Which layer checks for Access Token in an Implicit Grant OAuth 2.0 flow?

Context: A user is trying to access website 'A' in a browser, but 'A' relies upon another web application 'B' (Authentication Server) to authenticate and authorize the user using the "Implicit Grant" OAuth 2.0 flow.

Question: When a user accesses a web page on website 'A' for the first time, how does website 'A' know that this first request does not have a valid access token, and then redirect the request to website 'B'?

Does the 'Webserver' of website 'A' make this check of the access token?


IMPLICIT FLOW SOLUTIONS

This solution is used by web apps where no code executes on the web server - and your Web UI is a Single Page Application - is this definitely the same as your solution?

  • 'Web Site A' will be your client side JavaScript UI - users login and then get an access token
  • 'Web Application B' - the authentication server - will be a 3rd party system that issues access tokens to your JavaScript UI
  • The API will be your server side code - it receives access tokens from the client side UI, validates the token, then returns data to the UI

SERVER SIDE WEB APP SOLUTIONS

If your solution is different to the above then it sounds like you have a server side web app instead - in this case the Implicit Flow is not the right solution.

IF YOU DEFINITELY HAVE A SINGLE PAGE APP

There is a bit of a learning curve to using OAuth 2.0 and OpenID Connect with Single Page Apps. I would recommend the excellent OIDC Client Library which will do a lot of work for you.

Out of interest I've written a detailed blog + code samples around OAuth 2.0 solutions, including SPAs. I hope you can just browse it to improve your understanding - maybe start with This Overview.


The JavaScript application "website A" probably keeps the access token and its expiration time somewhere - for example in the session storage. So on load, the application can check the presence of an access token and its expiration time. The expiration time is delivered along with the token in a redirect URL (expires_in parameter) from the auth provider.
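An added example (not from either answer above) of the on-load check this answer describes: the SPA parses the redirect fragment for `access_token` and `expires_in`, stores the token with an absolute expiry, and on later loads decides between using the stored token and redirecting to the authorization server. The storage key, the 30-second skew margin and the in-memory storage stand-in are assumptions so the code runs outside a browser; the client-side check is only a convenience for the UI, and the API must still validate every token it receives.

```javascript
// Constructed example: handle the Implicit Grant redirect fragment and keep the
// token with an absolute expiry so the SPA can decide on load whether it needs to
// redirect to the authorization server. Storage is injected so the same code runs
// with an in-memory object in Node or with window.sessionStorage in the browser.
const TOKEN_KEY = "oauth_token";     // hypothetical storage key
const CLOCK_SKEW_MS = 30 * 1000;     // treat tokens expiring within 30 s as expired

// Parse "#access_token=...&token_type=Bearer&expires_in=3600&state=..." from the redirect.
function parseImplicitFragment(fragment) {
  const params = new URLSearchParams(fragment.replace(/^#/, ""));
  const accessToken = params.get("access_token");
  const expiresIn = Number(params.get("expires_in"));
  if (!accessToken || !Number.isFinite(expiresIn) || expiresIn <= 0) return null;
  return { accessToken, expiresIn, state: params.get("state") };
}

// Convert the relative expires_in (seconds) into an absolute expiry and persist it.
function storeToken(storage, parsed, nowMs) {
  const record = { accessToken: parsed.accessToken, expiresAt: nowMs + parsed.expiresIn * 1000 };
  storage.setItem(TOKEN_KEY, JSON.stringify(record));
  return record;
}

// Return the stored record if it is well-formed and not (nearly) expired, else null.
function getValidToken(storage, nowMs) {
  const raw = storage.getItem(TOKEN_KEY);
  if (!raw) return null;
  let record;
  try { record = JSON.parse(raw); } catch (e) { return null; }
  if (typeof record.accessToken !== "string" || typeof record.expiresAt !== "number") return null;
  if (record.expiresAt - CLOCK_SKEW_MS <= nowMs) { storage.removeItem(TOKEN_KEY); return null; }
  return record;
}

// On load: consume a fresh token from the fragment (checking state against the value
// the app generated before redirecting), else fall back to storage, else redirect.
function decideOnLoad(storage, fragment, nowMs, expectedState) {
  const parsed = parseImplicitFragment(fragment);
  if (parsed) {
    if (expectedState && parsed.state !== expectedState) return { action: "reject_state" };
    storeToken(storage, parsed, nowMs);
    return { action: "authenticated", accessToken: parsed.accessToken };
  }
  const stored = getValidToken(storage, nowMs);
  return stored ? { action: "authenticated", accessToken: stored.accessToken }
                : { action: "redirect_to_authorization_server" };
}

// Minimal stand-in for window.sessionStorage (constructed so the example runs offline).
function memoryStorage() {
  const m = new Map();
  return { getItem: k => (m.has(k) ? m.get(k) : null), setItem: (k, v) => m.set(k, String(v)), removeItem: k => m.delete(k) };
}
```

In the browser, call `decideOnLoad(window.sessionStorage, window.location.hash, Date.now(), savedState)` and, on `redirect_to_authorization_server`, navigate to the authorization endpoint.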
