I need to implement the OAuth 2.0 protocol. I just want to know if the entire workflow is clear to me, and if I have misunderstood something, I'd like you to help me. This is what I understood:
A user, using my client app, has to log in to my system. He submits email and password (having previously signed up) to a server (maybe a servlet on Tomcat). This servlet validates his credentials, and so gives him the grant_type, which in my case is the "password" type (or the credentials one?).

[FIRST QUESTION: does the resource owner also issue the CLIENT_ID and CLIENT_SECRET to the user? If so, how should I generate them? If not, who gives these things to the user? Is the CLIENT_ID the same for every user using my app? SECOND QUESTION: is the grant_type just a string that shows the type of grant (meaning: "password" or "credentials" or "implicit")?]
Now that the user has gained the grant_type and has validated credentials, he needs an access_token and a refresh_token. He has to send grant_type, client_id and client_secret to the authentication_server (which also wraps the token_endpoint), which gives him the access_token and refresh_token. Now the user, when he has to ask something of the resource_server, provides the access_token and the refresh_token. If the access_token has expired, the resource_owner checks whether the refresh_token is still valid, and generates another access_token.

[THIRD QUESTION: why is the refresh_token so useful? If a man in the middle steals the request, he will obtain the access_token and also the refresh_token, so although the access_token will expire, he can obtain others using the refresh_token, right? FOURTH QUESTION: does the user ALWAYS have to send the access_token when requesting something?]
Thanks to everyone. Have a good day. :D :D
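As an added illustration (not part of the question above), here is a constructed in-memory model of the RFC 6749 "password" grant with a separate token endpoint and resource server, showing what the questions are about: the client_id/client_secret are checked at the token endpoint, only the short-lived access_token is presented to the resource server, and the refresh_token is exchanged for a new pair and rotated (single use) to limit the damage if one is stolen. The user, client and secret values are constructed placeholders.

```python
import secrets
import time

# Constructed toy stores; a real authorization server would hash credentials
# and keep these in a database. (RFC 6749 sections 4.3 and 6.)
USERS = {"alice@example.com": "correct horse"}   # constructed resource owner
CLIENTS = {"my-app": "client-secret-xyz"}         # constructed client registration
ACCESS_TTL = 60                                   # access-token lifetime in seconds
access_tokens = {}    # access_token  -> (subject, expiry timestamp)
refresh_tokens = {}   # refresh_token -> subject


def token_endpoint(params, now=None):
    """Authorization server /token endpoint: returns a token response or an RFC 6749 error."""
    now = time.time() if now is None else now
    # The client authenticates itself here; the resource server never sees the secret.
    if CLIENTS.get(params.get("client_id")) != params.get("client_secret"):
        return {"error": "invalid_client"}
    grant = params.get("grant_type")
    if grant == "password":
        sub = params.get("username")
        if USERS.get(sub) != params.get("password"):
            return {"error": "invalid_grant"}
    elif grant == "refresh_token":
        # Rotation: a refresh token is consumed on use, so a stolen copy is only
        # good until the legitimate client refreshes (or it is revoked).
        sub = refresh_tokens.pop(params.get("refresh_token"), None)
        if sub is None:
            return {"error": "invalid_grant"}
    else:
        return {"error": "unsupported_grant_type"}
    access = secrets.token_urlsafe(32)
    refresh = secrets.token_urlsafe(32)
    access_tokens[access] = (sub, now + ACCESS_TTL)
    refresh_tokens[refresh] = sub
    return {"access_token": access, "token_type": "Bearer",
            "expires_in": ACCESS_TTL, "refresh_token": refresh}


def resource_server(bearer, now=None):
    """Resource server: accepts only a valid, unexpired access token on every request."""
    now = time.time() if now is None else now
    entry = access_tokens.get(bearer)
    if entry is None or entry[1] <= now:
        return {"error": "invalid_token"}   # client must refresh and retry
    return {"data": f"profile of {entry[0]}"}
```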