OAuth 2.0 framework

-

OAuth Authorization Server and an OAuth Resource Server

What is OAuth?

OAuth is an open standard for access delegation, commonly used as a way for Internet users to grant websites or applications access to their information on other websites but without giving them the passwords.

OAuth 2.0 - OAuth 2.0 is not backwards compatible with OAuth 1.0. OAuth 2.0 provides specific authorization flows for web applications, desktop applications, mobile phones, and smart devices. The specification and associated RFCs are developed by the IETF OAuth WG the main framework was published in October 2012.

There are four types of roles in OAuth,
  1. Client
  2. Resource Owner(User)
  3. Resource Server
  4. Authentication Server
The OAuth 2.0 framework specifies several grant types for different use cases, as well as a framework for creating new grant types.
  1. Authorization Code Grant Type - The Authorization Code grant type is used by confidential and public clients to exchange an authorization code for an access token.
  2. Implicit grant type - The Implicit grant type is a simplified flow that can be used by public clients, where the access token is returned immediately without an extra authorization code exchange step.
  3. Password grant type - The Password grant type is used by first-party clients to exchange a user's credentials for an access token.
  4. Refresh Token grant type - The Refresh Token grant type is used by clients to exchange a refresh token for an access token when the access token has expired.

In this blog post, we are going present how to do some actions with OAuth 2.0 token

This implementation contains,
  • Send a request to the OAuth authorization server website for obtaining the access token.
  • Once the OAuth access token is received, invoke the resource server APIs and obtain the protected resources or perform the particular action.
For an example we are going to develop a web application to upload files to google drive.

Let's see this source code....

This has implement using Angular CLI

  • Here is the code to redirect to Google sign in page and get a access token

We can get a access token by using above code. In this scenario, we have get the token and save it in a cookie.

Here we have to add extra scope to get access to Google Drive.

Scope URL - https://www.googleapis.com/auth/drive.file

After add the scope in the code we have to add the same scope URL in the Credential as well.



We have to click Add scope button and enter above mention URL and submit it.

  • Here is the code to upload a file to Google Drive.



By click Upload button user can upload a file to Google Drive. In upload.component.ts get the uploaded file and set as a Blob file. And also we can set a filename, mimeType at Google Drive. Before upload a file into Drive we have to create a folder manually and set the folder id in parents field. Then we have to set the authorization header. For authorization header we have to pass the access token that we have previously receive. 

POST : https://www.googleapis.com/upload/drive/v3/files?uploadType=multipart


Here is the link to clone source code through the GitHub












Comments

Post a Comment

Popular posts from this blog

CSRF Token-Synchronizer Token Patterns

-
Image
Cross-site Request Forgery Protection in web applications via Synchronizer Token Patterns What is Cross-site Request Forgery Protection(CSRF)? This is a kind of attack and type of a malicious exploit of a website. We also name this attack as the one-click attack or session riding. This forces an end user to execute unwanted actions on a web application in which they're currently authenticated. This attack is mainly focusing on state-changing request, not theft data. As an example, if the user 'A' wants to transfer the 200$ to the bank 'B'.He needs to send a request to the bank 'B' and bank will send the response by authenticating user 'A'.There is an attacker he/she needs to fraud this money form user 'A'.what the attacker can do is he will create a malicious web link and send it to the user by forcing to click that link . while the user clicks the link for the transferring purpose but the thing is attacker was transferring the mon...
Read more

CSRF token - Double Submit Cookies Pattern

-
Image
Cross-site Request Forgery Protection in web applications via  Double Submit Cookies Pattern What is Cross-site Request Forgery Protection(CSRF)? This is a kind of attack and type of a malicious exploit of a website. We also name this attack as the one-click attack or session riding. This forces an end user to execute unwanted actions on a web application in which they're currently authenticated. This attack is mainly focusing on state-changing request, not theft data. As an example, if the user 'A' wants to transfer the 200$ to the bank 'B'.He needs to send a request to the bank 'B' and bank will send the response by authenticating user 'A'.There is an attacker he/she needs to fraud this money form user 'A'.what the attacker can do is he will create a malicious web link and send it to the user by forcing to click that link . while the user clicks the link for the transferring purpose but the thing is attacker was transferring th...
Read more

Cloud Computing

-
Image
Cloud Computing What is Cloud Computing In the simplest terms, cloud computing means storing and accessing data and programs over the Internet instead of your computer's hard drive. The cloud is just a metaphor for the Internet. It goes back to the days of flowcharts and presentations that would represent the gigantic server-farm infrastructure of the Internet as nothing but a puffy, white cumulus cloud, accepting connections and doling out information as it floats. Usage of Cloud Computing 1. Infrastructure as a service (IaaS) and platform as a service (PaaS)   When it comes to IaaS, using an existing infrastructure on a pay-per-use scheme seems to be an obvious choice for companies saving on the cost of investing to acquire, manage and maintain an IT infrastructure. There are also instances where organizations turn to PaaS for the same reasons while also seeking to increase the speed of development on a ready-to-use platform to deploy applications. 2. Priva...
Read more