
1. The Authorisation Code Grant

Matt Goldman edited this page Aug 3, 2023 · 4 revisions

🏗️ WIP

The Authorization Code Grant is a crucial part of OAuth 2.0, the open standard for authorization that enables third-party applications to obtain limited access to a web service. In dotnetflix, we use this mechanism for initial user sign-up, before users register for passwordless authentication.

The Authorization Code Grant is designed for applications that can keep a client secret confidential, typically a server-side application. (With the PKCE extension, RFC 7636, it is also the recommended grant for public clients such as mobile and single-page apps, which cannot hold a secret.) It lets a user grant a third-party application access to their resources without sharing their credentials (username and password) with that application: the password is only ever entered at the authorization server.

The Process

The Authorization Code Grant involves a series of steps:

  1. Authorization Request: The client (your application) directs the user's browser to the authorization server (the dotnetflix IdentityServer in this case). The request includes the response type (response_type=code for this grant), the client ID, the redirect URI (where the response will be sent), and the scope of access requested. It should also carry a random state value that the client stores and checks when the browser comes back, and, if PKCE is used, a code_challenge derived from a secret code_verifier the client keeps to itself.

  2. User Authentication: The authorization server authenticates the user. This could involve asking the user to sign in with their username and password.

  3. Authorization Grant: After successfully authenticating, the user is asked to approve the requested access. If they approve, the authorization server redirects the browser back to the client's registered redirect URI with a short-lived, single-use authorization code (and the state value) in the query string. The redirect URI must match what the client registered exactly; a loose match would let an attacker have the code delivered to a URI they control.

  4. Authorization Code to Access Token: The client now sends a request directly to the authorization server's token endpoint (server to server, not through the browser), including the authorization code, the same redirect URI, its own credentials (client ID and secret), and the PKCE code_verifier if one was used. The authorization server checks that the code was issued to this client for this redirect URI and has not been used before, verifies the code_verifier against the original code_challenge, and if everything checks out returns an access token (and optionally a refresh token) to the client. Because this exchange never passes through the browser, the access token is not exposed to the user agent.

  5. Access to Protected Resources: The client can now use the access token to access the protected resources on behalf of the user.
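The five steps above, carried through end to end with both sides in one process. This is an added example written for this page, not dotnetflix or IdentityServer code; the endpoint URL, client ID, client secret, redirect URI and the sample user are assumptions chosen for illustration, and the "redirects" are simply the URLs the user's browser would carry between the two parties. It goes slightly beyond the text by including PKCE, the state check, exact redirect URI matching and single-use codes, which are the checks a practitioner would expect a real implementation to make.

```python
# Authorization Code Grant with PKCE, client and authorization server in one process.
# Added example, not dotnetflix code: endpoint, client_id, secret, redirect URI and
# the sample user are assumptions for illustration. No HTTP; URLs are passed directly.
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_ENDPOINT = "https://identity.example/connect/authorize"  # assumed


def b64url(raw: bytes) -> str:
    """Unpadded base64url, the encoding RFC 7636 uses for PKCE values."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def query(url: str) -> dict:
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


class AuthorizationServer:
    """Stand-in for the IdentityServer authorize and token endpoints."""

    def __init__(self):
        self.clients = {}                        # client_id -> (secret, redirect_uri)
        self.users = {"alice": "correct horse"}  # constructed sample user
        self.codes = {}                          # code -> what it was issued for

    def register_client(self, client_id, client_secret, redirect_uri):
        self.clients[client_id] = (client_secret, redirect_uri)

    def authorize(self, authorize_url, username, password, approve=True):
        """Steps 1-3: validate the request, authenticate, consent, issue a code."""
        q = query(authorize_url)
        _, registered_uri = self.clients[q["client_id"]]
        if q.get("response_type") != "code":
            raise ValueError("unsupported response_type")
        # Exact match against the registered URI: anything looser lets an
        # attacker have the code delivered to a URI they control.
        if q.get("redirect_uri") != registered_uri:
            raise ValueError("redirect_uri mismatch")
        if self.users.get(username) != password:
            raise PermissionError("authentication failed")
        if not approve:
            return registered_uri + "?" + urlencode({"error": "access_denied", "state": q["state"]})
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": q["client_id"], "redirect_uri": registered_uri,
                            "code_challenge": q["code_challenge"],
                            "scope": q.get("scope", ""), "sub": username}
        return registered_uri + "?" + urlencode({"code": code, "state": q["state"]})

    def token(self, form, client_id, client_secret):
        """Step 4: the back-channel exchange of the code for an access token."""
        if self.clients.get(client_id, (None,))[0] != client_secret:
            raise PermissionError("invalid client credentials")
        if form.get("grant_type") != "authorization_code":
            raise ValueError("unsupported grant_type")
        issued = self.codes.pop(form.get("code"), None)   # single use: pop, not get
        if issued is None or issued["client_id"] != client_id:
            raise PermissionError("invalid or already used code")
        if issued["redirect_uri"] != form.get("redirect_uri"):
            raise PermissionError("redirect_uri mismatch")
        expected = b64url(hashlib.sha256(form.get("code_verifier", "").encode()).digest())
        if not secrets.compare_digest(expected, issued["code_challenge"]):
            raise PermissionError("PKCE verification failed")
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "scope": issued["scope"], "sub": issued["sub"]}


class Client:
    """The confidential, server-side application (the web app in this page's terms)."""

    def __init__(self, client_id, client_secret, redirect_uri, server):
        self.client_id, self.client_secret = client_id, client_secret
        self.redirect_uri, self.server = redirect_uri, server
        self.pending = {}   # state -> code_verifier, kept server-side per login attempt

    def start_login(self, scope="openid profile"):
        state = secrets.token_urlsafe(16)
        verifier = secrets.token_urlsafe(48)   # 64 unreserved chars, within RFC 7636's 43..128
        self.pending[state] = verifier
        return AUTHORIZE_ENDPOINT + "?" + urlencode({
            "response_type": "code", "client_id": self.client_id,
            "redirect_uri": self.redirect_uri, "scope": scope, "state": state,
            "code_challenge": b64url(hashlib.sha256(verifier.encode()).digest()),
            "code_challenge_method": "S256"})

    def handle_callback(self, callback_url):
        q = query(callback_url)
        verifier = self.pending.pop(q.get("state", ""), None)
        if verifier is None:
            raise PermissionError("unknown state: CSRF or replayed callback")
        if "error" in q:
            raise PermissionError(q["error"])
        return self.server.token({"grant_type": "authorization_code", "code": q["code"],
                                  "redirect_uri": self.redirect_uri, "code_verifier": verifier},
                                 self.client_id, self.client_secret)


def run_flow():
    """Drive the five steps once, then try to replay the code as an interceptor would."""
    server = AuthorizationServer()
    client = Client("dotnetflix-web", "s3cret", "https://app.example/signin-oidc", server)
    server.register_client(client.client_id, client.client_secret, client.redirect_uri)
    callback = server.authorize(client.start_login(), "alice", "correct horse")
    tokens = client.handle_callback(callback)      # step 5 would send tokens["access_token"]
    try:
        server.token({"grant_type": "authorization_code", "code": query(callback)["code"],
                      "redirect_uri": client.redirect_uri, "code_verifier": "x" * 43},
                     client.client_id, client.client_secret)
        replay_rejected = False
    except PermissionError:
        replay_rejected = True
    return tokens, replay_rejected
```

The three rejections worth noticing are the ones the text's description leaves implicit: a callback carrying a state the client never issued is dropped before any token request is made (CSRF protection), a code presented twice fails because it is popped from the store on first use, and a code presented without the matching code_verifier fails PKCE even when the caller holds valid client credentials.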

Why Use Authorization Code Grant?

For the initial sign-up, we still need to have a secure way of authenticating users, and that's where the Authorization Code Grant comes in. It offers a secure method of authenticating users without exposing their credentials to third-party applications.

While passwordless authentication via WebAuthn is preferred, there are practical limitations. For instance, a roaming authenticator like a YubiKey cannot be used on all platforms, especially mobile devices. Platform authenticators, on the other hand, rely on biometrics, and that biometric data never leaves the device: if it were breached, you could not reset your fingerprint or face the way you can reset a password. Hence, the Authorization Code Grant provides a robust and secure fallback mechanism.