What are two steps in the OAuth2 protocol flow? (Choose two.)
In the OAuth2 protocol flow, one of the initial steps involves the user indirectly requesting authorization through the authorization server. This is when the user grants permission to a client application to access their protected resources, which aligns with option C. Another key step is when the user requests an access token by presenting authentication and authorization grant to the authorization server. This is captured in option D, where the server uses the authentication and authorization grant to issue an access token to the client application. Therefore, the correct answers are the user indirectly requests authorization and the request for an access token following authentication and the presentation of the authorization grant.
A can't be correct because a user is not granted an access token. It's issued to a client / app. B can't be correct because the credentials are validated by the authorization server. The resource server validates the client's / app's access token. D can't be correct because a user doesn't request an access token. A client / app does. I would go with C because a user wants an authorization server to authorize the client / app. E could be correct because the user requests a protected resource (which is accessed by a client / app) and he uses his original credentials, which are not shared with the client / app. It uses the authorization code grant flow to get access.
I think the question is wrong and some "user" should be replaced with "client"
The correct answers are C. The user indirectly requests authorization through the authorization server and A. The user is authenticated by the authorization server and granted an access token. The OAuth2 protocol flow is a process that allows users to grant third-party applications access to their protected resources. The flow consists of four steps: The user indirectly requests authorization through the authorization server. The user is authenticated by the authorization server and granted an access token. The user requests the protected resource from the resource server using the access token. The resource server validates the access token and grants access to the protected resource.
Just a reference, ChatGPT says the answer was A & C.
Asked ChatGPT too, would also go with AC
Two steps in the OAuth2 protocol flow are: C. The user indirectly requests authorization through the authorization server. D. The user requests an access token by authentication and authorization grant presentation. In OAuth2, the flow typically involves the following steps: The user indirectly requests authorization through the authorization server (step C). This involves the user granting permission to a client application to access their protected resources. The user then requests an access token by presenting authentication and authorization grant to the authorization server (step D). The authorization grant may include information like the user's identity and the client's identity, which the authorization server uses to issue an access token.
All of them seem wrong. A: The user (resource owner) doesn't request an access token. B is incorrect as the original credentials are never sent to the resource server, only an access token. C: The user is the one giving permission. E is wrong for the same reason. It is also wrong as the user isn't the one requesting the resource from the resource server. The client does. D is wrong as the user requests an auth token, not an access token. The access token is requested by the client using the auth token.
Source: https://www.digitalocean.com/community/tutorials/an-introduction-to-oauth-2
1. The application requests authorization to access service resources from the user.
2. If the user authorized the request, the application receives an authorization grant.
3. The application requests an access token from the authorization server (API) by presenting authentication of its own identity, and the authorization grant.
4. If the application identity is authenticated and the authorization grant is valid (option D), the authorization server (API) issues an access token to the application (option A). Authorization is complete.
5. The application requests the resource from the resource server (API) and presents the access token for authentication.
6. If the access token is valid, the resource server (API) serves the resource to the application.
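The six steps above, as an added example that is not part of the thread or the tutorial it cites: an in-memory simulation of the authorization code flow in which the client (not the user) authenticates to the authorization server and exchanges the grant for an access token, and the resource server checks only that token, never the user's credentials. The client id, client secret, user name, scope and photo list are constructed sample values.

```python
import hmac
import secrets

class AuthorizationServer:
    """Constructed stand-in for the authorization server (API)."""
    def __init__(self):
        self.clients = {"photo-app": "client-secret-123"}  # client_id -> client_secret
        self.codes = {}   # authorization code -> (client_id, user, scope)
        self.tokens = {}  # access token -> (client_id, user, scope)

    def authorize(self, client_id, user, scope):
        """Steps 1-2: the resource owner approves the client here; the
        authorization grant (a single-use code) is handed to the client."""
        if client_id not in self.clients:
            raise ValueError("unknown client")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, user, scope)
        return code

    def token(self, client_id, client_secret, code):
        """Steps 3-4: the client presents its own credentials plus the grant;
        both are validated before an access token is issued to the client."""
        expected = self.clients.get(client_id)
        if expected is None or not hmac.compare_digest(expected, client_secret):
            raise PermissionError("client authentication failed")
        grant = self.codes.pop(code, None)  # pop: a code can be redeemed only once
        if grant is None or grant[0] != client_id:
            raise PermissionError("invalid authorization grant")
        token = secrets.token_urlsafe(16)
        self.tokens[token] = grant
        return token

class ResourceServer:
    """Constructed stand-in for the resource server (API)."""
    def __init__(self, auth_server):
        self.auth_server = auth_server
        self.photos = {"alice": ["beach.jpg", "cat.jpg"]}  # constructed resource

    def get_photos(self, access_token):
        """Steps 5-6: only the access token is validated; the user's password
        never reaches this server."""
        entry = self.auth_server.tokens.get(access_token)
        if entry is None or entry[2] != "photos:read":
            raise PermissionError("invalid or insufficiently scoped token")
        return list(self.photos[entry[1]])

def run_flow():
    auth, api = AuthorizationServer(), ResourceServer(None)
    api.auth_server = auth
    code = auth.authorize("photo-app", "alice", "photos:read")          # user consents
    token = auth.token("photo-app", "client-secret-123", code)          # client redeems grant
    return api.get_photos(token)                                        # client uses token
```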
Sorry for my mistake, I am confusing the client (application) and the user (resource owner). I will go with A, E.
Sorry, A, C.
A&E kind of looks like the best options, but E is actually a bit weird. Strictly speaking, I think the user requests the protected resource by interacting with the Auth server, and not the resource server. But not too sure... I'm not too big on OAuth.
For me the solution is A and C
ChatGPT says: Answers: A. The user is authenticated by the authorization server and granted an access token. and D. The user requests an access token by authentication and authorization grant presentation.
Description provided by johntermlen is fully correct.
I think the given answer AE is correct.
Just hoping that the wording is incorrect or has been corrected in the meantime, or that this question does not appear on the final exam...
A & D. User here means the client app, not the resource owner. E is incorrect. The client uses the access token to request the resource from the resource server, not the original credentials.
A and E. https://www.digitalocean.com/community/tutorials/an-introduction-to-oauth-2
If C would state "client" then it would be a valid option, see https://www.digitalocean.com/community/tutorials/an-introduction-to-oauth-2
I would say C and E are the correct answers.