oauth tutorial - OAuth User Agent - oauth2 tutorial - oauth authentication
What is User Agent in OAuth 2.0?
- A user agent application is a client application that runs inside the resource owner's user agent, written in a scripting language such as JavaScript and executing in a browser.
- The typical instance is a JavaScript application running in a browser.
- The user agent application's code may be stored on a web server, but the application only runs in the user agent once it has been downloaded there.
- The following diagram shows the architecture of the public client user agent application.
[Diagram: architecture of the public client user agent application]
Description of the example
- First, the user accesses the resource owner's resources through an authenticating application such as Google, Facebook or Twitter.
- Then the resource owner provides the client ID and client password to log on to the public client user agent application.
- Then the public client user agent application provides an instance of a JavaScript application running in a browser and links to the web hosting client.
- The authorization server grants access to the resources on the resource server using the client credentials.
- The resource server holds the resources, which are owned by the resource owner.
- The web hosting client is used by public client applications that reside on the user's computer.
- It is also used by public client apps running in a browser in a scripting language such as JavaScript.
- Because these public client apps are widely distributed, they cannot protect a client secret, so the client secret cannot be treated as confidential.
- The username-password authentication flow is used to authenticate against the resource server when the application already has the user's credentials.
[Diagram: user agent application with Salesforce]
- In this diagram, the application uses the user's credentials (username and password) to request an access token.
- This is done through an out-of-band POST request to the appropriate Salesforce token request endpoint.
- Salesforce verifies the user credentials and, if they are valid, sends a response to the application containing the access token.
- The application then uses the access token to access the protected user data it has been granted.
- The web server authentication flow and the user-agent flow provide a refresh token, which can be used to obtain a new access token.
- Access tokens have a limited lifetime, specified by the session timeout in Salesforce.
- If the application uses an expired access token, a “Session expired or invalid” error is returned.
- If the application is using the web server or user-agent authentication flow, a refresh token is provided during authorization and can be used to get a new access token.
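The username-password flow and the expired-session recovery described above, as an added Python example that is not code from the tutorial or from Salesforce. The HTTP transport is injected so the flow runs offline against constructed responses; the token endpoint URL is Salesforce's production login host, while the client id, credentials, instance URL, resource path and the fake transport's responses are constructed placeholders.

```python
import json
from itertools import count
from urllib.parse import parse_qs, urlencode

TOKEN_URL = "https://login.salesforce.com/services/oauth2/token"  # Salesforce production login host

def build_token_request(client_id, client_secret, username, password):
    # RFC 6749 section 4.3: grant_type=password and the credentials travel in the
    # form-encoded POST body, never in the query string (which ends up in logs and history).
    body = urlencode({"grant_type": "password", "client_id": client_id, "client_secret": client_secret,
                      "username": username, "password": password})
    return "POST", TOKEN_URL, {"Content-Type": "application/x-www-form-urlencoded"}, body

def parse_token_response(status, body):
    data = json.loads(body)
    if status != 200:  # token endpoint failures use the RFC 6749 error / error_description fields
        raise RuntimeError(f"{data.get('error')}: {data.get('error_description')}")
    return data["access_token"], data["instance_url"]

def session_expired(status, body):
    # Salesforce rejects an expired or invalid token with 401 and the message quoted in the text above
    return status == 401 and "Session expired or invalid" in body

def fetch_with_reauth(transport, creds, path):
    """GET a protected resource; if the session has expired, rerun the password flow once and retry.
    The password flow issues no refresh token, so recovery means re-sending the user's credentials."""
    token, instance = parse_token_response(*transport(*build_token_request(**creds)))
    status, body = transport("GET", instance + path, {"Authorization": "Bearer " + token}, None)
    if session_expired(status, body):
        token, instance = parse_token_response(*transport(*build_token_request(**creds)))
        status, body = transport("GET", instance + path, {"Authorization": "Bearer " + token}, None)
    return status, json.loads(body)

def make_fake_transport():
    """Constructed stand-in for the network: the first token it issues is treated as already expired."""
    issued = count(1)
    def transport(method, url, headers, body):
        if method == "POST" and url == TOKEN_URL:
            form = parse_qs(body)
            if form.get("grant_type") != ["password"] or form.get("password") != ["s3cret"]:
                return 400, json.dumps({"error": "invalid_grant", "error_description": "authentication failure"})
            return 200, json.dumps({"access_token": f"tok{next(issued)}",
                                    "instance_url": "https://example.my.salesforce.com"})  # constructed
        if headers.get("Authorization") != "Bearer tok2":
            return 401, json.dumps([{"message": "Session expired or invalid", "errorCode": "INVALID_SESSION_ID"}])
        return 200, json.dumps({"records": [{"Name": "Acme"}]})  # constructed resource payload
    return transport

CREDS = {"client_id": "example-client-id", "client_secret": "example-client-secret", "username": "user@example.com", "password": "s3cret"}  # placeholders
```

`fetch_with_reauth(make_fake_transport(), CREDS, "/resource")` walks the whole path: token issued, first call rejected as expired, credentials re-sent, second call succeeds.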