In Oauth2 where are the resources that the resource owner owns?

1
votes

I have been trying to understand about OAuth2 in my question here

Suppose I use my Facebook account to log in to a web site (say Stack Overflow ) via OAuth2. I understand that I am the "resource owner" but which resources am I owning in this scenario?

My things in Facebook or my things in Stack Overflow?

From this Oauth for dummies article it would seem the resources are in Facebook, but from the answers to my question it would seem the resources are in Stack Overflow.

Are the resources the same as the scopes?

[Update]

Looking at the overview here

I learned that

OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 protocol. It enables Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the End-User in an interoperable and REST-like manner.

Also

The OpenID Connect protocol, in abstract, follows the following steps.

  1. The RP (Client) sends a request to the OpenID Provider (OP).
  2. The OP authenticates the End-User and obtains authorization.
  3. The OP responds with an ID Token and usually an Access Token.
  4. The RP can send a request with the Access Token to the UserInfo Endpoint.
  5. The UserInfo Endpoint returns Claims about the End-User.

diagram

2
oauth-2.0openid-connectazure-ad-b2c
stackoverflow.com/questions/4727226/…Kirsten
I got more clarity about my pain reading hueniverse.com/oauth-2-0-and-the-road-to-hell-8eec45921529Kirsten

2 Answers

1
votes

In the above scenario, you as the resource owner authorize access by Stack Overflow as the client application to your Facebook account as the owned resource.

The application's access to your Facebook account is limited to scope of the authorized access.

1
votes

Suppose I use my Facebook account to log in to a web site (say Stack Overflow ) via OAuth2. I understand that I am the "resource owner" but which resources am I owning in this scenario?

First, some websites like SO is actually using OpenID Connect with authorization/authentication, not just OAuth2.0. (Because OAuth2.0 has some limitaions with its features. Especially authentication.)

In this scenario, the website(SO) is the resource definitely. However, the web site like stack overflow uses OpenID Connect which based on Oauth 2.0 to do authentication/authorization. And it's to all customers(2C,not 2B). in this scenario, Facebook account is as a social account in SO. This needs to be configured both Identity providers.

In OAuth, widely speaking, after you signing up SO, you can access the SO, you are the owner of the SO. But strictly speaking, we are just a common user in SO, not the real Owner of this website. This depends on the backend logic of this app/website. In OpenID Connect, you are the End User.

Resource Owner is just a definition in OAuth2.0, we can understand it with the real scenarios. It just means users who can access the resource.

My things in Facebook or my things in Stack Overflow?

I assume that My things mean user profile. It should be in Stack Overflow. As the above I mentioned, Facebook account is just a social account provider for SO. You can login the SO with social accounts, but SO should also create user profile for you and save it to database.

For this scenario, it should be about OpenID Connect. I think you should refer to this protocol in this documentation.

Additional, The scenario like the one in your question should be B2C web app/api. Azure AD B2C is the feature which can achieve this scenario and help you understand the OpenID connect protocols.

Hope this helps!

Update:

Generally, the OP is the origin of users profile. However, the RP also needs to get user profile and also create some user profile in its own database. Of course, as Chris said, Facebook account is the EndUser and resource owner widely speaking.