</div>
<div id="container"><div id="contents"><div class="content">
-
-<h2 id="intro" name="intro">OAuth 2.0 Authentication</h2>
- <p>The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service,either on behalf of a resource owner by orchestrating <br/>an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf.</p>
- <p>This specification is define in <a href="http://tools.ietf.org/html/rfc6749" target="_blank">[RFC 6749]</a> and it builds on the OAuth 1.0 <a href="http://tools.ietf.org/html/rfc5849" target="_blank">[RFC 5849]</a> deployment experience, as well as additional use cases and extensibility <br/>requirements gathered from the wider IETF community. The OAuth 2.0 protocol is not backward compatible with OAuth 1.0.</p>
-
-<h2 id="grant" name="grant">Authorization Grant</h2>
- <p>An authorization grant is a credential representing the resource owner's authorization (to access its protected resources) used by the client to obtain an access token. <br/>This specification defines four grant types -- authorization code, implicit, resource owner password credentials, and client credentials -- as well as <br/>an extensibility mechanism for defining additional types.</p>
-
- <h3 id="code" name="code">Authorization Code</h3>
- <p>The authorization code is obtained by using an authorization server as an intermediary between the client and resource owner. Instead of requesting authorization directly <br/>from the resource owner, the client directs the resource owner to an authorization server, which in turn directs the resource owner back to the <br/>client with the authorization code.</p>
- <p>The authorization code provides a few important security benefits, such as the ability to authenticate the client, as well as the transmission of the access token directly to the <br/>client without passing it through the resource owner's user-agent and potentially exposing it to others, including the resource owner.</p>
+<h1 id="intro" name="intro">OAuth 2.0 Authentication</h1>
+ <p>The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service,either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf.</p>
+ <p style="text-align:center;"><img alt="Protocol Flow" src="../../images/protocol_flow.png" /></p>
+ <p class="figure">Figure: Protocol Flow</p>
+ <p>This specification is define in <a href="http://tools.ietf.org/html/rfc6749" target="_blank">[RFC 6749]</a> and it builds on the OAuth 1.0 <a href="http://tools.ietf.org/html/rfc5849" target="_blank">[RFC 5849]</a> deployment experience, as well as additional use cases and extensibility requirements gathered from the wider IETF community. The OAuth 2.0 protocol is not backward compatible with OAuth 1.0.</p>
+
+<h2 id="grant" name="grant">Authorization Grant</h2>
+ <p>An authorization grant is a credential representing the resource owner's authorization (to access its protected resources) used by the client to obtain an access token. This specification defines four grant types -- authorization code, implicit, resource owner password credentials, and client credentials -- as well as an extensibility mechanism for defining additional types.</p>
- <p>To request the authorization code, use the API as shown in <a href="../../../../org.tizen.tutorials/html/native/oauth2/oauth2_tutorials_n.htm#req_code">Requesting Authorization Code</a>.</p>
+ <h3 id="code" name="code">Authorization Code</h3>
+ <p>The authorization code is obtained by using an authorization server as an intermediary between the client and resource owner. Instead of requesting authorization directly from the resource owner, the client directs the resource owner to an authorization server, which in turn directs the resource owner back to the client with the authorization code.</p>
+ <p>The authorization code provides a few important security benefits, such as the ability to authenticate the client, as well as the transmission of the access token directly to the client without passing it through the resource owner's user-agent and potentially exposing it to others, including the resource owner.</p>
+ <p style="text-align:center;"><img alt="Authorization Code Flow" src="../../images/auth_code.png" /></p>
+ <p class="figure">Figure: Authorization Code Flow</p>
+ <p>To request the authorization code, use the API as shown in <a href="../../../../org.tizen.tutorials/html/native/oauth2/oauth2_tutorials_n.htm#req_code">Requesting Authorization Code</a>.</p>
<h3 id="imp" name="imp">Implicit</h3>
- <p>In the implicit flow, the client is issued an access token directly (as the result of the resource owner authorization). The grant type is implicit, as no intermediate <br/>credentials (such as an authorization code) are issued.</p>
-
- <p>Implicit grants improve the responsiveness and efficiency of some clients (such as a client implemented as an in-browser application), since it reduces the number of <br/>round trips required to obtain an access token.</p>
