Tuesday, April 5, 2016

OAuth 2.0 workflow



OAuth is meant to replace the traditional flow of handing a username and password to another application, and it is more secure.

The user does not need to give his username and password to a third party (such as a small game on Facebook). When he wants to play the game,
the game follows the OAuth workflow to ask for his permission, obtains an access token, and uses that token (not his password) to access his data.

U:  User (resource owner)
C:  Client (application)
A:  Authorization server
R:  Resource server

  1. C registers with A, obtains a client_id and client_secret, and registers its redirect_uri.
  2. The user wants to do something with his resource through C.
  3. If the user is not logged in (C does not yet hold an access token for him):
    1) C sends an Authorization Request to U
    2) U returns an Authorization Grant to C
    3) C sends the Authorization Grant to A
    4) A returns an Access Token to C
    5) C presents the Access Token to R to get the resource
    6) R returns the Protected Resource to C

Some parameters:
response_type => code or token. With code, there is a second step in which C exchanges the code for a token at A;
                 with token, A returns the access token directly (the implicit flow)
client_id => issued to C when it registered with A
redirect_uri => where A sends the response; it must match the URI C registered in step 1, and A should refuse a request whose redirect_uri does not match
scope => which protected resources C is asking to access
state => an unguessable value C picks and sends with the request; A echoes it back, and C checks that the same value returns, so a response C never started is rejected
code => when response_type is code, the authorization code is appended to redirect_uri; it is short-lived and may be used only once
client_secret => issued to C when it registered with A; sent when exchanging the code for a token, never exposed to the browser
grant_type => tells A how the token is being requested; authorization_code when exchanging a code
access_token => presented to R (as a bearer token) to call the API
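The six-step flow and the parameter list above, worked through in code. This is an added example, not code from the original post: a tiny in-memory authorization server, client and resource server (the class and function names, the URLs auth.example and game.example, and the sample resources are assumptions) exchange the parameters listed above, and run_flow then exercises the checks that keep the flow safe: a code cannot be replayed, a callback whose state the client never issued is rejected, an authorization request naming an unregistered redirect_uri is refused, and the resource server honours a token only for the scope it was granted.

```python
"""OAuth 2.0 authorization code flow between U, C, A and R, simulated in memory. Added example,
not the original post's code; class names, example.* URLs and sample resources are assumptions."""
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

def _query(url):  # query string of a URL as a flat dict (first value per key)
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}

class AuthorizationServer:  # plays A: registers clients, issues codes and access tokens
    def __init__(self):
        self.clients, self.codes, self.tokens = {}, {}, {}  # keyed by client_id / code / token
    def register_client(self, redirect_uri):
        """Step 1: C registers once; redirect_uri is pinned here, not chosen per request."""
        client_id, client_secret = secrets.token_hex(8), secrets.token_hex(16)
        self.clients[client_id] = {"secret": client_secret, "redirect_uri": redirect_uri}
        return client_id, client_secret
    def authorize(self, request_url):
        """Steps 1-2: the user consents; A redirects to the registered URI with code and state."""
        q = _query(request_url)
        client = self.clients.get(q.get("client_id"))
        if (client is None or q.get("redirect_uri") != client["redirect_uri"]
                or q.get("response_type") != "code"):
            raise ValueError("unknown client, redirect_uri mismatch or unsupported response_type")
        code = secrets.token_urlsafe(16)
        self.codes[code] = {"client_id": q["client_id"], "redirect_uri": q["redirect_uri"],
                            "scope": q.get("scope", ""), "used": False}
        # state is echoed back unchanged so C can tie this response to its own request
        return client["redirect_uri"] + "?" + urlencode({"code": code, "state": q.get("state", "")})
    def token(self, grant_type, code, redirect_uri, client_id, client_secret):
        """Steps 3-4: C authenticates with client_secret and trades the code for a token."""
        client = self.clients.get(client_id)
        if client is None or not secrets.compare_digest(client["secret"], client_secret):
            return {"error": "invalid_client"}
        rec = self.codes.get(code)
        if (grant_type != "authorization_code" or rec is None or rec["used"]
                or rec["client_id"] != client_id or rec["redirect_uri"] != redirect_uri):
            return {"error": "invalid_grant"}
        rec["used"] = True  # a code is single-use: replaying the same code must fail
        access_token = secrets.token_urlsafe(24)
        self.tokens[access_token] = {"client_id": client_id, "scope": rec["scope"]}
        return {"access_token": access_token, "token_type": "bearer", "scope": rec["scope"]}

# Plays R (steps 5-6). Constructed sample data: path -> (required scope, protected resource).
RESOURCES = {"/scores": ("read:scores", [10, 20]), "/email": ("read:email", "u@example")}

def resource_get(auth_server, path, authorization_header):
    """Serve a resource only to a bearer token that was granted the scope the path needs."""
    scheme, _, token = authorization_header.partition(" ")
    info = auth_server.tokens.get(token) if scheme == "Bearer" else None
    if info is None:
        return 401, None  # missing or unknown token
    required, resource = RESOURCES[path]
    if required not in info["scope"].split():
        return 403, None  # valid token, but this scope was never granted
    return 200, resource

class Client:  # plays C: builds the authorization request and handles the redirect back
    def __init__(self, auth_server, redirect_uri="https://game.example/callback"):
        self.auth_server, self.redirect_uri = auth_server, redirect_uri
        self.client_id, self.client_secret = auth_server.register_client(redirect_uri)
        self.pending_state = None
    def authorization_request(self, scope):
        self.pending_state = secrets.token_urlsafe(16)  # fresh and unguessable, checked on return
        return "https://auth.example/authorize?" + urlencode({
            "response_type": "code", "client_id": self.client_id,
            "redirect_uri": self.redirect_uri, "scope": scope, "state": self.pending_state})
    def handle_callback(self, callback_url):
        q = _query(callback_url)
        if q.get("state") != self.pending_state:  # a response C never started: reject it
            raise ValueError("state mismatch")
        self.pending_state = None
        return self.auth_server.token("authorization_code", q["code"], self.redirect_uri,
                                      self.client_id, self.client_secret)

def _rejected(action):  # True if the server or client refused the request with ValueError
    try:
        action()
        return False
    except ValueError:
        return True

def run_flow():
    """Happy path, then the rejections that keep the flow safe: scope, replay, forged state, foreign redirect_uri."""
    a = AuthorizationServer()
    c = Client(a)
    callback = a.authorize(c.authorization_request("read:scores"))  # the user clicks "allow"
    tok = c.handle_callback(callback)
    status, data = resource_get(a, "/scores", "Bearer " + tok["access_token"])
    scope_status, _ = resource_get(a, "/email", "Bearer " + tok["access_token"])
    replay = a.token("authorization_code", _query(callback)["code"], c.redirect_uri,
                     c.client_id, c.client_secret)
    c.authorization_request("read:scores")
    forged_rejected = _rejected(lambda: c.handle_callback(c.redirect_uri + "?code=x&state=forged"))
    evil = "https://auth.example/authorize?" + urlencode({
        "response_type": "code", "client_id": c.client_id, "scope": "read:scores",
        "redirect_uri": "https://evil.example/cb", "state": "s"})
    evil_rejected = _rejected(lambda: a.authorize(evil))
    return {"status": status, "data": data, "scope_status": scope_status, "replay": replay,
            "forged_rejected": forged_rejected, "evil_rejected": evil_rejected}
```

Call run_flow() to see the outcome of each check. A real deployment does the same round trips as HTTPS redirects through the user's browser plus a POST from C to A's token endpoint; the simulation collapses those into direct method calls so the parameter handling and the checks stay visible.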



The biggest difference between OAuth 1.0a and OAuth 2.0 is the scope parameter, which OAuth 1.0a does not have.





