I’ve been reading a lot on OAuth2 trying to get my head around it, but I’m still confused about something.
I understand that the client authorises with the OAuth provider (Google for example) and allows the Resource Server to have access to the user’s profile data. Then the client can send the access token to the resource server and be given back the resource.
But what does not seem to be covered in any of the documentation is what happens when the client app asks the resource server for a resource and passes it the access token. Everything I have read so far states that the resource server just responds with the requested resource.
But that seems like a huge hole, surely the resource server must somehow validate the access token, otherwise I could just fake up any old request and pass an old, stolen, fake, or randomly generated token and it would just accept it.
Can anyone point me at a simple to follow explanation of OAuth2 because so far the ones I have read feel incomplete.
Found it. Buried in the spec. They say the resource server should validate the access token with the auth server but that it’s outside the scope of the document. Pity, I would have thought that token validation was an important part.
Token validation is generally handled in one of two ways.
- The token is cryptographically signed using pre-shared keys. This has obvious shortcomings for use in distributed, proliferating systems.
- The Authorization Server (AS) provides an endpoint for token validation or introspection. This method was standardized in IETF RFC 7662 in October 2015, see: https://www.rfc-editor.org/rfc/rfc7662
This Stack Overflow question/answer includes examples from Google and GitHub: https://stackoverflow.com/questions/12296017/how-to-validate-an-oauth-2-0-access-token-for-a-resource-server
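To make the two options concrete, here is an added example (not code from the question or the answer above) of a resource server validating an access token both ways: locally, for a token signed with a pre-shared key, and remotely, by asking the Authorization Server's introspection endpoint in the RFC 7662 style. The AS is simulated in-process so the example runs offline; the shared key, audience, subjects and token lifetimes are constructed for the example.

```python
"""Added example, not code from the original question or answers: a resource
server validating an OAuth2 access token in the two ways the answer lists.

  1. Locally, for a token signed with a pre-shared key (HS256-style JWT).
  2. Remotely, by asking the Authorization Server's introspection endpoint
     (RFC 7662). The AS is simulated in-process; a real resource server would
     POST the token over HTTPS to the endpoint, authenticating itself as
     RFC 7662 section 2.1 requires.

Keys, subjects, audiences and token lifetimes below are constructed for the
example. Python standard library only.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time

SHARED_KEY = b"constructed-pre-shared-key-not-for-real-use"  # constructed
RS_AUDIENCE = "https://rs.example/api"                       # constructed


def _now(now):
    return int(time.time()) if now is None else now


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


# ---- 1. Pre-shared-key signed token, validated locally by the resource server ----

def issue_signed_token(sub, scope, aud=RS_AUDIENCE, ttl=3600, now=None):
    """AS side: mint a compact JWT with an HMAC-SHA256 signature over header.payload."""
    now = _now(now)
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": sub, "scope": scope, "aud": aud, "iat": now, "exp": now + ttl}
    signing_input = ".".join(_b64url(json.dumps(p, separators=(",", ":")).encode())
                             for p in (header, claims))
    sig = hmac.new(SHARED_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def validate_signed_token(token, required_scope, aud=RS_AUDIENCE, now=None):
    """RS side: return the claims if the token is genuine and usable here, else None.
    Everything is checked before the claims are trusted: structure, pinned alg,
    signature (constant-time compare), expiry, audience, then scope."""
    now = _now(now)
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        header = json.loads(_b64url_decode(parts[0]))
        claims = json.loads(_b64url_decode(parts[1]))
        sig = _b64url_decode(parts[2])
    except ValueError:  # bad base64, bad UTF-8 and bad JSON all land here
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None  # pin the algorithm; never let the token choose it (e.g. "none")
    expected = hmac.new(SHARED_KEY, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    if not isinstance(claims, dict) or not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    if claims.get("aud") != aud:
        return None
    if required_scope not in str(claims.get("scope", "")).split():
        return None
    return claims


# ---- 2. Opaque token, validated by asking the AS (RFC 7662 introspection) ----

_AS_TOKENS = {}  # simulated AS token store: opaque handle -> metadata (constructed)


def as_issue_opaque_token(sub, scope, aud=RS_AUDIENCE, ttl=3600, now=None):
    """AS side: the token is a random handle; all meaning lives in the AS's store."""
    token = secrets.token_urlsafe(32)
    _AS_TOKENS[token] = {"sub": sub, "scope": scope, "aud": aud, "exp": _now(now) + ttl}
    return token


def as_revoke(token):
    _AS_TOKENS.pop(token, None)


def as_introspect(token, now=None):
    """Simulated introspection response body (RFC 7662 section 2.2). Unknown,
    revoked and expired tokens all get a bare {"active": false}, so the endpoint
    does not tell a caller which of those it was."""
    rec = _AS_TOKENS.get(token)
    if rec is None or rec["exp"] <= _now(now):
        return {"active": False}
    return {"active": True, **rec}


def validate_by_introspection(token, required_scope, aud=RS_AUDIENCE, now=None):
    """RS side: trust the AS's verdict on whether the token is live, but still
    apply this resource server's own audience and scope policy."""
    resp = as_introspect(token, now)
    if not resp.get("active"):
        return None
    if resp.get("aud") != aud:
        return None
    if required_scope not in str(resp.get("scope", "")).split():
        return None
    return resp


if __name__ == "__main__":
    t0 = 1_700_000_000
    jwt = issue_signed_token("alice", "profile email", now=t0)
    h, p, s = jwt.split(".")
    forged = h + "." + _b64url(b'{"sub":"mallory","scope":"admin","aud":"%s","exp":9999999999}'
                               % RS_AUDIENCE.encode()) + "." + s
    print("valid jwt    :", validate_signed_token(jwt, "profile", now=t0) is not None)
    print("forged claims:", validate_signed_token(forged, "admin", now=t0))
    print("expired jwt  :", validate_signed_token(jwt, "profile", now=t0 + 7200))
    print("random token :", validate_signed_token(secrets.token_urlsafe(40), "profile", now=t0))
    op = as_issue_opaque_token("bob", "profile", now=t0)
    print("live opaque  :", validate_by_introspection(op, "profile", now=t0) is not None)
    as_revoke(op)
    print("revoked      :", validate_by_introspection(op, "profile", now=t0))
```

The point the question is circling: with the signed token the resource server can decide on its own, but it has to hold the key and it cannot see revocations until the token expires; with introspection it needs a network round trip per check (or a short cache) but revocation is immediate and the resource server never holds signing material. In both cases the audience and scope checks are the resource server's own policy and are not something the signature or the `active` flag gives it for free.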
You can read the spec for how to validate the token:
https://www.rfc-editor.org/rfc/rfc7662
Hope this helps. Please mark it as the answer if it answers your query/problem.