34👍
You'll get answers to all your questions once you read about the OAuth2 protocol from here. But I'll try to answer your questions in brief:

I'll be using the words client and Resource Server frequently. In the OAuth2 protocol, client means the system which accesses resources, data or a service. (It could be your mobile app or JavaScript app consuming the REST APIs of your API backend, or Resource Server. If you have implemented Facebook login in your mobile/JS apps, chances are your API backend requests Facebook for the user's information. In that case your API backend is being a client and Facebook is the Resource Server.)

Client Types:
Client type is either confidential or public, depending on whether that client can keep its client_secret a secret. (For example, an AngularJS app cannot keep its client_secret hidden, since anyone can do "Inspect Element" in a browser and search for it, so such a client has to be registered as public.)

Authorization Grant Types:
There are four kinds of Authorization Grant Types in the OAuth2 protocol.
- Authorization Code: In this grant type, the client requests an authorization code first, then exchanges that authorization code for an access token. It's a two-step procedure. Use this if the client is an outsider (more on it in Resource-owner password based).
- Implicit: Usually used along with the public client_type. Instead of the two-step procedure above, the client gets the access token in one go.
- Resource-owner password based: This is used when there is a high degree of trust between the client and the Resource Server. This is the case between your API backend and your mobile app. (There is a high degree of trust between your API backend and your JavaScript app too, but since it cannot keep its client_secret a secret, you have to use the Implicit grant type with it.) Facebook or Google etc. will never give you this kind of Authorization Grant because, for them, your API backend is an outsider.
- Client Credentials: It is the least commonly used. Please read about it in the above-mentioned document.

Redirect URIs:
Now, as far as Redirect URIs are concerned, they are needed only in the Authorization Code or Implicit grant types (not sure about the Client Credentials one, somebody please enlighten me on this in the comments).

Redirect URI is given so that the Resource Server knows where to send the access token. Imagine you are implementing Facebook login. In that case you will go to developers.facebook.com and register your application (like you did with django-oauth-toolkit); while registering your application, you will specify a Redirect URI.

Specifying a Redirect URI is a way of saying, "Hey Facebook, send the access token to this URI". So if you set the Redirect URI to something like https://your_domain_name.com/token/facebook/, Facebook will redirect to your specified Redirect URI at the end of the OAuth2 process and give the Access Token in the form of a GET parameter, like https://your_domain_name.com/token/facebook/?token=some_long_string&some=other_parameters.
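The redirect-URI and grant-type rules from the answer above, as an added Python example that is not part of the original answer: a client builds the authorization request, the server side checks the registered client type, grant type and an exact redirect URI match, and the client reads the code or token back from the redirect. The client registry, the `https://auth.example/` endpoint and the callback values are constructed sample data.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed client registry, shaped like what a django-oauth-toolkit-style
# "register application" form stores (example data only).
CLIENTS = {
    "mobile-app":  {"client_type": "confidential", "grant_type": "authorization-code",
                    "redirect_uris": {"https://your_domain_name.com/token/facebook/"}},
    "angular-app": {"client_type": "public", "grant_type": "implicit",
                    "redirect_uris": {"https://your_domain_name.com/callback/"}},
}
# Authorization Code asks for a code (two steps); Implicit asks for the token directly.
RESPONSE_TYPE_FOR_GRANT = {"authorization-code": "code", "implicit": "token"}

def build_authorization_url(authorize_endpoint, client_id, redirect_uri, state):
    """Client side: step one of the flow. `state` is a random value the client
    keeps so it can recognise its own callback later."""
    client = CLIENTS[client_id]
    params = {"response_type": RESPONSE_TYPE_FOR_GRANT[client["grant_type"]],
              "client_id": client_id, "redirect_uri": redirect_uri, "state": state}
    return f"{authorize_endpoint}?{urlencode(params)}"

def validate_authorization_request(url):
    """Server side: accept only a known client, a response_type that fits its
    registered grant, and a redirect_uri that is an exact string match against
    a registered URI (no prefix or substring matching). Returns (ok, reason)."""
    q = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    client = CLIENTS.get(q.get("client_id"))
    if client is None:
        return False, "unknown client_id"
    if q.get("response_type") != RESPONSE_TYPE_FOR_GRANT[client["grant_type"]]:
        return False, "response_type not allowed for this client's grant type"
    if q.get("redirect_uri") not in client["redirect_uris"]:
        return False, "redirect_uri does not exactly match a registered URI"
    if not q.get("state"):
        return False, "missing state"
    return True, "ok"

def parse_callback(callback_url, expected_state):
    """Client side: read what arrived at the redirect URI. A code comes in the
    query string; an Implicit access_token is delivered in the URL fragment, so
    both are parsed. Anything whose state does not match ours is ignored."""
    parts = urlsplit(callback_url)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    q.update({k: v[0] for k, v in parse_qs(parts.fragment).items()})
    if q.get("state") != expected_state:
        return None
    return q.get("code") or q.get("access_token")
```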