OAuth v2 communication between authentication and resource server

authorization web-services oauth oauth-2.0

Solution 1:

The reason this is out of scope for the specification is the wide range of ways to accomplish this connection between the two entities. The main question is how complex is your deployment.

For example, do you have one server managing authentication and access, and a set of discrete services each with its own servers serving the API calls? Or, do you have just one box with one web server which handles both authentication/authorization and the API calls?

In the case of a single box, not much is needed as the entity issuing tokens is the same as the one validating them. You can implement tokens to use a database table key and lookup the record in the database (or memory cache) on every request, or you can encode the scope, user id and other information directly into the token and encrypt it using a symmetric or asymmetric algorithm.

Things get a bit more complex when dealing with a distributed environment, but not by much. You still issue tokens at the authorization server, but the resource server needs a way to validate those. It can do it by making an internal API available to the resource server to ask the authorization server to "resolve" the token (which can be fast in a local environment), or the two can establish a public/private key pair or symmetric secret and use that to encrypt everything the resource server needs into the token.

Self contained tokens are longer but offer much better performance per-request. However, they come with a price - you can't really revoke them while they are still valid (not expired). For this reason, self contained tokens should be very short lived (whatever is acceptable to you to leave access open after it was revoked - e.g. many sites use one hour), with a refresh token good for a year or more to get new tokens.

Solution 2:

One example of resource- to authorization server API is the one at Google Developers Website.
It doesn't specify the format of the access token though, but the response seems pretty universally useful.

Related

Argument of type 'X' is not assignable to parameter of type 'X'
An easy way to get rid of *everything* generated by SBT?
How to detect code duplication during development? [closed]
How to update the bias in neural network backpropagation?
Nginx causes 301 redirect if there's no trailing slash
Display Eclipse tabs on several lines
Authorization approaches and design patterns for Node.js applications [closed]
What is the purpose of Angular animations?
Autowire reference beans into list by type
Execute Shell Script after post build in Jenkins
Encode / decode URLs
How I can get web page's content and save it into the string variable