The client presents an access token to the resource server in order to access protected resources. The resource server must validate the access token and verify that it is genuine and has not expired before serving the request.
There are two standard ways of sending credentials −
Bearer Token − The access token is placed in the Authorization HTTP header; placing it in the POST request body or as a GET URL parameter is only a fallback option.
They are included in the authorization header as follows −
Authorization: Bearer [token-value]
For Example −

GET /resource/1 HTTP/1.1
Host: example.com
Authorization: Bearer abc...
MAC − A cryptographic Message Authentication Code (MAC) is computed over elements of the request and sent in the Authorization header. Upon receiving the request, the resource server recomputes the MAC from the same request elements and compares it with the value presented by the client.
The following table shows the concepts involved in accessing a protected resource.

Sr.No. | Concept & Description
---|---
1 | Authenticated Requests − Used to present the access token obtained via the authorization code flow when accessing the owner's resources in the system.
2 | The WWW-Authenticate Response Header Field − The resource server includes the "WWW-Authenticate" response header field if the protected resource request contains an invalid access token.
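The following is an added example, not code from the original tutorial, showing how a resource server would handle the concepts above: it extracts a bearer token from the Authorization header (falling back to the form body or query string), checks it against a token store for validity and expiry, answers with a WWW-Authenticate header when the token is missing or invalid, and verifies a MAC-style credential by recomputing it over request elements. The token store, the token values, the realm name, the 300-second freshness window and the exact layout of the string the MAC is computed over are constructed assumptions for illustration; the error vocabulary follows RFC 6750.

```python
"""Added example (not from the original tutorial): a minimal resource-server
check for OAuth 2.0 access tokens. The token store, token values, realm,
freshness window and MAC input layout are constructed assumptions."""
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlsplit

# Constructed token store: token value -> expiry time and optional MAC key.
TOKEN_STORE = {
    "abc123": {"expires_at": time.time() + 3600, "mac_key": b"constructed-secret-key"},
    "expired": {"expires_at": time.time() - 1, "mac_key": None},
}

MAC_FRESHNESS_SECONDS = 300  # assumed window for accepting a MAC timestamp


def extract_bearer_token(headers, query_string="", form_body="", content_type=""):
    """Locate a bearer token. The Authorization header is the primary location;
    the form body and the query string are only fallback locations."""
    auth = headers.get("Authorization", "")
    scheme, _, value = auth.partition(" ")
    if scheme.lower() == "bearer" and value.strip():
        return value.strip()
    if content_type == "application/x-www-form-urlencoded":
        tokens = parse_qs(form_body).get("access_token")
        if tokens:
            return tokens[0]
    tokens = parse_qs(query_string).get("access_token")
    if tokens:
        return tokens[0]
    return None


def validate_token(token, now=None):
    """Return (ok, error_code). A missing token yields no error code, so the
    challenge carries no error attribute; an unknown or expired token is
    reported as invalid_token."""
    now = time.time() if now is None else now
    if token is None:
        return False, None
    entry = TOKEN_STORE.get(token)
    if entry is None or now >= entry["expires_at"]:
        return False, "invalid_token"
    return True, None


def handle_request(method, uri, headers, form_body="", content_type=""):
    """Produce (status, response headers) for a protected-resource request."""
    parts = urlsplit(uri)
    token = extract_bearer_token(headers, parts.query, form_body, content_type)
    ok, error = validate_token(token)
    if ok:
        return 200, {}
    challenge = 'Bearer realm="example"'
    if error:
        challenge += f', error="{error}"'
    return 401, {"WWW-Authenticate": challenge}


def compute_mac(key, method, uri, host, timestamp, nonce):
    """HMAC-SHA256 over a constructed normalized string of request elements:
    method, request URI, host, timestamp and nonce, one per line."""
    msg = "\n".join([method.upper(), uri, host, str(timestamp), nonce]).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify_mac(token, method, uri, host, timestamp, nonce, presented_mac, now=None):
    """Recompute the MAC from the received request and compare it in constant
    time; reject stale timestamps so a captured request cannot be replayed
    indefinitely."""
    entry = TOKEN_STORE.get(token)
    if entry is None or entry["mac_key"] is None:
        return False
    now = time.time() if now is None else now
    if abs(now - timestamp) > MAC_FRESHNESS_SECONDS:
        return False
    expected = compute_mac(entry["mac_key"], method, uri, host, timestamp, nonce)
    return hmac.compare_digest(expected, presented_mac)


if __name__ == "__main__":
    print(handle_request("GET", "/resource/1", {"Authorization": "Bearer abc123"}))
    print(handle_request("GET", "/resource/1", {"Authorization": "Bearer expired"}))
    print(handle_request("GET", "/resource/1", {}))
```

The design point worth noting is that the missing-token and invalid-token cases produce different challenges: a request with no credentials at all gets a bare `WWW-Authenticate: Bearer realm="..."`, while a bad or expired token gets `error="invalid_token"`, so clients can tell "you need to authenticate" from "your token is no longer good". The MAC path uses `hmac.compare_digest` rather than `==` so the comparison does not leak timing information, and the timestamp window bounds how long a captured request remains replayable.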