How to validate an OAuth 2.0 access token for a resource server?

by

Google way

Google Oauth2 Token Validation

Request:

https://www.googleapis.com/oauth2/v1/tokeninfo?access_token=1/fFBGRNJru1FQd44AzqT3Zg

Respond:

{
  "audience":"8819981768.apps.googleusercontent.com",
  "user_id":"123456789",
  "scope":"https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email",
  "expires_in":436
}

Microsoft way

Microsoft – Oauth2 check an authorization

Github way

Github – Oauth2 check an authorization

Request:

GET /applications/:client_id/tokens/:access_token

Respond:

{
  "id": 1,
  "url": "https://api.github.com/authorizations/1",
  "scopes": [
    "public_repo"
  ],
  "token": "abc123",
  "app": {
    "url": "http://my-github-app.com",
    "name": "my github app",
    "client_id": "abcde12345fghij67890"
  },
  "note": "optional note",
  "note_url": "http://optional/note/url",
  "updated_at": "2011-09-06T20:39:23Z",
  "created_at": "2011-09-06T17:26:27Z",
  "user": {
    "login": "octocat",
    "id": 1,
    "avatar_url": "https://github.com/images/error/octocat_happy.gif",
    "gravatar_id": "somehexcode",
    "url": "https://api.github.com/users/octocat"
  }
}

Amazon way

Login With Amazon – Developer Guide (Dec. 2015, page 21)

Request : 

https://api.amazon.com/auth/O2/tokeninfo?access_token=Atza|IQEBLjAsAhRmHjNgHpi0U-Dme37rR6CuUpSR...

Response :

HTTP/l.l 200 OK
Date: Fri, 3l May 20l3 23:22:l0 GMT 
x-amzn-RequestId: eb5be423-ca48-lle2-84ad-5775f45l4b09 
Content-Type: application/json 
Content-Length: 247 

{ 
  "iss":"https://www.amazon.com", 
  "user_id": "amznl.account.K2LI23KL2LK2", 
  "aud": "amznl.oa2-client.ASFWDFBRN", 
  "app_id": "amznl.application.436457DFHDH", 
  "exp": 3597, 
  "iat": l3ll280970
}

More Related Contents:

  1. How is OAuth 2 different from OAuth 1?
  2. What is the difference between the OAuth Authorization Code and Implicit workflows? When to use each one?
  3. Why do access tokens expire?
  4. OAuth 2.0: Benefits and use cases — why?
  5. What is the purpose of the implicit grant authorization type in OAuth 2?
  6. Difference between OAuth 2.0 “state” and OpenID “nonce” parameter? Why state could not be reused?
  7. JWT (Json Web Token) Audience “aud” versus Client_Id – What’s the difference?
  8. OAuth 2.0 with Google Analytics API v3
  9. gapi.auth.signOut(); not working I’m lost
  10. LinkedIn OAuth2: “Unable to verify access token”
  11. OAuth Authorization vs Authentication
  12. Why Does OAuth v2 Have Both Access and Refresh Tokens?
  13. Get user info via Google API
  14. Can I really not ship open source with Client ID? [closed]
  15. CORS issue while making an Ajax request for oauth2 access token
  16. How to validate Azure AD security token?
  17. Why is there an “Authorization Code” flow in OAuth2 when “Implicit” flow works so well?
  18. What are the main differences between JWT and OAuth authentication?
  19. What is the OAuth 2.0 Bearer Token exactly?
  20. Is there any JSON Web Token (JWT) example in C#?
  21. What is the difference between Google Identity Toolkit, Google OAuth, Firebase Auth and Google+ sign in
  22. Spring OAuth redirect_uri not using https
  23. Sign in with Google temporarily disabled for this app
  24. Disable checkboxes on Google consent screen
  25. What exactly is OAuth (Open Authorization)?
  26. Twitter API – Logout
  27. client secret in OAuth 2.0
  28. where is devise implementation of “authenticate_user!” method?
  29. Google API OAuth2, Service Account, “error” : “invalid_grant”
  30. Securing my REST API with OAuth while still allowing authentication via third party OAuth providers (using DotNetOpenAuth)

Leave a Comment