Mastering OAuth 2.0: Create powerful applications to interact with popular service providers such as Facebook, Google, Twitter, and more by leveraging the OAuth 2.0 Authorization Framework

Product type Paperback
Published in Dec 2015
Publisher Packt
ISBN-13 9781784395407
Length 238 pages
Edition 1st Edition

Table of Contents (22 chapters)

Mastering OAuth 2.0
Credits
About the Author
About the Reviewers
www.PacktPub.com
Preface
1. Why Should I Care About OAuth 2.0?
2. A Bird's Eye View of OAuth 2.0
3. Four Easy Steps
4. Register Your Application
5. Get an Access Token with the Client-Side Flow
6. Get an Access Token with the Server-Side Flow
7. Use Your Access Token
8. Refresh Your Access Token
9. Security Considerations
10. What About Mobile?
11. Tooling and Troubleshooting
12. Extensions to OAuth 2.0
Resource Owner Password Credentials Grant
Client Credentials Grant
Reference Specifications
Index

Index

A

  • access token
    • about / An untrusted client – GoodApp requests access for user's Facebook friends using implicit grant, Refresher on access tokens
    • versus bearer token / An untrusted client – GoodApp requests access for user's Facebook friends using implicit grant
    • obtaining / Step 2 – Get your access token
    • defining / A closer look at access tokens, An access token is an access token
    • scope / Scope
    • access duration / Duration of access
    • token revocation / Token revocation
    • using / Step 3 – Use your access token
    • refreshing / Step 4 – Refresh your access token
    • used, for creating API call / Use your access token to make an API call
    • authorization request header field, defining / The authorization request header field
    • form-encoded body parameter, using / The form-encoded body parameter
    • URI query parameter, using / The URI query parameter
  • access token request
    • about / Access token request
    • according, to specification / According to the specification
    • in application / In our application
    • making / Make the access token request
    • defining / Access token request
  • access token response
    • defining / Access token response, Access token response
    • success / Success, Success, Success
    • parameters / Success, Access token response
    • error / Error, Error, Error
    • handling / Handle the access token response, Handle the access token response
    • properties / Access token response
    • about / Access token response, The access token response
  • Apache Maven
    • defining / Build the base application
    • URL / Install Apache Maven, Install Apache Maven
    • installing / Install Apache Maven
  • API call
    • creating, access token used / Use your access token to make an API call
  • API call flow
    • about / The API call flow
    • authorization request header field / The authorization request header field
    • authorization request header field, troubleshooting / Common issues
    • common issues, with authorization request header field / Common issues
    • form-encoded body parameter / The form-encoded body parameter
    • form-encoded body parameter, troubleshooting / Common issues
    • common issues, with form-encoded body parameter / Common issues
    • URI query parameter, using / The URI query parameter
  • application
    • registering, with Facebook / Registering your application with Facebook
    • creating / Creating your application
    • redirection endpoint, setting / Setting your redirection endpoint
    • service providers authorization, finding / Find your service provider's authorization and token endpoints
    • token endpoints, finding / Find your service provider's authorization and token endpoints
  • auth endpoint
    • URL / Putting it all together!
  • authentication
    • versus authorization / Authentication versus authorization
    • about / Authentication
  • authorization
    • versus authentication / Authentication versus authorization
    • about / Authorization
    • performing, via mobile application / Authorization via application instead of user-agent
  • authorization code
    • about / A trusted client – GoodApp requests access for user's Facebook friends using authorization code grant
  • authorization code grant flow
    • about / Refresher on the authorization code grant flow, A closer look at the authorization code grant flow, The authorization code grant flow
    • authorization request / Authorization request, The authorization request
    • authorization response / Authorization response
    • access token request / Access token request, The access token request
    • access token response / Access token response
    • authorization request, troubleshooting / Common issues
    • common issues, with authorization request / Common issues
    • access token request, troubleshooting / Common issues
    • common issues, with access token request / Common issues
  • authorization endpoint
    • URL / Different service providers, different registration process, same OAuth 2.0 protocol
  • authorization request
    • defining / Authorization request
    • defining, according to specification / According to the specification
    • parameters / According to the specification
    • defining, in application / In our application
    • creating / Make the authorization request
    • example / Authorization request
    • about / Authorization request
    • according, to specification / According to the specification
    • in application / In our application
    • making / Make the authorization request
  • authorization request and response
    • defining / Authorization request and response
  • authorization response
    • about / Authorization response
    • success / Success
    • error / Error
    • handling / Handle the authorization response
  • auth process
    • pros / Comparison between the two methods
    • cons / Comparison between the two methods

