<p>The <code>access_token</code> is what you need to call a protected resource (an API). In the Authorization Code flow there are 2 steps to get it:</p>
<ol>
<li>The user must authenticate, and a <code>code</code> is returned to the API consumer (called the "Client").</li>
<li>The "client" of the API (usually your web server) exchanges the <code>code</code> obtained in #1 for an <code>access_token</code>, authenticating itself with a <code>client_id</code> and <code>client_secret</code>.</li>
<li>It then can call the API with the <code>access_token</code>.</li>
</ol>
<p>So, there's a double check: the user that owns the resources surfaced through an API and the client using the API (e.g. a web app). Both are validated for access to be granted. Notice the "authorization" nature of OAuth here: the user grants access to his resource (through the <code>code</code> returned after authentication) to an app, the app gets an <code>access_token</code>, and calls on the user's behalf.</p>
<p>In the implicit flow, step 2 is omitted. So after user authentication, an <code>access_token</code> is returned directly, which you can use to access the resource. The API doesn't know who is calling that API. Anyone with the <code>access_token</code> can, whereas in the previous example only the web app would (its internals are not normally accessible to anyone).</p>
<p>The implicit flow is usually used in scenarios where storing the <code>client id</code> and <code>client secret</code> is not recommended (a device, for example, although many do it anyway). That's what the disclaimer means. People have access to the client code and therefore could get the credentials and pretend to become resource clients. In the implicit flow all data is volatile and there's nothing stored in the app.</p>
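The two grants the answer describes, modelled as an added example (not code from the answer or from any real OAuth library): a toy in-memory authorization server in which the authorization code flow's exchange step requires the client's secret and redeems each code once, while the implicit grant hands the token straight back with no client check; the client names and secrets are constructed sample values.

```python
import secrets
from dataclasses import dataclass, field

# Constructed sample registrations: "webapp" is a confidential client that
# holds a secret; "mobile" is a public client that cannot keep one.
CLIENTS = {"webapp": "s3cret", "mobile": None}


@dataclass
class AuthServer:
    codes: dict = field(default_factory=dict)   # code -> (user, client_id)
    tokens: dict = field(default_factory=dict)  # access_token -> (user, client_id)

    def authorize_code(self, user, client_id):
        """Step 1 of the authorization code flow: after the user authenticates
        and consents, a short-lived, single-use code is issued, not a token."""
        code = secrets.token_urlsafe(16)
        self.codes[code] = (user, client_id)
        return code

    def exchange_code(self, code, client_id, client_secret):
        """Step 2: the client trades the code for an access_token and must
        prove its own identity with client_id + client_secret (the double check)."""
        registered = CLIENTS.get(client_id)
        if registered is None or client_secret is None \
                or not secrets.compare_digest(registered, client_secret):
            return None  # client authentication failed; code stays unredeemed
        entry = self.codes.pop(code, None)  # pop: a code can be redeemed only once
        if entry is None or entry[1] != client_id:
            return None  # unknown, already used, or issued to a different client
        token = secrets.token_urlsafe(24)
        self.tokens[token] = entry
        return token

    def authorize_implicit(self, user, client_id):
        """Implicit flow: the exchange step is skipped and the token goes back
        directly after user authentication; nothing proves which client holds it."""
        token = secrets.token_urlsafe(24)
        self.tokens[token] = (user, client_id)
        return token

    def call_api(self, token):
        """The protected resource checks only the bearer token: whoever holds
        it can call the API on the user's behalf."""
        entry = self.tokens.get(token)
        return None if entry is None else {"owner": entry[0], "client": entry[1]}
```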