I have gone through "On a high level, how does OAuth 2 work?" but I still have some specific questions about how OAuth 2 works.
Here is the sequence of steps for OAuth from the stated link:
1. Site-A registers with Site-B, and obtains a Secret and an ID.
2. When User tells Site-A to access Site-B, User is sent to Site-B where he tells Site-B that he would indeed like to give Site-A permissions to specific information.
3. Site-B redirects User back to Site-A, along with an Authorization Code.
4. Site-A then passes that Authorization Code along with its Secret back to Site-B in return for a Security Token.
5. Site-A then makes requests to Site-B on behalf of User by bundling the Security Token along with requests.
My questions are about the points below:
1) Authentication: in which step does it happen, and how? No one explained how authentication actually happens here.
My understanding on this point: from William Jones's answer it looks like it is happening at step 2. If yes, how is it happening? I believe it's happening with the help of cookies (which are sent automatically when the URL is hit from the same browser instance, like jsessionid for a Java-based app, if the user is already logged in; if not, the service provider asks for credentials explicitly). Is that correct?
2) Authorization Code: I am not sure what the use of the authorization code is here. Why can't Site-B straight away give the security token? I mean, why can't step 4 and step 2 be merged, where Site-A presents the secret code and authenticated data through cookies and Site-B presents the security token?
3) Security/Access Token: My understanding is that once the security token is shared, Site-B will share the info based on that alone. Say Site-A has got security token number 100 from Site-B for user X. Now if user Y of Site-A gets some security token (I understand it's probably not possible to sniff as it's on SSL), then he can access the public info of user X.
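The five steps quoted in the question, as an added illustration that is not part of the question or the linked answer: a constructed in-memory stand-in for Site-B that hands out a short-lived, single-use authorization code in steps 2-3 and, in step 4, redeems it for an access token only when the code is presented together with the Secret registered by the same client. All names, scopes and lifetimes below are made up for the example.

```python
import secrets
import time


class ToyAuthServer:
    """Constructed stand-in for Site-B (authorization server plus resource server)."""

    def __init__(self, code_lifetime=60):
        self.clients = {}   # client_id -> client_secret                 (step 1)
        self.codes = {}     # auth code -> (client_id, user, scope, expiry)
        self.tokens = {}    # access token -> (client_id, user, scope)
        self.code_lifetime = code_lifetime   # seconds a code stays redeemable

    def register_client(self):
        """Step 1: Site-A registers once and receives an ID and a Secret."""
        client_id = "client-" + secrets.token_urlsafe(6)
        client_secret = secrets.token_urlsafe(32)
        self.clients[client_id] = client_secret
        return client_id, client_secret

    def authorize(self, client_id, user, scope):
        """Steps 2-3: the logged-in user consents in the browser and Site-B
        returns a code that travels back to Site-A through that browser."""
        if client_id not in self.clients:
            raise PermissionError("unknown client")
        code = secrets.token_urlsafe(24)
        self.codes[code] = (client_id, user, scope, time.time() + self.code_lifetime)
        return code

    def exchange_code(self, client_id, client_secret, code):
        """Step 4: server-to-server call; the code is worthless on its own and is
        burned on the first attempt, successful or not."""
        issued = self.codes.pop(code, None)          # pop: a code redeems once
        if issued is None:
            raise PermissionError("unknown or already used code")
        code_client, user, scope, expires_at = issued
        expected_secret = self.clients.get(client_id, "")
        if code_client != client_id or not secrets.compare_digest(
                expected_secret, client_secret):
            raise PermissionError("code not issued to this client, or bad secret")
        if time.time() > expires_at:
            raise PermissionError("code expired")
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (client_id, user, scope)
        return token

    def get_resource(self, token):
        """Step 5: the token alone decides whose data, and how much of it, is released."""
        if token not in self.tokens:
            raise PermissionError("invalid token")
        _, user, scope = self.tokens[token]
        return {"user": user, "scope": scope}
```

Running the exchange twice with the same code, or once with the wrong secret, raises PermissionError, which is what separates step 4 from simply returning the token in step 3.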