DRAG DROP
If the client requests authorization from the resource owner, what are the remaining sequence of steps to authenticate a user using OAuth control?
Select and Place:
It is not correct.
It should be:
The client receives an authorization grant, which is a credential representing the resource owner’s authorization to access its protected resources. It is used by the client to obtain an access token. Access tokens are credentials that are used to access protected resources. An access token is a string representing an authorization issued to the client. The string is usually opaque to the client. Tokens represent specific scopes and durations of access, granted by the resource owner, and enforced by the resource server and authorization server.
The client requests an access token by authenticating with the authorization server and presenting the authorization grant.
The authorization server authenticates the client and validates the authorization grant, and if valid, issues an access token.
The client requests the protected resource from the resource server and authenticates by presenting the access token.
The resource server validates the access token, and if valid, serves the request.
3, 1, 5, 2, 4
ISM v4 page 710.
The illustration shows the steps involved in OAuth process as described in Request for Comments (RFC) 6749 published by Internet Engineering Task Force (IETF):
1. The client requests authorization from the resource owner. The authorization request can be made directly to the resource owner, or indirectly through the authorization server.
2. The client receives an authorization grant, which is a credential representing the resource owner’s authorization to access its protected resources. It is used by the client to obtain an access token. Access tokens are credentials that are used to access protected resources. An access token is a string representing an authorization issued to the client. The string is usually opaque to the client. Tokens represent specific scopes and durations of access, granted by the resource owner, and enforced by the resource server and authorization server.
3. The client requests an access token by authenticating with the authorization server and presenting the authorization grant.
4. The authorization server authenticates the client and validates the authorization grant, and if valid, issues an access token.
5. The client requests the protected resource from the resource server and authenticates by presenting the access token.
6. The resource server validates the access token, and if valid, serves the request.
Correct answer is: 2, 4, 1, 5, 3
1. Client receives an authorization grant used by the client to obtain an access token
2. Client requests an access token by authenticating with the authorization server and presenting the authorization grant.
3. Authorization server authenticates the client and validates the authorization grant.
4. Client requests the protected resource from the resource server and authenticates by presenting the access token.
5. Resource server validates the access token, and if valid, serves the request.
order based on 3, 1, 5, 2, 4
1. The client requests an access token by authenticating with the authorization server and presenting the authorization grant.
2. The client requests the protected resource from the resource server and authenticates by presenting the access token.
3. The client receives an authorization grant, which is a credential representing the resource owner's authorization, expressed using one of four grant types defined in this specification or using an extension grant type. The authorization grant type depends on the method used by the client to request authorization and the types supported by the authorization server.
4. The resource server validates the access token, and if valid, serves the request.
5. The authorization server authenticates the client and validates the authorization grant, and if valid, issues an access token.
https://tools.ietf.org/html/rfc6749
A = Q (included in the question)
B = 3
C = 1
D = 5
E = 2
F = 4
answer: 3, 1, 5, 2, 4
(A) The client requests authorization from the resource owner. The authorization request can be made directly to the resource owner (as shown), or preferably indirectly via the authorization server as an intermediary.
(B) The client receives an authorization grant, which is a credential representing the resource owner's authorization, expressed using one of four grant types defined in this specification or using an extension grant type. The authorization grant type depends on the method used by the client to request authorization and the types supported by the authorization server.
(C) The client requests an access token by authenticating with the authorization server and presenting the authorization grant.
(D) The authorization server authenticates the client and validates the authorization grant, and if valid, issues an access token.
(E) The client requests the protected resource from the resource server and authenticates by presenting the access token.
(F) The resource server validates the access token, and if valid, serves the request.
1. Client receives an authorization grant used by the client to obtain an access token
2. Client requests an access token by authenticating with the authorization server and presenting the authorization grant.
3. Authorization server authenticates the client and validates the authorization grant.
4. Client requests the protected resource from the resource server and authenticates by presenting the access token.
5. Resource server validates the access token, and if valid, serves the request.
R. 3, 1, 5, 2, 4