path: root/docs/oauth2/clients/client.rst
======================
OAuth 2: Using Clients
======================

OAuthLib supports all four core grant types defined in the OAuth 2 RFC and
will continue to add more as they are defined. For more information on how
to use them please browse the documentation for each client type below.

.. toctree::
    :maxdepth: 2

    baseclient
    webapplicationclient
    mobileapplicationclient
    legacyapplicationclient
    backendapplicationclient

**A few notes on security**
    OAuth 2 is much simpler to implement for clients than OAuth 1, as
    cryptographic signing is no longer necessary. Instead, a strict
    requirement on the use of TLS for all connections has been
    introduced::

        # OAuthLib will raise errors if you attempt to interact with a
        # non HTTPS endpoint during authorization.
        # However OAuthLib offers no such protection during token requests
        # as the URI is not provided, only the request body.

    Note that while OAuth 2 is simpler, it does subtly transfer a few important
    responsibilities from the provider to the client. Most notably, the client
    must ensure that all tokens are kept secret at all times. Access to protected
    resources using Bearer tokens provides no authentication of the client, which
    means that a malicious party able to obtain your tokens can use them without
    the provider being able to tell the difference. This is unlike OAuth 1, where a
    lost token could not be used without the client secret and the token-bound
    secret, since both are required to sign each request::

        # DO NOT REGISTER A NON-HTTPS REDIRECTION URI
        # OAuthLib will raise errors if you attempt to parse a response
        # redirect back to an insecure redirection endpoint.
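The two notes above describe checks a client has to care about: TLS on the
authorization and redirection endpoints (which OAuthLib enforces), TLS on the
token endpoint (which OAuthLib cannot check, since it only sees the request
body), and keeping Bearer tokens out of places such as logs. The following is an
added example, not OAuthLib's own code and not from the requests-oauthlib project;
the ``InsecureTransportError`` class, the function names and the sample URIs are
all constructed for illustration. It applies the HTTPS check to every URI a
client handles, including the token endpoint, and redacts tokens and
authorization codes before a line reaches a log.

```python
"""Added example (not OAuthLib's code): client-side TLS and secrecy checks."""
import re
from urllib.parse import parse_qs, urlsplit


class InsecureTransportError(ValueError):
    """Raised when an endpoint or redirect URI is not HTTPS.

    Hypothetical class defined for this example; OAuthLib raises its own
    exception type for the same condition.
    """


def is_secure_transport(uri):
    """True only for an absolute https:// URI that names a host."""
    parts = urlsplit(uri)
    return parts.scheme.lower() == "https" and bool(parts.netloc)


def require_https(uri, purpose):
    """Refuse to proceed with any non-HTTPS URI, whatever it is used for."""
    if not is_secure_transport(uri):
        raise InsecureTransportError(f"{purpose} must use HTTPS: {uri!r}")
    return uri


def parse_redirect_response(uri, expected_state):
    """Extract the authorization code from the redirect back to the client.

    Mirrors the behaviour described in the notes: an insecure redirection
    endpoint is rejected before anything is parsed, and the state parameter
    must match the one the client generated for this authorization request.
    """
    require_https(uri, "redirection endpoint")
    params = parse_qs(urlsplit(uri).query)
    if params.get("state", [None])[0] != expected_state:
        raise ValueError("state parameter does not match the pending request")
    if "error" in params:
        raise ValueError(f"authorization failed: {params['error'][0]}")
    return params["code"][0]


def prepare_token_request(token_url, redirect_uri, code, client_id):
    """Build an authorization_code token request after checking every URI.

    OAuthLib only prepares the body here and never sees token_url, so the
    HTTPS check on the token endpoint is the caller's responsibility.
    Returns (url, body) for the HTTP library to POST as form data.
    """
    require_https(token_url, "token endpoint")
    require_https(redirect_uri, "redirect URI")
    body = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
    }
    return token_url, body


# Bearer tokens, refresh tokens and authorization codes must never be logged:
# anyone who reads the log can replay them, since the provider cannot tell
# the legitimate client apart from a thief.
_SECRET_RE = re.compile(
    r"(?i)(bearer\s+|access_token=|refresh_token=|code=)([^\s&\"']+)"
)


def redact_secrets(text):
    """Replace token and code values in a log line with a fixed marker."""
    return _SECRET_RE.sub(lambda m: m.group(1) + "[REDACTED]", text)


if __name__ == "__main__":
    # Constructed sample values; no network access is made.
    code = parse_redirect_response(
        "https://app.example/cb?code=c0de&state=s1", expected_state="s1"
    )
    url, body = prepare_token_request(
        "https://auth.example/token", "https://app.example/cb", code, "my-client"
    )
    print(url, redact_secrets(f"code={body['code']}"))
    try:
        prepare_token_request("http://auth.example/token",
                              "https://app.example/cb", code, "my-client")
    except InsecureTransportError as exc:
        print("rejected:", exc)
```

``parse_redirect_response`` deliberately checks the transport before looking at
the query string, so a code delivered over plain HTTP is never read into the
process at all; ``redact_secrets`` is meant to wrap whatever the HTTP library
hands to the logger, not to replace TLS or secure token storage.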

**Existing libraries**
    If you are using the `requests`_ HTTP library you may be interested in using
    `requests-oauthlib`_ which provides an OAuth 2 Client. This client removes much
    of the boilerplate you might otherwise need to deal with when interacting
    with OAuthLib directly.

    If you are interested in integrating OAuth 2 support into your favourite
    HTTP library you might find the requests-oauthlib implementation interesting.

    .. _`requests`: https://github.com/kennethreitz/requests
    .. _`requests-oauthlib`: https://github.com/requests/requests-oauthlib