As I understand the way OAuth2 works:
There are:
a) client browser
b) Resource Server
c) Authorization server (for example facebook)
1.1 The browser accesses the resource-server, which responds with a 401.
2.1 The user enters the username / password for the auth server by hand; the browser goes to the auth-server, sending it the login / password by POST.
2.2 Auth-server gives the browser some kind of token, which will be a confirmation that the browser has logged in to the auth-server.
3.1 The browser goes to the auth-server, sending it the previously received token, as well as client_id - the id of the resource server application it wants to access.
3.2 The auth server gives the browser a code.
4.1 The browser goes to the resource-server, passing it a code.
4.2 The resource-server receives the code and goes with it to the auth-server, which generates an access_token and refresh_token and gives them to the resource-server.
4.3 Resource-server transfers the received access_token and refresh_token to the browser.
5.1 The browser goes to the resource-server, passing it an access_token.
5.2 The resource-server verifies the validity of the access_token by sending it to the auth-server.
5.3 After receiving a reply from the auth server that the access_token is valid, it sends the requested resource to the browser.
It turns out that the browser receives access_token not from the auth server, but from the resource server.
1. Do I understand the interaction between the client browser, the resource server and the auth server correctly?
In this case, if there is another resource server that is authenticated through the same auth-server, then the client’s browser accessing it without an auth token will receive a 401 response. Then the browser will prompt the user to enter the login / password for the auth server, and then the same steps follow.
2. If so, then this scheme does not relieve the user from re-entering the login / password for each new application, despite the fact that they all use the same auth-server?
3. How is not just authentication verified, but also user authorization? I.e., where do we check user roles?
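A minimal in-memory simulation of the three parties in the authorization-code flow described above (auth server issuing a one-time code bound to a client_id, the code exchanged for an access_token, the resource server introspecting the token and then applying its own role check). This is an added example written for this question, not code from the question or from any real OAuth2 library; the client ids, secrets, users and roles are constructed.

```python
import secrets

# Toy in-memory authorization server, constructed for this example (not a real library).
class AuthServer:
    def __init__(self, clients, users):
        self.clients = clients   # client_id -> {"secret": ..}
        self.users = users       # username -> {"password": .., "roles": [..]}
        self.codes = {}          # one-time code -> (username, client_id)
        self.tokens = {}         # access_token -> (username, client_id)

    def authorize(self, username, password, client_id):
        # Steps 2-3: user authenticates at the auth server; the code is bound to client_id.
        user = self.users.get(username)
        if user is None or user["password"] != password or client_id not in self.clients:
            return None
        code = secrets.token_urlsafe(16)
        self.codes[code] = (username, client_id)
        return code

    def token(self, code, client_id, client_secret):
        # Step 4.2: the code is redeemable once, only by the client it was issued to,
        # and only if that client proves its secret (any failed attempt burns the code).
        entry = self.codes.pop(code, None)
        client = self.clients.get(client_id)
        if entry is None or entry[1] != client_id or client is None:
            return None
        if not secrets.compare_digest(client["secret"], client_secret):
            return None
        access_token = secrets.token_urlsafe(24)
        self.tokens[access_token] = (entry[0], client_id)
        return {"access_token": access_token, "token_type": "Bearer"}

    def introspect(self, access_token):
        # Step 5.2: the resource server asks the auth server whether the token is active
        # and which user / roles it represents.
        entry = self.tokens.get(access_token)
        if entry is None:
            return {"active": False}
        return {"active": True, "username": entry[0], "roles": self.users[entry[0]]["roles"]}

def fetch_resource(auth_server, access_token, required_role):
    # Steps 5.2-5.3: authentication is the auth server's verdict (401 if not active);
    # authorization is the resource server's own policy on the returned roles (403).
    info = auth_server.introspect(access_token)
    if not info["active"]:
        return 401
    if required_role not in info["roles"]:
        return 403
    return 200
```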