Documentation


OAuth2 Assertion Flow

In order to understand the Assertion Flow, it's necessary to describe the following concepts:

  • OAuth Client: Application that uses OAuth to access the OAuth Server on behalf of the user or on its own behalf.
  • OAuth Authorization Server: HTTP server that, on receiving an OAuth Client's request, issues tokens granting access to the protected resources.
  • OAuth Server: HTTP server that hosts the protected resources and grants or denies access to them depending on the token presented in the Client's request.
  • Token: A string representing an access grant issued to the client, which must be presented to the OAuth Server in order to access the resource.

OAuth 2 allows authorization for protected resources to be delegated to different Trust Authorities.

The Client, in order to access a protected resource, must first obtain an authorization from the Authorization Server, in the form of a token.

This token is obtained by sending credentials to the Authorization Server.

To get the resource, the Client presents the token it obtained to the resource Server; if the token is valid, the Server returns the resource.

Authorization Flow

What distinguishes this authorization flow is that the credentials sent to the Authorization Server are assertions provided by an SP (the identity provider that authenticated the user). So far, this library supports SAML2 and PAPI assertions.

The steps taken in order to obtain the protected resource are:

  1. The user goes to a Client Application.
  2. From the Client App, the user authenticates at an external SP, which generates a SAML or PAPI assertion.
  3. The Client App sends the assertion it obtained to an Authorization Server. There, a token bound to a certain user, client, scope and lifetime is generated.
  4. The Authorization Server sends the generated token to the Client App.
  5. The Client App, acting on behalf of the user, requests the resource from the Server. The same token can be reused until it expires.
  6. The Server returns the resource if the token presented is valid.
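The six steps above, walked through end to end in an added example that is not part of this library's code: the SP, the Authorization Server and the resource Server are modelled as in-process functions and classes, and the assertion is a constructed HMAC-signed JSON document standing in for a real SAML2 or PAPI assertion (real deployments verify the SP's signature with its certificate instead of a shared key). The issuer URLs, client id, scope name and resource are all hypothetical. The example also shows the checks an Authorization Server should apply before issuing a token (trusted issuer, intact signature, intended audience, unexpired assertion) and the checks the resource Server applies on each request (token known, not expired, covering the requested scope).

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed values for the example (assumption: a real SP signs with a private key
# and the Authorization Server verifies with the SP's public certificate).
SP_KEY = b"constructed-sp-signing-key"
AS_ISSUER_URL = "https://as.example.test"   # hypothetical Authorization Server
SP_ISSUER_URL = "https://sp.example.test"   # hypothetical SP


def sign(payload: dict, key: bytes) -> str:
    """Canonical JSON of the claims, MACed with the SP's key (toy stand-in for XML-DSig)."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def sp_issue_assertion(subject: str, lifetime: int = 300, now: float = None) -> dict:
    """Step 2: the SP authenticates the user and issues a short-lived assertion about them."""
    now = time.time() if now is None else now
    claims = {"iss": SP_ISSUER_URL, "sub": subject, "aud": AS_ISSUER_URL,
              "iat": now, "exp": now + lifetime}
    return {"claims": claims, "sig": sign(claims, SP_KEY)}


class AuthorizationServer:
    """Steps 3 and 4: exchanges a valid assertion for an opaque access token."""

    def __init__(self, trusted_sps: dict, clock=None):
        self.trusted_sps = trusted_sps          # SP issuer URL -> verification key
        self.tokens = {}                        # token string -> grant metadata
        self.clock = clock or time.time         # injectable for deterministic tests

    def token(self, assertion: dict, client_id: str, scope: str, lifetime: int = 3600) -> str:
        claims = assertion["claims"]
        key = self.trusted_sps.get(claims.get("iss"))
        if key is None:
            raise PermissionError("assertion from an untrusted issuer")
        if not hmac.compare_digest(sign(claims, key), assertion["sig"]):
            raise PermissionError("assertion signature does not verify")
        if claims.get("aud") != AS_ISSUER_URL:
            raise PermissionError("assertion not addressed to this Authorization Server")
        if self.clock() >= claims["exp"]:
            raise PermissionError("assertion expired")
        tok = secrets.token_urlsafe(32)         # opaque, unguessable token string
        self.tokens[tok] = {"sub": claims["sub"], "client": client_id,
                            "scope": scope, "exp": self.clock() + lifetime}
        return tok

    def introspect(self, tok: str):
        """Returns the grant bound to the token, or None if unknown or expired."""
        grant = self.tokens.get(tok)
        if grant is None or self.clock() >= grant["exp"]:
            return None
        return grant


class ResourceServer:
    """Steps 5 and 6: returns the resource only for a valid token carrying the right scope."""

    def __init__(self, auth_server: AuthorizationServer):
        self.auth_server = auth_server
        self.resources = {"profile": {"greeting": "hello"}}   # constructed resource

    def get(self, name: str, tok: str) -> dict:
        grant = self.auth_server.introspect(tok)
        if grant is None:
            raise PermissionError("invalid or expired token")
        if name not in grant["scope"].split():
            raise PermissionError("token does not cover this resource")
        return {"owner": grant["sub"], **self.resources[name]}


if __name__ == "__main__":
    auth = AuthorizationServer({SP_ISSUER_URL: SP_KEY})
    rs = ResourceServer(auth)
    assertion = sp_issue_assertion("alice")                                 # step 2
    tok = auth.token(assertion, client_id="client-app", scope="profile")   # steps 3-4
    print(rs.get("profile", tok))                                          # steps 5-6
    print(rs.get("profile", tok))                                          # token reused
```

The injectable clock is what makes expiry testable: with a fixed clock you can show that a token is accepted while it is fresh, that the same token is accepted again on a second request, and that it is refused once its lifetime has passed, without sleeping in a test.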

See the Client Application, Authorization Server and Server sections for more information about how they work.

To download the code and for further installation notes, check the code section.