Gobliins - 4 months ago
reST (reStructuredText) Question

OAuth 2.0 - first step details, can someone clarify?

In lots of descriptions the first step is that the user tries to access a resource on the server, something like

https://fhirblog.files.wordpress.com/2014/06/oauth2sequencediagram.png

Now I've got a REST API with several endpoints:

GET /server/resource1
DELETE /server/resource1/{uuid}
GET /server/resource2
...


The implementation looks something like this:

    @DELETE
    public Response deleteResource(
            @ApiParam(value = "The id", required = true)
            @PathParam("uuid") String uuid,
            @Context SecurityContext securityContext)
            throws NotFoundException {
        // delete the resource identified by uuid, then answer 204 No Content
        return Response.noContent().build();
    }


Until now I have implemented an API key which is passed by header into the API and a filter that verifies the API key.

Now I want to implement a full (three/two-legged) OAuth 2.0 flow. But I am now wondering about the first step.

So the question is:

Do I have to add a mechanism on each endpoint that verifies if the request has a token? And if not, redirect the request to an auth endpoint?

(Also: can I send the tokens in the HTTP header, or do the tokens have to be in the body of the request?)

Or:
Do I have to create just one endpoint that does the token stuff, and in my other resource endpoints only verify if the token is valid?

Answer

Okay, here are the explanations.

Do I have to add a mechanism on each endpoint that verifies if the request has a token? And if not, redirect the request to an auth endpoint?

This question has two parts, so I will explain them separately for better understanding:

  • Do I have to add a mechanism on each endpoint that verifies if the request has a token?

    Yes. In general the endpoints would be APIs, so you need to set up middleware, an interceptor or filters to check whether the endpoint needs authorization; if so, check the access token; if it is valid, proceed with the request, and if not, return 401 Unauthorized as the HTTP response. For example:

    All requests to /server/* must be accessed with an access token, so you need to set up a filter for those paths and check the access token.

  • If not, redirect the request to an auth endpoint?

    No. If the access token is not provided, or is invalid or expired, in any case you need to return an Unauthorized HTTP response like the one below:

    Status Code:401

    {"ok":false,"errors":[{"code":"unauthorized_request","message":"unauthorized request, access token either invalid / expired"}]}

    Here it is a JSON response, but any format works.

So when the client makes an HTTP request to access the endpoint, they need to pass the access token in the HTTP header like below:

Authorization: Bearer {access_token}

Do I have to create just one endpoint that does the token stuff, and in my other resource endpoints only verify if the token is valid?

Yes, you need to create an endpoint like /auth (typically called the auth endpoint) to handle the authentication process, code exchange, refresh, revocation etc.

Then all other resource endpoints should just check the token and process the request; these endpoints won't take part in the token management process.
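The filter the answer describes, as an added example for the asker's JAX-RS setup (it is not code from the question or the answer): it scopes the check to /server/*, reads the bearer token from the Authorization header, and on failure aborts with the 401 JSON body above plus the WWW-Authenticate challenge RFC 6750 requires. The TokenValidator interface is an assumption standing in for whatever introspection or JWT verification the /auth endpoint's issuer supports.

```java
import java.io.IOException;
import java.util.Optional;
import javax.annotation.Priority;
import javax.ws.rs.Priorities;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.Provider;

// Runs before resource methods and rejects any /server/* request without a valid bearer token.
@Provider
@Priority(Priorities.AUTHENTICATION)
public class BearerTokenFilter implements ContainerRequestFilter {
    private static final String BEARER_PREFIX = "Bearer ";
    private static final String UNAUTHORIZED_BODY = "{\"ok\":false,\"errors\":[{\"code\":\"unauthorized_request\","
        + "\"message\":\"unauthorized request, access token either invalid / expired\"}]}";

    // Hypothetical validator (assumption, not from the page): introspects or verifies the token and
    // returns the subject it was issued to, or empty when it is unknown, revoked or expired.
    public interface TokenValidator { Optional<String> validate(String token); }

    private final TokenValidator validator;
    public BearerTokenFilter(TokenValidator validator) { this.validator = validator; }

    @Override
    public void filter(ContainerRequestContext ctx) throws IOException {
        // Only /server/* is protected; /auth must stay reachable without a token so clients can obtain one.
        if (!ctx.getUriInfo().getPath().startsWith("server/")) {
            return;
        }
        String header = ctx.getHeaderString(HttpHeaders.AUTHORIZATION);
        if (header == null || !header.startsWith(BEARER_PREFIX)) {
            abort(ctx, "invalid_request"); // missing or non-bearer credentials
            return;
        }
        Optional<String> subject = validator.validate(header.substring(BEARER_PREFIX.length()).trim());
        if (subject.isEmpty()) {
            abort(ctx, "invalid_token"); // unknown, revoked or expired
            return;
        }
        ctx.setProperty("subject", subject.get()); // resource methods can read who the token belongs to
    }

    // 401 with the JSON body from the answer plus the WWW-Authenticate challenge RFC 6750 requires.
    private static void abort(ContainerRequestContext ctx, String error) {
        ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED)
            .header(HttpHeaders.WWW_AUTHENTICATE, "Bearer realm=\"server\", error=\"" + error + "\"")
            .type(MediaType.APPLICATION_JSON).entity(UNAUTHORIZED_BODY).build());
    }
}
```

Register the filter (with its validator) in your Application subclass so the container applies it to every request; the resource methods then never see a request without a validated token.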