OAuth

saml: https://github.com/onelogin/java-saml/#Settings

https://hnryjms.io/2014/07/oauth2/
http://scottksmith.com/blog/2014/07/02/beer-locker-building-a-restful-api-with-node-oauth2-server/
http://resources.infosecinstitute.com/securing-web-apis-part-ii-creating-an-api-authenticated-with-oauth-2-in-node-js/#gref

http://aaronparecki.com/articles/2012/07/29/1/oauth2-simplified

http://blog.csdn.net/seccloud/article/details/8192707

http://stackoverflow.com/questions/12296017/how-to-validate-a-oauth2-0-access-token-for-a-resource-server

http://pic.dhe.ibm.com/infocenter/wsdatap/v6r0m1/index.jsp?topic=%2Fcom.ibm.dp.xi.doc%2Foauth_threeleggedflow.html

http://kejibo.com/oauth2/

http://code.tutsplus.com/articles/oauth-20-the-good-the-bad-the-ugly--net-33216
http://simpleprogrammer.com/2011/05/25/oauth-and-rest-in-android-part-1/
http://simpleprogrammer.com/2011/05/25/oauth-and-rest-in-android-part-2/

http://www.wired.com/2012/12/when-the-answer-is-oauth-what-was-the-question/
http://www.techiecommunity.net/Webservices/REST-Interview-Questions-Answer

What is the difference between HTTP POST and PUT requests?
http://stackoverflow.com/questions/107390/whats-the-difference-between-a-post-and-a-put-http-request
http://java.dzone.com/articles/rest-web-service-interview
http://javarevisited.blogspot.com/2012/01/rest-web-services-framework-interview.html

http://www.iqspdf.com/2014/04/web-service-interview-questions-and-answers-pdf.html

http://www.javaface.com/19-restful-web-service-interview-questions/
What are the different application integration styles?

The implicit grant flow is primarily targeted at browser-based (e.g. JavaScript) applications. Browser-based applications cannot maintain a client secret because the source code is located in the user's browser. These are known as public clients.

One characteristic of this flow is that there is no refresh token, and any time a client requires a new access token (for example, on expiry or after restarting the browser), user authorization must be re-obtained. Such authorization may be automated at the service provider, essentially making the requirement that the user only needs to authenticate to the authorization endpoint, but not actually view or post a consent page.

http://stackoverflow.com/questions/7522831/what-is-the-purpose-of-the-implicit-grant-authorization-type-in-oauth-2

Here are my thoughts:
1)The purpose of auth code + token in authorization code flow is that token and client secret will never be exposed to resource owner because they travel server-to-server.

2) On the other side, if the user-agent and the client are coupled (e.g. native mobile application, JavaScript application), the implicit grant flow is for clients that are implemented entirely in JavaScript and run in the resource owner's browser. You do not need any server-side code to use this flow. Then everything happens in the resource owner's browser via the URL hash, as stated here:

http://stackoverflow.com/questions/13387698/why-is-there-an-authorization-code-flow-in-oauth2-when-implicit-flow-works-s

https://www.quora.com/Why-does-OAuth-server-return-a-authorization-code-instead-of-access-token-in-the-first-step

The authorization code alone is useless, because it has to be used together with the client id/secret, unless the client is implicitly trusted, e.g. a web browser.

This is why an intermediary one-time-use "authorization code" is provided that only the legitimate receiver will be able to exchange (because you need the client secret) and that the code will be useless to potential hackers intercepting the requests over unencrypted transactions (because they don't know the client secret).
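To make the two points above concrete, here is an added example (not code from this page or from any of the linked articles) of a toy in-memory authorization server. The client registry, client names, redirect URIs and secret are constructed for the demo; the model omits PKCE, so the code grant is only issued to a client that holds a secret. It shows that an authorization code observed in the browser redirect cannot be redeemed without the client secret and cannot be redeemed twice, while the implicit flow hands the token straight to the browser in the URL fragment and issues no refresh token.

```python
"""Toy OAuth 2.0 authorization server (hypothetical, in-memory, not a real
server or library API) contrasting the authorization code flow with the
implicit grant flow."""
import hmac
import secrets
import time
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlparse

# Constructed client registry: one confidential (server-side) client that can
# keep a secret, one public (browser-only) client that cannot.
CLIENTS = {
    "web-app": {"secret": "s3cr3t-only-the-server-knows", "public": False,
                "redirect_uri": "https://app.example/cb"},
    "spa": {"secret": None, "public": True,
            "redirect_uri": "https://spa.example/cb"},
}


@dataclass
class AuthServer:
    # code -> (client_id, redirect_uri, issued_at); every code is single use
    codes: dict = field(default_factory=dict)
    code_ttl: int = 60
    tokens: set = field(default_factory=set)

    def authorize(self, client_id, redirect_uri, response_type, consented=True):
        """Authorization endpoint, after the user has logged in and consented.
        Returns the redirect URL the browser will be sent to."""
        client = CLIENTS.get(client_id)
        if client is None or redirect_uri != client["redirect_uri"]:
            raise ValueError("unknown client or unregistered redirect_uri")
        if not consented:
            return f"{redirect_uri}?error=access_denied"
        if response_type == "code":
            code = secrets.token_urlsafe(24)
            self.codes[code] = (client_id, redirect_uri, time.time())
            # The code travels through the browser in the query string; it is
            # worthless on its own because the token endpoint demands the secret.
            return f"{redirect_uri}?code={code}"
        if response_type == "token":
            if not client["public"]:
                raise ValueError("implicit grant is meant for public clients")
            token = secrets.token_urlsafe(32)
            self.tokens.add(token)
            # Implicit flow: the token is placed in the fragment, which the
            # browser keeps client-side, and no refresh token is issued.
            return f"{redirect_uri}#access_token={token}&token_type=bearer"
        raise ValueError("unsupported response_type")

    def token(self, grant_type, code, client_id, client_secret, redirect_uri):
        """Token endpoint, called server-to-server by the client back end."""
        if grant_type != "authorization_code":
            raise ValueError("unsupported_grant_type")
        client = CLIENTS.get(client_id)
        if client is None or client["secret"] is None:
            raise PermissionError("invalid_client: confidential client required")
        # Authenticate the client first; a wrong secret does not consume the code.
        if not hmac.compare_digest(client["secret"], client_secret or ""):
            raise PermissionError("invalid_client")
        entry = self.codes.pop(code, None)  # single use: gone after first redemption
        if entry is None:
            raise PermissionError("invalid_grant: unknown or already used code")
        owner, uri, issued = entry
        if owner != client_id or uri != redirect_uri:
            raise PermissionError("invalid_grant: code bound to another client/uri")
        if time.time() - issued > self.code_ttl:
            raise PermissionError("invalid_grant: code expired")
        token = secrets.token_urlsafe(32)
        self.tokens.add(token)
        return {"access_token": token, "token_type": "bearer",
                "refresh_token": secrets.token_urlsafe(32)}


def code_from_redirect(url):
    """Extract the one-time code from the redirect URL's query string."""
    return parse_qs(urlparse(url).query)["code"][0]


def run_scenarios():
    """Walk both flows with the constructed clients; return what each step yielded."""
    srv = AuthServer()
    uri = CLIENTS["web-app"]["redirect_uri"]
    results = {}
    # Authorization code flow: the browser is redirected carrying a one-time code.
    code = code_from_redirect(srv.authorize("web-app", uri, "code"))
    results["code_in_query"] = code in srv.codes
    # Anyone who only saw the redirect cannot redeem the code without the secret.
    try:
        srv.token("authorization_code", code, "web-app", "wrong-secret", uri)
        results["redeem_without_secret"] = True
    except PermissionError:
        results["redeem_without_secret"] = False
    # The legitimate back end redeems it and receives a refresh token as well.
    tok = srv.token("authorization_code", code, "web-app", CLIENTS["web-app"]["secret"], uri)
    results["got_refresh_token"] = "refresh_token" in tok
    # Presenting the same code a second time is rejected.
    try:
        srv.token("authorization_code", code, "web-app", CLIENTS["web-app"]["secret"], uri)
        results["code_reusable"] = True
    except PermissionError:
        results["code_reusable"] = False
    # Implicit flow for the browser-only client: token arrives in the fragment.
    frag = parse_qs(urlparse(srv.authorize("spa", CLIENTS["spa"]["redirect_uri"], "token")).fragment)
    results["token_in_fragment"] = "access_token" in frag
    results["implicit_refresh_token"] = "refresh_token" in frag
    return results


if __name__ == "__main__":
    print(run_scenarios())
```

The ordering in `token()` matters: the client is authenticated before the code is looked up, so a failed redemption attempt with a wrong secret does not burn the code for the legitimate client, while a successful redemption removes it so a replay fails.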

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-ShareAlike 3.0 License