6. Authenticating with OAuth
OAuth authentication is the process in which Users grant access to their Protected Resources without sharing their credentials with the Consumer. OAuth uses Tokens generated by the Service Provider instead of the User’s credentials in Protected Resources requests. The process uses two Token types:
- Request Token: Used by the Consumer to ask the User to authorize access to the Protected Resources. The User-authorized Request Token is exchanged for an Access Token, MUST only be used once, and MUST NOT be used for any other purpose. It is RECOMMENDED that Request Tokens have a limited lifetime.
- Access Token: Used by the Consumer to access the Protected Resources on behalf of the User. Access Tokens MAY limit access to certain Protected Resources, and MAY have a limited lifetime. Service Providers SHOULD allow Users to revoke Access Tokens. Only the Access Token SHALL be used to access the Protected Resources.
OAuth Authentication is done in three steps:
- The Consumer obtains an unauthorized Request Token.
- The User authorizes the Request Token.
- The Consumer exchanges the Request Token for an Access Token.
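As an added example (not part of the specification text), the following Python model of a Service Provider walks through the three steps above and enforces the token rules this section states: a Request Token can be exchanged at most once and never reaches a Protected Resource, and an Access Token can be revoked. Request signing and the Consumer Key are assumed out of scope here and are omitted; tokens are opaque random strings.

```python
import secrets


class ServiceProvider:
    """In-memory Service Provider for the three-step OAuth flow (illustrative only)."""

    def __init__(self):
        # request token -> state; "exchanged" enforces the use-only-once rule
        self.request_tokens = {}
        # access token -> owning user and revocation flag
        self.access_tokens = {}

    # Step 1: the Consumer obtains an unauthorized Request Token
    def issue_request_token(self):
        token = secrets.token_urlsafe(16)
        self.request_tokens[token] = {"authorized": False, "user": None, "exchanged": False}
        return token

    # Step 2: the User authorizes the Request Token (after logging in at the Provider)
    def authorize(self, token, user):
        rec = self.request_tokens.get(token)
        if rec is None or rec["exchanged"]:
            return False
        rec["authorized"], rec["user"] = True, user
        return True

    # Step 3: the Consumer exchanges the authorized Request Token for an Access Token
    def exchange(self, token):
        rec = self.request_tokens.get(token)
        if rec is None or not rec["authorized"] or rec["exchanged"]:
            return None  # unknown, not yet authorized by the User, or already used once
        rec["exchanged"] = True  # a Request Token MUST only be used once
        access = secrets.token_urlsafe(16)
        self.access_tokens[access] = {"user": rec["user"], "revoked": False}
        return access

    # Service Providers SHOULD allow Users to revoke Access Tokens
    def revoke(self, access):
        rec = self.access_tokens.get(access)
        if rec is None:
            return False
        rec["revoked"] = True
        return True

    # Only an Access Token SHALL be used here; a Request Token is refused outright
    def get_protected_resource(self, token):
        rec = self.access_tokens.get(token)
        if rec is None or rec["revoked"]:
            return None
        return f"private data of {rec['user']}"
```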