prime-8-consulting / meteor-oauth2


OAuth Overview - Miscellaneous Documentation #7

Closed awatson1978 closed 8 years ago

awatson1978 commented 8 years ago

And is the following diagram in alignment with this source code implementation? Specifically, would resourceOwner in the source code match the ResourceOwner (User) or the Client Application?

OAuth Overview

vangorra commented 8 years ago

In the diagram, the roles of the "Resource Server" and "Authorization Server" are both handled by the "resourceOwner" example in this repo. So the inter-communication between those two is a bit confusing. This functionality is provided by the meteor-oauth2-server package.

The role of "Client Application" is handled by the "resourceServer" example and its functionality is provided by the meteor-oauth2-client package.

Without some extra meta-data, this diagram is confusing. Here is some information that should help clear up the process.

Step 1: User initiated behavior via HTTP GET.
Step 2: Also user initiated. Typically by clicking the "Login with " button.
Step 3: Client browser is redirected to the "Client Application" with the authorization code.
Step 4: "Client Application" performs direct server-to-server communication to verify the authorization code and get an access token.
Step 5: "Client Application" can use the access token to get data from the "Resource Server". The "Resource Server" will verify the access token for each request.

awatson1978 commented 8 years ago

Excellent. This is exactly why I decided to ask! :)

I'll update this diagram, and post a revision in a bit.

awatson1978 commented 8 years ago

Okay, so I don't think this diagram is the one to use. Its iconography and colors make it friendly at first glance, and it gives a clear depiction of the different entities involved in the flow. However, the network sequence is hand-wavy and inexact and confusing. Will be rolling the good points of this diagram into the others.