B

  • base application
    • building / Build the base application, Build the base application
    • Apache Maven, installing / Install Apache Maven
    • project, creating / Create the project, Create the project
    • base project, configuring / Configure base project to fit our application
    • hosts file, modifying / Modify the hosts file, Modify the hosts file
    • running / Running it for the first time, Running it for the first time
  • base project
    • configuring / Configure the base project to fit our application
  • bearer token
    • versus access token / An untrusted client – GoodApp requests access for user's Facebook friends using implicit grant
  • best practices, security
    • TLS, using / Use TLS!
    • minimal scopes, requesting / Request minimal scopes
    • implicit grant flow, using / When using the implicit grant flow, request read-only permissions
    • read-only permissions, requesting / When using the implicit grant flow, request read-only permissions
    • credentials and tokens, maintaining out of reach of users / Keep credentials and tokens out of reach of users
    • authorization code grant flow, using / Use the authorization code grant flow whenever possible
    • refresh token, using / Use the refresh token whenever possible
    • native browsers, using instead of embedded browsers / Use native browsers instead of embedded browsers
    • third-party scripts, avoiding in redirection endpoint / Do not use third-party scripts in the redirection endpoint
    • client credentials, rotating / Rotate your client credentials

C

  • client-side application
    • API call, creating / In our client-side application
    • URI query parameter, using / Send via the URI query parameter
    • form-encoded body parameter, using / Send via the form-encoded body parameter
    • GitHub, URL / Send via the form-encoded body parameter
  • client-side flow
    • defining / First look at the client-side flow
    • untrusted client / An untrusted client – GoodApp requests access for user's Facebook friends using implicit grant
    • implicit grant type, using / The big picture
  • client application
    • registering / Step 1 – Register your client application
    • different service providers / Different service providers, different registration process, same OAuth 2.0 protocol
    • different registration process / Different service providers, different registration process, same OAuth 2.0 protocol
    • same OAuth 2.0 protocol / Different service providers, different registration process, same OAuth 2.0 protocol
    • client credentials / Your client credentials
  • client credentials
    • about / Your client credentials
  • client credentials grant
    • using / When should you use it?
    • reference / Reference pages
    • defining / Overview of the client credentials grant
  • common attacks
    • about / Common attacks
    • Cross-site request forgery (CSRF) / Cross-site request forgery (CSRF)
    • phishing / Phishing
    • redirection URI manipulation / Redirection URI manipulation
    • client and user impersonation / Client and user impersonation
  • Cross-site request forgery (CSRF)
    • about / Cross-site request forgery (CSRF)
    • state param used, for combating / Use the state param to combat CSRF
  • cURL
    • about / Tools
  • custom grant types
    • about / Custom grant types
    • authorization code grant / Custom grant types
    • implicit grant / Custom grant types

D

  • delegated authority / What problems does it solve?, Delegated authority

E

  • embedded browser
    • versus native browser / Use native browsers instead of embedded browsers
  • error, access token response
    • parameters / Error
  • error response
    • parameters / Error response
    • defining / Error response
    • properties / Error response
  • expired refresh token
    • defining / Refresh tokens expire too, What if I have no refresh token? Or my refresh token has expired?
  • extensions, OAuth 2.0 framework
    • custom grant types / Custom grant types
    • token types / A variety of token types
    • authorization backend / Any authorization backend

F

  • Facebook
    • references / Find your service provider's authorization and token endpoints
  • Facebook App Settings page
    • reference link / Make the authorization request
  • Facebook Developers page
    • URL / Registering your application with Facebook
  • Facebook Graph API
    • about / Let's build it!
    • URL / Let's build it!
  • federated identity / What problems does it solve?, Federated identity

G

  • GoodApp
    • working / How does it work?
    • user consent / User consent
    • workflows, defining for clients / Two main flows for two main types of client
    • trusted, versus untrusted clients / Trusted versus untrusted clients
  • GoodApp application
    • defining / Let's get started

H

  • hybrid architecture
    • about / Hybrid architectures
    • implicit grant flow, for mobile app / Implicit for mobile app, authorization code grant for backend server
    • authorization code grant, for backend server / Implicit for mobile app, authorization code grant for backend server
    • benefit / What is the benefit of this?

I

  • implicit grant flow
    • defining / Refresher on the implicit grant flow, A closer look at the implicit grant flow
    • authorization request / Authorization request, The authorization request
    • access token response / Access token response
    • about / The implicit grant flow
    • common issues, with authorization request / Common issues
    • authorization request, troubleshooting / Common issues
  • implicit grant type
    • using / When should this be used?
  • infographic
    • creating / Creating the world's most interesting infographic
    • URL / Creating the world's most interesting infographic
  • installation, Apache Maven / Install Apache Maven

J

  • jQuery library
    • URL / Do not use third-party scripts in the redirection endpoint
  • JSON Web Tokens (JWTs)
    • about / JSON Web Token (JWT)

M

  • mobile
    • defining / Trusted versus untrusted clients, What about mobile?, What is a redirection endpoint?
  • mobile application
    • about / What is a mobile application?
    • flow type, deciding / What flow should we use for mobile applications?
    • considerations / Are mobile applications trusted or untrusted?
    • with secure storage APIs, on mobile platforms / What about mobile applications built on top of mobile platforms with secure storage APIs?
    • security considerations / Not quite enough
    • authorization, performing via / Authorization via application instead of user-agent

N

  • native browser
    • versus embedded browser / Use native browsers instead of embedded browsers

