The resource server is the OAuth 2.0 term for your API server. The resource server handles authenticated requests after the application has obtained an access token.

Large scale deployments may have more than one resource server. Google's services, for example, have dozens of resource servers, such as the Google Cloud platform, Google Maps, Google Drive, YouTube, Google+, and many others. Each of these resource servers is distinctly separate, but they all share the same authorization server.

Smaller deployments typically have only one resource server, which is often built as part of the same code base or same deployment as the authorization server.

The resource server will be getting requests from applications with an HTTP Authorization header containing an access token. The resource server needs to be able to verify the access token to determine whether to process the request, find the associated user account, and so on.

If you're using self-encoded access tokens, then verifying the tokens can be done entirely in the resource server without interacting with a database or external servers.

If your tokens are stored in a database, then verifying the token is simply a database lookup on the token table.

Another option is to use the Token Introspection spec to build an API to verify access tokens. This is a good way to handle verifying access tokens across a large number of resource servers, since it means you can encapsulate all of the logic of access tokens in a single server, exposing the information via an API to other parts of the system. The token introspection endpoint is intended to be used only internally, so you will want to protect it with some internal authorization, or only enable it on a server within the firewall of the system.

The resource server needs to know the list of scopes that are associated with the access token. The server is responsible for denying the request if the scopes in the access token do not include the required scope to perform the designated action.

The OAuth 2.0 spec does not define any scopes itself, nor is there a central registry of scopes. The list of scopes is up to the service to decide for itself.
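The two decisions described above, verifying the access token and then checking that it carries the scope the action needs, as an added example that is not code from the original page or from any OAuth library. It assumes a hypothetical in-memory token table (TOKENS) standing in for the database lookup, and a constructed dictionary (INTROSPECTION_RESPONSES) standing in for what an internal RFC 7662 introspection endpoint would return; the endpoint itself, and the internal authorization protecting it, are not implemented here. The scope names and subjects are made up.

```python
"""Added example: a minimal OAuth 2.0 resource-server authorization check.

Not code from the original page. Assumes a hypothetical token table and a
constructed introspection response; shows how the same scope check applies
whichever way the token was verified.
"""
import time

# Constructed stand-in for the "token table" a database-backed server would query.
# Scopes are stored space-separated, as in the OAuth 2.0 'scope' parameter.
TOKENS = {
    "tok_read_only": {"sub": "user-17", "scope": "photos:read", "exp": time.time() + 3600},
    "tok_full": {"sub": "user-42", "scope": "photos:read photos:write", "exp": time.time() + 3600},
    "tok_expired": {"sub": "user-99", "scope": "photos:read photos:write", "exp": time.time() - 1},
}

# Constructed stand-in for responses from an internal token introspection endpoint
# (RFC 7662 shape). The only required field is 'active'; claims are optional.
INTROSPECTION_RESPONSES = {
    "tok_full": {"active": True, "sub": "user-42", "scope": "photos:read photos:write"},
    "tok_revoked": {"active": False},
}


def extract_bearer_token(headers):
    """Return the token from an 'Authorization: Bearer <token>' header, or None."""
    value = headers.get("Authorization") or headers.get("authorization")
    if not value:
        return None
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    return token.strip()


def lookup_token(token):
    """Database-lookup style verification. Returns an RFC 7662-shaped dict so
    the caller treats both verification paths identically."""
    row = TOKENS.get(token)
    if row is None or row["exp"] <= time.time():
        return {"active": False}
    return {"active": True, "sub": row["sub"], "scope": row["scope"], "exp": row["exp"]}


def parse_introspection_response(body):
    """Accept an introspection response only if 'active' is literally true;
    an inactive token carries no claims that may be relied on."""
    if not isinstance(body, dict) or body.get("active") is not True:
        return {"active": False}
    return body


def introspect(token):
    """Introspection-style verification over the constructed responses."""
    return parse_introspection_response(INTROSPECTION_RESPONSES.get(token, {"active": False}))


def has_scope(claims, required_scope):
    """Scopes are service-defined strings; compare whole tokens, never substrings,
    so 'photos:read' does not match a token granted only 'photos:readwrite'."""
    granted = set(claims.get("scope", "").split())
    return required_scope in granted


def authorize_request(headers, required_scope, verify=lookup_token):
    """Decide whether the resource server should process a request.

    Returns (status, subject): 401 when no valid token is presented,
    403 when the token is valid but lacks the required scope, 200 otherwise.
    'verify' is whichever verification path the deployment uses."""
    token = extract_bearer_token(headers)
    if token is None:
        return 401, None
    claims = verify(token)
    if not claims.get("active"):
        return 401, None
    if not has_scope(claims, required_scope):
        return 403, claims.get("sub")
    return 200, claims.get("sub")


if __name__ == "__main__":
    print(authorize_request({"Authorization": "Bearer tok_full"}, "photos:write"))
    print(authorize_request({"Authorization": "Bearer tok_read_only"}, "photos:write", verify=introspect))
```

The distinction between 401 and 403 matters in practice: a missing, expired or revoked token means the client has not authenticated at all, while a valid token without the needed scope means the user never consented to that action, and the resource server must deny it rather than fall back to some default.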