What are the main differences between JWT and OAuth authentication?

I have a new SPA with a stateless authentication model using JWT. I am often asked to refer to OAuth for authentication flows, e.g. being asked to send ‘Bearer tokens’ with every request instead of a simple token header, but I do think that OAuth is a lot more complex than a simple JWT-based authentication. … Read more

How does OAuth 2 protect against things like replay attacks using the Security Token?

As I understand it, the following chain of events occurs in OAuth 2 in order for Site-A to access User’s information from Site-B. Site-A registers on Site-B, and obtains a Secret and an ID. When User tells Site-A to access Site-B, User is sent to Site-B where they tell Site-B that they would indeed like … Read more

Why Does OAuth v2 Have Both Access and Refresh Tokens?

Section 4.2 of the draft OAuth 2.0 protocol indicates that an authorization server can return both an access_token (which is used to authenticate oneself with a resource) as well as a refresh_token, which is used purely to create a new access_token: https://www.rfc-editor.org/rfc/rfc6749#section-4.2 Why have both? Why not just make the access_token last as long as … Read more
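The two questions above (replay of a stolen token, and why a short-lived access token is paired with a separate refresh token) are illustrated by the following added example. It is not code from any of the posts on this page: it assumes an HS256-signed access token with a five-minute lifetime, an opaque refresh token held server side and rotated on every use (the rotation-and-reuse-detection pattern described in RFC 6749 section 10.4), and an in-memory store; the names AuthorizationServer, mint_access_token, verify_access_token, the signing key and the subject "alice" are all constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed demo key; a deployment would load this from a secret store.
SIGNING_KEY = b"demo-hs256-key-not-for-production"
ACCESS_TTL = 300            # seconds a stolen access token stays usable at most
REFRESH_TTL = 30 * 86400    # refresh tokens live longer but are only ever sent to the auth server


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_access_token(subject: str, now: float) -> str:
    """Stateless HS256 JWT with a short exp: the bearer credential shown to the resource server."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    claims = {"sub": subject, "iat": int(now), "exp": int(now) + ACCESS_TTL}
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_access_token(token: str, now: float):
    """Resource-server check: pin the alg, constant-time signature compare, then exp. Claims or None."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return None
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        return None
    expected = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return None
    claims = json.loads(_b64url_decode(payload))
    if now >= claims["exp"]:
        return None   # replaying an expired token fails without any server-side lookup
    return claims


class AuthorizationServer:
    """Refresh tokens are opaque and stored, so they can be rotated and revoked; access tokens are not."""

    def __init__(self):
        self._refresh = {}            # refresh_token -> {"sub", "family", "exp", "used"}
        self._revoked_families = set()

    def _issue_pair(self, subject: str, family: str, now: float) -> dict:
        rt = secrets.token_urlsafe(32)
        self._refresh[rt] = {"sub": subject, "family": family, "exp": now + REFRESH_TTL, "used": False}
        return {"access_token": mint_access_token(subject, now), "refresh_token": rt}

    def login(self, subject: str, now: float) -> dict:
        return self._issue_pair(subject, secrets.token_hex(8), now)

    def refresh(self, refresh_token: str, now: float):
        rec = self._refresh.get(refresh_token)
        if rec is None or rec["family"] in self._revoked_families or now >= rec["exp"]:
            return None
        if rec["used"]:
            # The same refresh token presented twice means two parties hold it (client and thief);
            # revoke the whole family so neither can obtain further access tokens.
            self._revoked_families.add(rec["family"])
            return None
        rec["used"] = True
        return self._issue_pair(rec["sub"], rec["family"], now)


if __name__ == "__main__":
    t0 = time.time()
    srv = AuthorizationServer()
    pair = srv.login("alice", t0)
    print("fresh token accepted:", verify_access_token(pair["access_token"], t0 + 10) is not None)
    print("replay after expiry:", verify_access_token(pair["access_token"], t0 + ACCESS_TTL))
    rotated = srv.refresh(pair["refresh_token"], t0 + ACCESS_TTL)
    print("rotation issued new pair:", rotated is not None)
    print("reuse of old refresh token:", srv.refresh(pair["refresh_token"], t0 + ACCESS_TTL + 1))
```

The split answers the "why both" question directly: the access token can be verified offline by any resource server and an attacker who captures it has at most ACCESS_TTL seconds of use, while the long-lived refresh token is only ever presented to the authorization server, which can rotate it, detect reuse and revoke it.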