O

  • OAuth 2.0
    • using / What problems does it solve?, Who uses OAuth 2.0?
    • federated identity / Federated identity
    • delegated authority / Delegated authority
    • examples, defining / Real-life examples of OAuth 2.0 in action
    • used, for solving problem / How does OAuth 2.0 actually solve the problem?
    • authorization framework / Two main flows for two main types of client, Trusted versus untrusted clients
    • trusted / Trusted versus untrusted clients
    • untrusted / Trusted versus untrusted clients
    • defining / Let's get started
  • OAuth 2.0 framework
    • extensions / Extensions to the OAuth 2.0 framework
  • OAuth 2.0 protocol
    • reference specifications / Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants, OpenID Connect Core 1.0
  • OpenID Connect
    • about / OpenID Connect
    • using / OpenID Connect
    • URL / OpenID Connect

P

  • perpetual tokens
    • about / Duration of access
  • phishing / Phishing
  • problem solving
    • without OAuth 2.0 / Without OAuth 2.0 – GoodApp wants to suggest contacts by looking at your Facebook friends
    • with OAuth 2.0 / With OAuth 2.0 – GoodApp wants to suggest contacts by looking at your Facebook friends
  • project object model (POM)
    • about / Build the base application

R

  • redirection endpoint
    • URL / Different service providers, different registration process, same OAuth 2.0 protocol, Make the authorization request
    • defining / What is a redirection endpoint?
    • references / What is a redirection endpoint?, Putting it all together!
  • reference pages
    • defining / Reference pages, Reference pages
    • implicit grant flow / Overview of the implicit grant flow
    • access token response / Access token response, Access token response
    • error response / Error response, Error response
    • refresh token flow / An overview of the refresh token flow
    • refresh request / The refresh request
  • refresh request
    • about / The refresh request
    • specification, defining / According to the specification
    • parameters / The refresh request
  • refresh token
    • defining / Sometimes a refresh token
    • about / Sometimes a refresh token
    • incapability / What if I don't have a refresh token?
  • refresh token flow
    • defining / A closer look at the refresh token flow
    • refresh request / The refresh request
    • access token response / The access token response
    • versus auth process / Comparison between the two methods
    • pros / Comparison between the two methods
    • cons / Comparison between the two methods
    • about / The refresh token flow
    • troubleshooting / Common issues
    • common issues / Common issues
  • registration process
    • defining / Recap of registration process
  • resource owner password credentials grant
    • usage / When should you use it?
    • reference / Reference pages
    • overview / An overview of the resource owner password credentials grant
    • authorization request / Authorization request and response
    • authorization response / Authorization request and response
    • access token request, defining / Access token request
    • access token response, defining / Access token response
    • error response / Error response

S

  • sample application
    • building / Let's build it!
  • scope and duration of access
    • about / A closer look at access tokens
  • security
    • defining / What's at stake?
    • best practices / Security best practices
  • Security Assertion Markup Language (SAML) 2.0
    • about / Security Assertion Markup Language (SAML) 2.0 Profile for OAuth 2.0 Client Authentication and Authorization Grants
  • server-side application
    • API call, creating / In our server-side application
    • URI query parameter, using / Send via the URI query parameter
    • HTTP authorization header, using / Send via the HTTP authorization header
    • GitHub, URL / Send via the HTTP authorization header
  • server-side flow
    • defining / First look at the server-side flow
    • trusted client / A trusted client – GoodApp requests access for user's Facebook friends using authorization code grant
    • workflow, defining / The big picture
    • using / When should this be used?
  • server-side workflow
    • and client-side workflow, comparing / What are the differences?
  • SSO (Single Sign On)
    • about / Make the authorization request

T

  • token endpoint
    • URL / Different service providers, different registration process, same OAuth 2.0 protocol, Putting it all together!
  • token revocation
    • about / Token revocation
  • token types
    • about / A variety of token types
    • JSON Web Tokens (JWT) / A variety of token types
    • SAML assertions / A variety of token types
  • tools
    • using / Tools
  • troubleshooting
    • about / Troubleshooting
    • implicit grant flow / The implicit grant flow
    • authorization code grant flow / The authorization code grant flow
    • API call flow / The API call flow
    • refresh token flow / The refresh token flow
  • trust
    • about / Two main flows for two main types of client
  • trusted client
    • about / Trusted versus untrusted clients
    • advantages / Pros
    • disadvantages / Cons

U

  • untrusted client
    • about / Trusted versus untrusted clients, Pros and cons of being an untrusted client
    • advantages / Pros
    • disadvantages / Cons
  • user consent
    • about / How does it work?, User consent

W

  • WMIIG
    • URL / Running it for the first time
  • WMIIG (World's Most Interesting Infographic Generator)
    • about / Refresher on the implicit grant flow, Refresher on the authorization code grant flow
  • workflow
    • defining / The ideal workflow
  • World's Most Interesting Infographic Generator
    • about / Introducing "The World's Most Interesting Infographic Generator"
    • URL / Introducing "The World's Most Interesting Infographic Generator"