Questions tagged [oauth-2.0]

OAuth (Open Authorization) is an open protocol framework to allow secure API authorization in a simple and standardized way for desktop, mobile and web applications. OAuth 2.0 is the second version of the OAuth protocol.

23805 questions
823 votes, 21 answers

Why Does OAuth v2 Have Both Access and Refresh Tokens?

Section 4.2 of the draft OAuth 2.0 protocol indicates that an authorization server can return both an access_token (which is used to authenticate oneself with a resource) as well as a refresh_token, which is used purely to create a new…
dave mankoff
664 votes, 10 answers

How is OAuth 2 different from OAuth 1?

In very simple terms, can someone explain the difference between OAuth 2 and OAuth 1? Is OAuth 1 obsolete now? Should we be implementing OAuth 2? I don't see many implementations of OAuth 2; most are still using OAuth 1, which makes me doubt OAuth 2…
sullivan
607 votes, 47 answers

Google OAuth 2 authorization - Error: redirect_uri_mismatch

On the website https://code.google.com/apis/console I have registered my application, set up generated Client ID: and Client Secret to my app and tried to log in with Google. Unfortunately, I got the error message: Error: redirect_uri_mismatch The…
user984621
587 votes, 10 answers

How does OAuth 2 protect against things like replay attacks using the Security Token?

As I understand it, the following chain of events occurs in OAuth 2 in order for Site-A to access User's information from Site-B. Site-A registers on Site-B, and obtains a Secret and an ID. When User tells Site-A to access Site-B, User is sent to…
William Jones
583 votes, 9 answers

What are the main differences between JWT and OAuth authentication?

I have a new SPA with a stateless authentication model using JWT. I am often asked to refer OAuth for authentication flows like asking me to send 'Bearer tokens' for every request instead of a simple token header but I do think that OAuth is a lot…
Venkatesh Laguduva
353 votes, 8 answers

Why is there an "Authorization Code" flow in OAuth2 when "Implicit" flow works so well?

With the "Implicit" flow the client (likely a browser) will get an access token, after the Resource Owner (i.e. the user) gave access. With the "Authorization Code" flow however, the client (usually a web server) will only get an authorization code…
Aron Woost
295 votes, 5 answers

JWT refresh token flow

I'm building a mobile app and am using JWT for authentication. It seems like the best way to do this is to pair the JWT access token with a refresh token so that I can expire the access token as frequently as I want. What does a refresh token look…
jtmarmon
293 votes, 3 answers

OAuth 2.0: Benefits and use cases — why?

Could anyone explain what's good about OAuth2 and why we should implement it? I ask because I'm a bit confused about it — here's my current thoughts: OAuth1 (more precisely HMAC) requests seem logical, easy to understand, easy to develop and really,…
tonyhb
288 votes, 13 answers

What is the purpose of the implicit grant authorization type in OAuth 2?

I don't know if I just have some kind of blind spot or what, but I've read the OAuth 2 spec many times over and perused the mailing list archives, and I have yet to find a good explanation of why the Implicit Grant flow for obtaining access tokens…
Dan Taflin
264 votes, 11 answers

What is the purpose of a "Refresh Token"?

I have a program that integrates with the YouTube Live Streaming API. It runs on timers, so it's been relatively easy for me to program in to fetch a new Access Token every 50 minutes with a Refresh Token. My question is, why? When I authenticated…
222 votes, 5 answers

Why do access tokens expire?

I am just getting started working with Google API and OAuth2. When the client authorizes my app I am given a "refresh token" and a short lived "access token". Now every time the access token expires, I can POST my refresh token to Google and they…
levi
218 votes, 11 answers

Refreshing OAuth token using Retrofit without modifying all calls

We are using Retrofit in our Android app, to communicate with an OAuth2 secured server. Everything works great, we use the RequestInterceptor to include the access token with each call. However there will be times, when the access token will expire,…
Daniel Zolnai
216 votes, 5 answers

Using an authorization header with Fetch in React Native

I'm trying to use fetch in React Native to grab information from the Product Hunt API. I've obtained the proper Access Token and have saved it to State, but don't seem to be able to pass it along within the Authorization header for a GET…
Richard Kho
205 votes, 9 answers

What is the difference between the OAuth Authorization Code and Implicit workflows? When to use each one?

OAuth 2.0 has multiple workflows. I have a few questions regarding the two. Authorization code flow - User logs in from client app, authorization server returns an authorization code to the app. The app then exchanges the authorization code for…
divyanshm
204 votes, 6 answers

How to validate an OAuth 2.0 access token for a resource server?

When a client asks a resource server to get a protected resource with an OAuth 2.0 access token, how does this server validate the token? The OAuth 2.0 refresh token protocol?
Ack