View reading-notes on GitHub

Reading notes for class 7 of 401

Bearer Authorization

Write the following steps in the correct order:
  • Register your application to get a client_id and client_secret
  • Ask the client if they want to sign in via a third party
  • Make a request to a third-party API endpoint
  • Receive access token
  • Receive authorization code
  • Make a request to the access token endpoint
  • Redirect to a third party authentication endpoint
What can you do with an authorization code?

Used as an entry point or for a transaction which has restrictions

What can you do with an access token?

Allows an application to access an API

What’s a benefit of using OAuth instead of your own basic authentication?

OAuth is considered more secure. And more widely used

Vocab

Client ID

  • The Client ID (cid) is a unique identifier for a browser–device pair that helps Google Analytics link user actions on a site.

Client Secret

  • A client secret is a secret known only to your application and the authorization server. It protects your resources by only granting tokens to authorized requestors. Protect your client secrets and never include them in mobile or browser-based apps.

Authentication Endpoint

  • A security mechanism designed to ensure that only authorized devices can connect to a given network, site or service.

Access Token Endpoint

  • The token endpoint is where apps make a request to get an access token for a user. This section describes how to verify token requests and how to return the appropriate response and errors. Authorization Code. Password Grant. Client Credentials.

API Endpoint

  • An API endpoint is a point at which an API – the code that allows two software programs to communicate with each other – connects with the software program.

Authorization Code

  • An authorization code is an alphanumeric password that authorizes its user to purchase, sell or transfer items, or to enter information into a security-protected space.

Access Token

  • An access token is a tiny piece of code that contains a large amount of data. Information about the user, permissions, groups, and timeframes is embedded within one token that passes from a server to a user’s device.