Posts tagged 'oauth'

  • What happens to the tokens after an OAuth Authorization Code grant?

    At the end of the OAuth Authorization Code grant, after the user has authenticated at the authorization server, an authorization code is returned to the client's redirect URI. The client then exchanges that code at the token endpoint for one or more tokens.

    These tokens include an access token, an optional refresh token, and an optional id token (issued when OpenID Connect is in play). The access token is what the client presents to APIs and other protected resources. The refresh token lets the client mint new access tokens without sending the user back through login, and the id token tells the client who the authenticated user is, typically so it can display information about them.

    READ MORE
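The exchange and the token routing described above, as an added example that is not code from the original post or from FusionAuth. It runs fully offline against a mock token endpoint written here for illustration: the issuer, client id, redirect URI, HS256 signing key and fixed clock are all constructed values, and real servers sign id tokens with asymmetric keys published at their JWKS endpoint rather than a shared HMAC key. The mock enforces what a real token endpoint would: the code is single use, the redirect URI and PKCE verifier must match, and refresh tokens are rotated on every use.

```python
import base64, hashlib, hmac, json, secrets
from urllib.parse import parse_qs, urlencode

# Constructed example values; none of these belong to a real deployment.
ISSUER = "https://auth.example.com"
CLIENT_ID = "web-app"
REDIRECT_URI = "https://app.example.com/callback"
SIGNING_KEY = b"demo-hs256-key"  # HS256 keeps this offline; real servers use RS256/ES256 with published keys
NOW = 1_700_000_000              # fixed clock so the exp checks are deterministic

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_jwt(claims: dict) -> str:
    head = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(SIGNING_KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url(sig)}"

class MockAuthorizationServer:
    """Just enough of a token endpoint to show what comes back for each grant type."""
    def __init__(self):
        self.codes = {}           # authorization code -> what the user consented to
        self.refresh_tokens = {}  # refresh token -> the same record

    def issue_code(self, sub, scope, code_challenge):
        code = b64url(secrets.token_bytes(16))
        self.codes[code] = {"sub": sub, "scope": scope, "client_id": CLIENT_ID,
                            "redirect_uri": REDIRECT_URI, "code_challenge": code_challenge}
        return code

    def token_endpoint(self, form: str) -> dict:
        p = {k: v[0] for k, v in parse_qs(form).items()}
        if p.get("grant_type") == "authorization_code":
            rec = self.codes.pop(p.get("code", ""), None)        # codes are single use
            if rec is None or rec["redirect_uri"] != p.get("redirect_uri") \
                    or rec["client_id"] != p.get("client_id"):
                return {"error": "invalid_grant"}
            challenge = b64url(hashlib.sha256(p.get("code_verifier", "").encode()).digest())
            if not hmac.compare_digest(challenge, rec["code_challenge"]):  # PKCE check
                return {"error": "invalid_grant"}
        elif p.get("grant_type") == "refresh_token":
            rec = self.refresh_tokens.pop(p.get("refresh_token", ""), None)  # rotate on use
            if rec is None:
                return {"error": "invalid_grant"}
        else:
            return {"error": "unsupported_grant_type"}
        new_refresh = b64url(secrets.token_bytes(24))
        self.refresh_tokens[new_refresh] = rec
        resp = {"token_type": "Bearer", "expires_in": 3600, "scope": rec["scope"],
                "access_token": make_jwt({"iss": ISSUER, "sub": rec["sub"], "aud": "api",
                                          "scope": rec["scope"], "exp": NOW + 3600}),
                "refresh_token": new_refresh}
        if "openid" in rec["scope"].split():                      # id token only for OIDC requests
            resp["id_token"] = make_jwt({"iss": ISSUER, "sub": rec["sub"], "aud": CLIENT_ID,
                                         "iat": NOW, "exp": NOW + 300})
        return resp

def verify_id_token(token: str) -> dict:
    """The client must check signature, issuer, audience and expiry before trusting the claims."""
    head, body, sig = token.split(".")
    expected = hmac.new(SIGNING_KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("id_token signature invalid")
    claims = json.loads(b64url_decode(body))
    if claims.get("iss") != ISSUER or claims.get("aud") != CLIENT_ID or claims.get("exp", 0) <= NOW:
        raise ValueError("id_token claims rejected")
    return claims

def route_tokens(resp: dict) -> dict:
    """Where each token goes: the access token to APIs (opaque to the client), the refresh
    token stays with the client, the id token is verified and consumed by the client alone."""
    if "error" in resp:
        raise ValueError(resp["error"])
    return {"api_authorization_header": f"{resp['token_type']} {resp['access_token']}",
            "refresh_token": resp.get("refresh_token"),
            "user": verify_id_token(resp["id_token"]) if "id_token" in resp else None}

def exchange_code(server, code, code_verifier) -> dict:
    form = urlencode({"grant_type": "authorization_code", "code": code, "redirect_uri": REDIRECT_URI,
                      "client_id": CLIENT_ID, "code_verifier": code_verifier})
    return route_tokens(server.token_endpoint(form))

def refresh_session(server, refresh_token) -> dict:
    form = urlencode({"grant_type": "refresh_token", "refresh_token": refresh_token, "client_id": CLIENT_ID})
    return route_tokens(server.token_endpoint(form))

def demo() -> dict:
    server = MockAuthorizationServer()
    verifier = b64url(secrets.token_bytes(32))                      # PKCE pair made before the redirect
    challenge = b64url(hashlib.sha256(verifier.encode()).digest())
    code = server.issue_code("user-42", "openid profile", challenge)  # what the callback URL carries
    session = exchange_code(server, code, verifier)
    outcome = {"session": session, "replay": "accepted", "reuse": "accepted"}
    try:
        exchange_code(server, code, verifier)                       # replaying the code must fail
    except ValueError as e:
        outcome["replay"] = str(e)
    outcome["renewed"] = refresh_session(server, session["refresh_token"])
    try:
        refresh_session(server, session["refresh_token"])           # the old refresh token was rotated away
    except ValueError as e:
        outcome["reuse"] = str(e)
    return outcome

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Note that the client never inspects the access token: it is a bearer credential for resource servers, which validate it themselves. Only the id token is parsed and verified client-side, and only after its signature, issuer, audience and expiry check out.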
  • Is the OAuth Device grant right for your game authentication needs?

    The OAuth device authorization grant is an extension of OAuth 2.0 for devices with limited input capability or no browser, such as game consoles and set-top boxes. Because OAuth is an authorization protocol, it lets a user grant an application or device access to their account at another service without handing over their credentials.

    READ MORE
  • Why is there no authentication in OAuth?

    OAuth, a standard for securely delegating authorization information, and OIDC, a profile written on top of it to securely transmit user profile data, both rely heavily on authentication of the user (also known as the ‘resource owner’) at the authorization server. The authorization server issues tokens only after the user has been authenticated to its satisfaction.

    However, there is next to no guidance about how to actually authenticate the user. Should I use a username and password? A magic link? Delegate to a third party? Require a TOTP code?

    This question came up in a discussion amongst the FusionAuth team and I thought it was worth digging into a bit more.

    Why exactly is ‘authentication’ undefined in OAuth/OIDC?

    READ MORE
  • How to Set Up Single Sign-On Between FusionAuth and WordPress

    User authentication is one of the most important parts of building any application, and almost every application features some sort of authentication. However, it quickly gets difficult to manage authentication when you have multiple related but independent applications to maintain.

    READ MORE
  • CurrentDesk saved thousands of dollars by choosing FusionAuth

    Brittany Roddy is a FusionAuth community member and lead software engineer and architect at CurrentDesk. She chatted with us over email about how she and her team are using FusionAuth to meet their auth needs.

    READ MORE
  • Why use a standardized auth protocol?

    Software applications regularly need to gain access to data from other services on behalf of their users. An application may need to grab a list of a user’s contacts from a third-party service, such as their Google contacts. Or it might need to access a user’s calendar so the application can create calendar entries for the user. Larger organizations often require employees to have passwordless access to all the applications and services needed to do their jobs.

    READ MORE
  • What's Wrong With the OAuth2 Implicit Grant?

    The Implicit grant is part of the OAuth 2.0 RFC, but it is one of the features omitted from the OAuth 2.1 specification. With this grant you don’t have to write server-side code: instead of exchanging an authorization code for an access token at the token endpoint, the client receives the access token directly in the fragment of the redirect back from the authorization server.

    READ MORE
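A small audit of what the two grants put on the wire, as an added example that is not code from the original post. It inspects authorization request URLs and the callback URLs they produce, flags `response_type=token` (the implicit grant) and an access token carried in the redirect, and also reports an authorization code request that lacks the PKCE `code_challenge` that OAuth 2.1 requires. The URLs, client ids, code and token values are constructed for the example; run it over a proxy log or HAR export to find where your own applications still rely on the implicit grant.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed sample URLs; no real client, token or authorization server is involved.
AUTHORIZATION_REQUESTS = {
    "implicit": "https://auth.example.com/oauth2/authorize?response_type=token&client_id=spa"
                "&redirect_uri=https%3A%2F%2Fapp.example.com%2Fcb&state=abc",
    "code_no_pkce": "https://auth.example.com/oauth2/authorize?response_type=code&client_id=web"
                    "&redirect_uri=https%3A%2F%2Fapp.example.com%2Fcb",
    "code_pkce": "https://auth.example.com/oauth2/authorize?response_type=code&client_id=web"
                 "&redirect_uri=https%3A%2F%2Fapp.example.com%2Fcb&state=abc"
                 "&code_challenge=constructed-s256-challenge-value&code_challenge_method=S256",
}
CALLBACKS = {
    "implicit": "https://app.example.com/cb#access_token=constructed-token-value"
                "&token_type=Bearer&expires_in=3600&state=abc",
    "code": "https://app.example.com/cb?code=constructed-code-value&state=abc",
    "token_in_query": "https://app.example.com/cb?access_token=constructed-token-value",
}

def audit_authorization_request(url: str) -> list:
    """Flags grant choices in the front-channel request that OAuth 2.1 removes or tightens."""
    q = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    response_types = set(q.get("response_type", "").split())
    findings = []
    if "token" in response_types:
        findings.append("implicit grant: the access token will come back in the redirect fragment, "
                        "with no client authentication and no refresh token")
    if "code" in response_types and "code_challenge" not in q:
        findings.append("authorization code request without PKCE code_challenge")
    # RFC 7636 defaults code_challenge_method to "plain", which exposes the verifier itself.
    if "code_challenge" in q and q.get("code_challenge_method", "plain") != "S256":
        findings.append("PKCE challenge method is not S256")
    if "state" not in q:
        findings.append("missing state parameter (no CSRF binding for the callback)")
    return findings

def audit_callback(url: str) -> list:
    """Flags how the authorization response delivers its result to the client."""
    parts = urlsplit(url)
    fragment, query = parse_qs(parts.fragment), parse_qs(parts.query)
    findings = []
    if "access_token" in fragment:
        findings.append("access token in the URL fragment: readable by any script on the page "
                        "and kept in browser history")
    if "access_token" in query:
        findings.append("access token in the query string: written to server, proxy and browser logs")
    if "code" in query and "state" not in query:
        findings.append("authorization code returned without state")
    return findings

def run_audit() -> dict:
    """Audits every constructed sample and returns the findings keyed by sample name."""
    report = {}
    for name, url in AUTHORIZATION_REQUESTS.items():
        report["request:" + name] = audit_authorization_request(url)
    for name, url in CALLBACKS.items():
        report["callback:" + name] = audit_callback(url)
    return report

if __name__ == "__main__":
    for name, findings in run_audit().items():
        print(name, "->", findings or ["ok"])
```

The code-plus-PKCE request and its callback are the only pair that comes back clean; everything the implicit grant does differently shows up as a finding on either the request or the redirect.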
  • GNAP, the next generation of OAuth

    The Grant Negotiation and Authorization Protocol, also known as GNAP, is currently being formulated in an IETF working group. This protocol will not be backward compatible with OAuth2. However, since it is a new major auth standard and is currently in development, you should give it some attention.

    READ MORE
  • How to securely implement OAuth in Ruby on Rails

    In this tutorial, we will walk through setting up a basic Ruby on Rails app to securely authenticate with an OAuth2 server using the authorization code grant.

    READ MORE
  • What's new in OAuth 2.1?

    Hey look! OAuth is getting spiffed up a bit. The original OAuth 2.0 specification was released in October 2012 as RFC 6749. It replaced OAuth 1.0, released in April 2010. There have been some extensions over the years. A new OAuth specification has been proposed and is currently under discussion. As of this blog post’s writing, the specification was most recently updated on March 8, 2020. If approved, OAuth 2.1 will obsolete certain parts of OAuth 2.0 and mandate additional security best practices. The rest of the OAuth 2.0 specification will be retained.

    READ MORE