+ <p>In the implicit flow, the client is issued an access token directly (as the result of the resource owner authorization). The grant type is implicit, as no intermediate credentials (such as an authorization code) are issued.</p>
+ <p>Implicit grants improve the responsiveness and efficiency of some clients (such as a client implemented as an in-browser application), since it reduces the number of round trips required to obtain an access token.</p>
+ <p style="text-align:center;"><img alt="Implicit Grant Flow" src="../../images/implicit.png" /></p>
+ <p class="figure">Figure: Implicit Grant Flow</p>
+ <p>To request the access token for implicit grant type, use the API as shown in <a href="../../../../org.tizen.tutorials/html/native/oauth2/oauth2_tutorials_n.htm#direct_token">Requesting access token directly</a>.</p>
- <p>To request the access token for implicit grant type, use the API as shown in <a href="../../../../org.tizen.tutorials/html/native/oauth2/oauth2_tutorials_n.htm#direct_token">Requesting access token directly</a>.</p>
-
<h3 id="res_owner" name="res_owner">Resource Owner Password Credentials</h3>
<p>The resource owner password credentials (i.e., username and password) can be used directly as an authorization grant to obtain an access token.</p>
+ <p>Even though this grant type requires direct client access to the resource owner credentials, the resource owner credentials are used for a single request and are exchanged for an access token. This grant type can eliminate the need for the client to store the resource owner credentials for future use, by exchanging the credentials with a long-lived access token or refresh token.</p>
+ <p style="text-align:center;"><img alt="Resource Owner Password Credentials Flow" src="../../images/password.png" /></p>
+ <p class="figure">Figure: Resource Owner Password Credentials Flow</p>
+ <p>To request the access token for resource owner grant type, use the API as shown in <a href="../../../../org.tizen.tutorials/html/native/oauth2/oauth2_tutorials_n.htm#direct_token">Requesting access token directly</a>.</p>
- <p>Even though this grant type requires direct client access to the resource owner credentials, the resource owner credentials are used for a single request and are exchanged <br/>for an access token. This grant type can eliminate the need for the client to store the resource owner credentials for future use, by exchanging the credentials with a <br/>long-lived access token or refresh token.</p>
-
- <p>To request the access token for resource owner grant type, use the API as shown in <a href="../../../../org.tizen.tutorials/html/native/oauth2/oauth2_tutorials_n.htm#direct_token">Requesting access token directly</a>.</p>
-
<h3 id="client_cred" name="client_cred">Client Credentials</h3>
- <p>The client credentials can be used as an authorization grant when the authorization scope is limited to the protected resources under the control of the client, or to protected <br/>resources previously arranged with the authorization server. Client credentials are used as an authorization grant typically when the client is acting on its own behalf (the <br/>client is also the resource owner) or is requesting access to protected resources based on an authorization previously arranged with the authorization server.</p>
+ <p>The client credentials can be used as an authorization grant when the authorization scope is limited to the protected resources under the control of the client, or to protected resources previously arranged with the authorization server. Client credentials are used as an authorization grant typically when the client is acting on its own behalf (the client is also the resource owner) or is requesting access to protected resources based on an authorization previously arranged with the authorization server.</p>
+ <p style="text-align:center;"><img alt="Client Credentials Flow" src="../../images/client_credentials.png" /></p>
+ <p class="figure">Figure: Client Credentials Flow</p>
+ <p>To request the access token for client credentials grant type, use the API as shown in <a href="../../../../org.tizen.tutorials/html/native/oauth2/oauth2_tutorials_n.htm#direct_token">Requesting access token directly</a>.</p>
- <p>To request the access token for client credentials grant type, use the API as shown in <a href="../../../../org.tizen.tutorials/html/native/oauth2/oauth2_tutorials_n.htm#direct_token">Requesting access token directly</a>.</p>
-
- <script type="text/javascript" src="../../scripts/jquery.zclip.min.js"></script>
+<script type="text/javascript" src="../../scripts/jquery.zclip.min.js"></script>
<script type="text/javascript" src="../../scripts/showhide.js"></script>
</div></div></div>
projects / sdk / online-doc.git / commitdiff
