Overview

For a more thorough understanding of the OAuth authorization flow, please refer to the specification. A very incomplete overview of the OAuth authorization flow can be found in the following diagram.

The above diagram describes the following steps:

  1. Sending an Authorization Request to the Resource Owner.
  2. Receiving an Authorization Code in response to the Authorization Request.
  3. Sending an Authorization Code to the Resource Owner.
  4. Receiving an Access Token and Refresh Token in response to the Authorization Code.
  5. Using the Access Token to make requests for Protected Resources to a Resource Server.
  6. Receiving the Protected Resource in response to the previous request.
  7. Trying to use an expired Access Token to make requests for Protected Resources to a Resource Server.
  8. Receiving an Invalid Token error in response to the request for Protected Resources.
  9. Exchanging the Refresh Token for a new Access Token with the Resource Owner.
  10. Receiving a new Access Token and Refresh Token in response to the exchange.

After Step 10, the OAuth Client can continue to access resources on the Resource Server.

The authorization process requires valid Client Credentials: a Client ID and sometimes a Client Secret. Read more about OAuth Clients to learn about generating and using these credentials.

Access to the protected resources is determined by one or more Scopes. The authorization flow is as follows:

  1. The OAuth Client will specify the Scopes they require during authorization.
  2. Users will confirm they wish to give the target OAuth Client access to those Scopes on their behalf.
  3. The returned Access Token will have the requested Scopes embedded.
  4. Resource Services will then verify the required Scopes are present in the Access Token before allowing access to protected resources.

You can read more about IMS Permissions and Scopes in the IMS Permissions and Scopes guide.
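The ten-step flow and the Scope checks above can be traced end to end with a small simulation. The following is an added example, not code from this page or from IMS: it models a hypothetical in-memory Authorization Server (the token-issuing side the page calls the Resource Owner), a Resource Server that checks expiry and the required Scope, and an OAuth Client that exchanges a code, is refused with `invalid_token` once the Access Token expires, and refreshes exactly once. All client ids, secrets, scope names, TTLs and the returned resource are constructed values; token formats and endpoint names are assumptions and do not reflect any real IMS API.

```python
import secrets


class Clock:
    """Adjustable clock so the example can simulate Access Token expiry offline."""
    def __init__(self):
        self.t = 1_000_000.0        # constructed starting timestamp

    def now(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


class AuthorizationServer:
    """Hypothetical in-memory stand-in for the token-issuing side of the flow."""
    def __init__(self, clock, client_id, client_secret, access_ttl=3600):
        self.clock, self.access_ttl = clock, access_ttl
        self.clients = {client_id: client_secret}
        self.codes = {}     # authorization code -> (client_id, scopes); single use
        self.refresh = {}   # refresh token -> (client_id, scopes); rotated on use
        self.tokens = {}    # access token -> (scopes, expiry timestamp)

    def authorize(self, client_id, scopes, user_consents):
        # Steps 1-2: the client asks for Scopes, the user confirms, a code is issued.
        if client_id not in self.clients or not user_consents:
            return None
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, frozenset(scopes))
        return code

    def token(self, client_id, client_secret, grant_type, **params):
        # Steps 3-4 (authorization_code) and 9-10 (refresh_token). Client
        # Credentials are checked with a constant-time comparison.
        expected = self.clients.get(client_id)
        if expected is None or not secrets.compare_digest(expected, client_secret):
            return {"error": "invalid_client"}
        if grant_type == "authorization_code":
            entry = self.codes.pop(params.get("code"), None)
        elif grant_type == "refresh_token":
            entry = self.refresh.pop(params.get("refresh_token"), None)
        else:
            return {"error": "unsupported_grant_type"}
        if entry is None or entry[0] != client_id:
            return {"error": "invalid_grant"}
        scopes = entry[1]
        access, refresh = secrets.token_urlsafe(24), secrets.token_urlsafe(24)
        self.tokens[access] = (scopes, self.clock.now() + self.access_ttl)
        self.refresh[refresh] = (client_id, scopes)
        return {"access_token": access, "refresh_token": refresh,
                "scope": sorted(scopes), "expires_in": self.access_ttl}

    def introspect(self, access_token):
        # Returns the embedded Scopes, or None if the token is unknown or expired.
        entry = self.tokens.get(access_token)
        if entry is None or entry[1] <= self.clock.now():
            return None
        return entry[0]


class ResourceServer:
    """Verifies expiry and the required Scope before releasing a protected resource."""
    def __init__(self, auth_server, required_scope):
        self.auth, self.required_scope = auth_server, required_scope

    def get(self, access_token):
        scopes = self.auth.introspect(access_token)
        if scopes is None:
            return 401, {"error": "invalid_token"}               # step 8
        if self.required_scope not in scopes:
            return 403, {"error": "insufficient_scope"}          # scope check
        return 200, {"resource": "constructed profile record"}  # step 6


class OAuthClient:
    """Holds Client Credentials and tokens; refreshes once on invalid_token."""
    def __init__(self, auth_server, client_id, client_secret):
        self.auth, self.client_id, self.client_secret = auth_server, client_id, client_secret
        self.tokens = {}

    def exchange_code(self, code):
        self.tokens = self.auth.token(self.client_id, self.client_secret,
                                      "authorization_code", code=code)
        return "error" not in self.tokens

    def fetch(self, resource_server):
        status, body = resource_server.get(self.tokens.get("access_token"))
        if (status == 401 and body.get("error") == "invalid_token"
                and "refresh_token" in self.tokens):
            refreshed = self.auth.token(self.client_id, self.client_secret,
                                        "refresh_token",
                                        refresh_token=self.tokens["refresh_token"])
            if "error" in refreshed:
                return status, body      # refresh failed: surface the original error
            self.tokens = refreshed      # steps 9-10
            status, body = resource_server.get(self.tokens["access_token"])
        return status, body


def run_flow():
    """Walks steps 1-10 with constructed values and returns the observable outcomes."""
    clock = Clock()
    auth = AuthorizationServer(clock, "client-123", "secret-xyz", access_ttl=3600)
    profile_api = ResourceServer(auth, "read_profile")
    admin_api = ResourceServer(auth, "admin")
    client = OAuthClient(auth, "client-123", "secret-xyz")

    code = auth.authorize("client-123", ["read_profile"], user_consents=True)
    exchanged = client.exchange_code(code)
    replay = auth.token("client-123", "secret-xyz", "authorization_code", code=code)
    first = client.fetch(profile_api)[0]
    denied = client.fetch(admin_api)[0]
    old_refresh = client.tokens["refresh_token"]
    clock.advance(3601)                  # the Access Token is now expired (step 7)
    after_refresh = client.fetch(profile_api)[0]
    return {"exchanged": exchanged, "replayed_code": replay.get("error"),
            "first": first, "denied": denied, "after_refresh": after_refresh,
            "refresh_rotated": client.tokens["refresh_token"] != old_refresh}
```

Two behaviours worth noting in the simulation: the authorization code is single use, so a second exchange of the same code is refused with `invalid_grant`, and the Refresh Token is rotated on every use, so the pair returned in step 10 replaces the one from step 4. The Scope check on `admin_api` shows step 4 of the Scope list: a token that is valid but lacks the required Scope gets `insufficient_scope` rather than `invalid_token`, and the client does not attempt a refresh for it.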

Once authorization is granted, the Resource Owner issues an Access Token, which is used to make API calls on behalf of the user, and optionally a Refresh Token.