rather than the method shown in (A) and (B) above, the method described in 4.1 is recommended. * The method above exposes the account information to the client.
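Steps (C) through (F) of Figure 1 as an added example, not code from the RFC or from the original post: a toy authorization server that issues a grant bound to one client, authenticates the client and validates the grant before issuing an access token, and a resource server that validates the token before serving. The client id, client secret and lifetimes are constructed values, and the token store is an in-memory dictionary standing in for whatever a real deployment uses.

```python
import secrets
import time


class AuthorizationServer:
    """Issues grants (step B) and exchanges them for access tokens (steps C and D)."""
    def __init__(self):
        self.clients = {"app-1": "s3cret"}  # constructed client credentials, hypothetical
        self.grants = {}                    # grant -> (client_id it was issued to, expiry)
        self.tokens = {}                    # access token -> (client_id, expiry)

    def issue_grant(self, client_id, ttl=600):
        # Step B: the grant stands for the resource owner's authorization, bound to one client.
        grant = secrets.token_urlsafe(16)
        self.grants[grant] = (client_id, time.time() + ttl)
        return grant

    def token_request(self, client_id, client_secret, grant):
        # Step D: authenticate the client first, then validate the grant, then issue a token.
        if not secrets.compare_digest(self.clients.get(client_id, ""), client_secret):
            return None  # client authentication failed; the grant stays untouched
        bound_client, expiry = self.grants.pop(grant, (None, 0))  # pop makes the grant single-use
        if bound_client != client_id or time.time() > expiry:
            return None  # unknown, already used, expired, or issued to a different client
        token = secrets.token_urlsafe(24)
        self.tokens[token] = (client_id, time.time() + 3600)
        return token

    def validate_token(self, token):
        client_id, expiry = self.tokens.get(token, (None, 0))
        return client_id if time.time() <= expiry else None


def serve_resource(auth_server, token):
    """Step F: the resource server validates the token before serving the protected resource."""
    if token is None or auth_server.validate_token(token) is None:
        return 401, None
    return 200, "protected data"


def run_flow():
    """Steps C-F: one valid exchange, then the same grant presented a second time."""
    auth = AuthorizationServer()
    grant = auth.issue_grant("app-1")
    token = auth.token_request("app-1", "s3cret", grant)   # steps C and D
    first = serve_resource(auth, token)                     # steps E and F
    replay = auth.token_request("app-1", "s3cret", grant)  # replayed grant is rejected
    return first, replay
```

Run `run_flow()` to see the valid exchange succeed and the replayed grant return no token.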