I am doing an in-depth study of Spring OAuth, and I found some conflicting information. Can someone please clarify?
Specifically, this tutorial states that the /oauth/token
endpoint handles the username and password before granting a refresh token to the client app. By contrast, the Spring OAuth Developer Guide mentions the /oauth/authorize
and /oauth/token
endpoints, but yet does not get specific about how they work.
Does the /oauth/authorize
do 100% of the username/password/nOtherFactors
check and then signal the /oauth/token
endpoint to send a refresh token to the client, so that the client then sends the refresh token to the /oauth/token
endpoint?
Or is all of it handled by the /oauth/token
endpoint?
Is the relationship between /oauth/authorize
and /oauth/token
different for different grant types? How?
Per the OAuth 2.0 specification the authorize and token endpoints have different purposes.
Authorization endpoint is where the resource owner (user) logs in and grants authorization to the client (ex: web application running in the browser or an app running on a mobile device). This is typically used in scenarios where the resource owner's user agent (ex: browser) is redirected to the identity server (authorization server) for authentication. The resource owner's user agent will have direct access to the access token.
Token endpoint is where the client (ex: Server side API or mobile app) calls to exchange the Authorization Code, Client Id and Client Secret for an access token. In this scenario, the user agent is provided with an Authorization code only, no direct access to the access token. The client is a trusted party with access to client Id and Client secret from the authorization server (That is why I mentioned Server side API as the client).
Please read this article that has even better explanation.