Using OAuth for Authorization

Learn about generating tokens and changing their permissions with the OAuth protocol.

OAuth (commonly expanded as Open Authorization; the current version is OAuth 2.0, RFC 6749) is an open standard authorization protocol that lets a third-party application access resources on behalf of a user without ever seeing the user's credentials. It's commonly used to enable secure authorization and access control for APIs, web services, and other protected resources. OAuth gives users a way to grant an application access to specific resources, limited by scope, while their credentials stay with the identity provider.

The main goal of OAuth is to enable delegated access to resources, where a user can grant permission to an application to access certain resources on their behalf without sharing their username and password with the application.

OIDC (OpenID Connect) is an identity layer built on top of OAuth 2.0: OIDC handles the authentication flow and tells the application who the user is, while OAuth is the protocol responsible for authorization, that is, what the application may access on the user's behalf. The two go hand-in-hand and are typically used together. In this lesson, we will go through the basics of OAuth with the help of a custom IdP application, which is presented in the following playground:

{
  "Logging": {
    "LogLevel": {
      "Default": "Information",
      "Microsoft.AspNetCore": "Warning"
    }
  },
  "AllowedHosts": "*"
}
[Figure: OpenID Connect with OAuth components]

OAuth defines how the access token is requested and issued once the authentication flow is completed, and how the client presents it to a resource server. Core OAuth 2.0 deliberately treats the token as opaque to the client; its internal structure is chosen by the authorization server (a self-contained JWT following the JWT access token profile, RFC 9068, is a common choice, an opaque reference string stored server-side is another). Companion specifications cover the rest of the token lifecycle: token introspection (RFC 7662) lets a resource server ask the authorization server whether a token is still active and what it carries, and token revocation (RFC 7009) lets a client invalidate a token before it expires. The above application demonstrates examples of both.
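To make the lifecycle concrete, here is an added example that is not part of the playground or the lesson's own code: a hypothetical in-memory authorization server that issues an HS256-signed JWT access token together with an opaque refresh token, honours the refresh_token grant with rotation, answers introspection in the RFC 7662 style ({"active": false} for anything expired, revoked, tampered with or simply unknown), and handles revocation in the RFC 7009 style (an unknown token is not an error, and revoking a refresh token also invalidates the access tokens issued under the same grant). The issuer URL, client id, subject and scope values are made up for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class AuthorizationServer:
    """Hypothetical in-memory authorization server (added example, not the playground's IdP).

    Access tokens are HS256-signed JWTs (one common choice; core OAuth 2.0 leaves the format
    to the server). Refresh tokens are opaque random strings that only mean something to
    this server's own store.
    """

    def __init__(self, issuer: str, signing_key: bytes):
        self.issuer = issuer
        self.key = signing_key
        self.revoked_jti = set()   # jti values of access tokens revoked before expiry
        self.grants = {}           # refresh token -> grant metadata (client, subject, scope, jtis)

    def _sign(self, signing_input: str) -> str:
        return _b64url(hmac.new(self.key, signing_input.encode(), hashlib.sha256).digest())

    def _mint_access_token(self, grant: dict, lifetime: int, now: int) -> str:
        claims = {"iss": self.issuer, "sub": grant["sub"], "client_id": grant["client_id"],
                  "scope": grant["scope"], "iat": now, "exp": now + lifetime,
                  "jti": secrets.token_urlsafe(16)}
        grant["jtis"].add(claims["jti"])   # remember which access tokens belong to this grant
        header = {"alg": "HS256", "typ": "at+jwt"}
        signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
        return signing_input + "." + self._sign(signing_input)

    def _parse_access_token(self, token: str):
        """Return the claims if the signature verifies, else None (expiry is checked by the caller)."""
        parts = token.split(".")
        if len(parts) != 3:
            return None
        expected = self._sign(parts[0] + "." + parts[1])
        if not hmac.compare_digest(expected.encode(), parts[2].encode()):
            return None
        return json.loads(_b64url_decode(parts[1]))

    def issue_tokens(self, client_id: str, subject: str, scope: str, lifetime=3600, now=None) -> dict:
        """Token endpoint response for a freshly authorized grant: access + refresh token."""
        now = int(time.time()) if now is None else now
        refresh_token = secrets.token_urlsafe(32)
        grant = {"client_id": client_id, "sub": subject, "scope": scope, "jtis": set()}
        self.grants[refresh_token] = grant
        return {"access_token": self._mint_access_token(grant, lifetime, now), "token_type": "Bearer",
                "expires_in": lifetime, "refresh_token": refresh_token, "scope": scope}

    def refresh(self, refresh_token: str, lifetime=3600, now=None) -> dict:
        """refresh_token grant: new access token, rotated refresh token, old refresh token retired."""
        now = int(time.time()) if now is None else now
        grant = self.grants.pop(refresh_token, None)
        if grant is None:
            return {"error": "invalid_grant"}
        new_refresh = secrets.token_urlsafe(32)
        self.grants[new_refresh] = grant
        return {"access_token": self._mint_access_token(grant, lifetime, now), "token_type": "Bearer",
                "expires_in": lifetime, "refresh_token": new_refresh, "scope": grant["scope"]}

    def introspect(self, token: str, now=None) -> dict:
        """RFC 7662 style: {"active": false} unless the token is valid, unexpired and not revoked."""
        now = int(time.time()) if now is None else now
        if token in self.grants:
            grant = self.grants[token]
            return {"active": True, "token_type": "refresh_token", "client_id": grant["client_id"],
                    "sub": grant["sub"], "scope": grant["scope"]}
        claims = self._parse_access_token(token)
        if claims is None or claims["exp"] <= now or claims["jti"] in self.revoked_jti:
            return {"active": False}
        return {"active": True, "token_type": "Bearer", **claims}

    def revoke(self, token: str) -> None:
        """RFC 7009 style: always succeeds, so callers cannot probe which tokens exist.
        Revoking a refresh token also invalidates every access token issued under its grant."""
        grant = self.grants.pop(token, None)
        if grant is not None:
            self.revoked_jti.update(grant["jtis"])
            return
        claims = self._parse_access_token(token)
        if claims is not None:
            self.revoked_jti.add(claims["jti"])


if __name__ == "__main__":
    idp = AuthorizationServer("https://idp.example", secrets.token_bytes(32))
    tokens = idp.issue_tokens("web-client", "alice", "openid profile", now=1_700_000_000)
    print(idp.introspect(tokens["access_token"], now=1_700_000_100)["active"])   # True
    idp.revoke(tokens["refresh_token"])
    print(idp.introspect(tokens["access_token"], now=1_700_000_100)["active"])   # False
```

Two design points worth noting. Introspection answers identically for an expired, revoked, forged or never-issued token, so a resource server learns nothing beyond "not active"; and revocation of an unknown token still returns success, which is what RFC 7009 asks for and which prevents the endpoint from being used as a token oracle. A real deployment would also authenticate the client calling these endpoints and would sign access tokens with an asymmetric key so resource servers can verify them locally without holding the secret.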

Generating access and refresh tokens

Let's have a look at how access and refresh tokens are generated. Both are generated by the ...