Skip to end of metadata
Go to start of metadata

OAuth2 is a difficult standard to fully understand as it has multiple flows and can support lots of different extensions and the specification is vague in some key areas. To try and get everyone on the same understanding this page is to try and document, from a OpenAM developers point of view, on how the OAuth2 flows and OpenAM's implementation as an OAuth2 Provider is designed and operates.


There are two attachments that detail the flow for the authorize and token endpoints of an OAuth2 provider.

These flow diagrams are based off of the OAuth2 spec, http://tools.ietf.org/html/rfc6749, and do not contain any OpenAM specific design choices.

Im not 100% sure that the diagrams are complete and correct, there still some points to investigate. Feel free to annotate and upload changes/fix that can be incorporated to the main document.

  • No labels