Supporting Terminology

Back-Channel Communication - Communication between two systems that relies on a direct connection, without redirects through an intermediary such as a browser. It occurs outside the view of the resource owner and the browser.

  • In the Authorization Code flow, this is how the Client is able to communicate with the Authorization Server without exposing the client_secret to the user.

Front-Channel Communication - Method of using HTTP requests to communicate indirectly between two systems through an intermediary web browser.

  • Isolates the session on either side of the browser, which allows it to work across different security domains.

  • Works by attaching parameters to a URL and indicating that the browser should follow the URL.

    • Receiving party can then parse the incoming URL, as fetched by the browser, and consume the presented information.

    • Receiving party can then respond by redirecting the browser back to a URL hosted by the originator, using the same method of adding parameters.
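The two front-channel redirects described above, followed by the back-channel token request from the Authorization Code flow, as an added example that is not part of the original page; the hostnames, the `state` parameter check and all values are constructed assumptions.

```python
from urllib.parse import urlencode, urlsplit, parse_qs, urlunsplit

# Constructed sample values; hostnames, code and state are assumptions, not from the page.
AUTHZ_ENDPOINT = "https://authz.example.test/authorize"
REDIRECT_URI = "https://client.example.test/callback"
CLIENT_ID, CLIENT_SECRET = "demo-client", "s3cr3t-never-in-a-url"

def front_channel_redirect(destination, params):
    """Originator: attach parameters to a URL and tell the browser to follow it."""
    parts = urlsplit(destination)
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    query.update(params)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(query), ""))

def parse_front_channel(url, required):
    """Receiving party: parse the URL the browser fetched; reject missing or repeated parameters."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    for name in required:
        if len(query.get(name, [])) != 1:
            raise ValueError(f"front-channel parameter {name!r} missing or repeated")
    return {k: v[0] for k, v in query.items()}

def authorization_code_flow(issued_code="c0de-xyz", state="st4te-abc"):
    """Simulate both legs: two front-channel redirects, then the back-channel POST body."""
    # Leg 1 (front channel): client -> browser -> authorization server
    authz_url = front_channel_redirect(AUTHZ_ENDPOINT, {
        "response_type": "code", "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI, "state": state})
    request = parse_front_channel(
        authz_url, ("response_type", "client_id", "redirect_uri", "state"))
    # Leg 2 (front channel): authorization server -> browser -> client callback, echoing state
    callback_url = front_channel_redirect(
        request["redirect_uri"], {"code": issued_code, "state": request["state"]})
    response = parse_front_channel(callback_url, ("code", "state"))
    if response["state"] != state:
        raise ValueError("state mismatch: callback is not tied to the request this client sent")
    # Leg 3 (back channel): client -> authorization server directly; the secret appears only here,
    # never in a URL the browser sees
    token_request_body = urlencode({
        "grant_type": "authorization_code", "code": response["code"],
        "redirect_uri": REDIRECT_URI, "client_id": CLIENT_ID, "client_secret": CLIENT_SECRET})
    return {"front_channel_urls": [authz_url, callback_url],
            "token_request_body": token_request_body}
```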

Two-Legged OAuth - Refers to Client and Resource Server.

Three-Legged OAuth - Refers to Client, Resource Server, and Resource Owner (aka User).

Native Applications - Those that run directly on the end user's device.

  • Generally compiled or packaged externally and installed on a device (think of mobile applications).

Relying Party - Application that requires end-user authentication in order to get access to the user's account. In the OAuth world, this is known as the Client.

Trust On First Use (TOFU) - The first time a security decision needs to be made at runtime (and there is no existing context or configuration regarding the answer), the user is prompted. The system offers to remember this decision for the future. This strikes a balance between asking end users to make security decisions and the fatigue of asking them to decide constantly.
