{"id":108336,"date":"2021-01-12T07:00:00","date_gmt":"2021-01-12T05:00:00","guid":{"rendered":"https:\/\/www.javacodegeeks.com\/?p=108336"},"modified":"2021-01-07T21:06:19","modified_gmt":"2021-01-07T19:06:19","slug":"oauth2-bearer-token-usage","status":"publish","type":"post","link":"https:\/\/www.javacodegeeks.com\/2021\/01\/oauth2-bearer-token-usage.html","title":{"rendered":"OAuth2 Bearer Token Usage"},"content":{"rendered":"<p>I have immersed myself in the digital identity space for the past few years. A good chunk of this work involves reading (and sometimes creating) specifications, as you can imagine. It is critical that they be written in such a way that two independent parties can build interoperable implementations without relying on each other\u2019s code. With this in mind, let\u2019s have a brief chat about <a href=\"https:\/\/tools.ietf.org\/html\/rfc6750\">OAuth2 Bearer Token Usage<\/a> with a focus on the token\u2019s encoding.<\/p>\n<p>But first, let\u2019s briefly talk about what OAuth2 <em>is<\/em>.<\/p>\n<h2>What is OAuth 2.0?<\/h2>\n<p>OAuth2 is an authorization <strong><em>framework<\/em><\/strong> defined by <a href=\"https:\/\/tools.ietf.org\/html\/rfc6749\">RFC6749<\/a> outlining the overall flow of messages between three actors: a \u201cclient\u201d, a resource owner (RO), and an authorization server (AS). You might know the first two respectively as \u201crelying party\u201d and \u201cuser\u201d. Those of you familiar with <a href=\"https:\/\/openid.net\/specs\/openid-connect-core-1_0.html\">OpenID Connect<\/a> also know the AS as the \u201cIdentity Provider\u201d.<\/p>\n<p>At its heart, OAuth2 is all about a user authorizing a relying party to access their data hosted by an API protected by the authorization server. Note that it does <em>not<\/em> authorize <em>the user<\/em> themselves to access the API. 
The job of the AS is to collect and record the user\u2019s <em>consent<\/em> to authorize the relying party access.<\/p>\n<p>You might have noticed the emphasis on <em>framework<\/em> above. That is because RFC6749 deliberately avoids normative text defining many implementation details. Stepping back a bit, all RFC6749 says is that there is a client that requests access to a resource protected by an authorization server, and that the resource owner must approve this access. Once authorized, the client obtains an <em>access token<\/em> to consume the resource.<\/p>\n<p>OAuth2 relies on the <a href=\"https:\/\/tools.ietf.org\/html\/rfc2616\">HTTP protocol<\/a> and defines the basic structure of the messages flowing between its actors. Relevant to the topic at hand is the <a href=\"https:\/\/tools.ietf.org\/html\/rfc6749#section-7.1\"><code>token_type<\/code><\/a> included in the response to the client. As per the RFC, this attribute \u201cprovides the client with the information required to successfully utilize the access token to make a protected resource request\u201d.<\/p>\n<h2>OAuth 2.0 Bearer Token Usage<\/h2>\n<p><a href=\"https:\/\/tools.ietf.org\/html\/rfc6750\">RFC6750<\/a> is the normative specification for how to use OAuth 2.0 Bearer tokens.<\/p>\n<p>What are \u201cBearer Tokens\u201d?<\/p>\n<p>Recall the <code>token_type<\/code> attribute from above. 
It turns out that if the access token response indicates the token\u2019s type is <code>Bearer<\/code>, then it is a \u201cbearer token\u201d as defined in RFC6750, which means:<\/p>\n<ul>\n<li><a href=\"https:\/\/tools.ietf.org\/html\/rfc6750#section-1.2\">Any party in possession of the token can use it<\/a>, and<\/li>\n<li>It must be presented in a specific way (as defined in RFC6750).<\/li>\n<\/ul>\n<p>This is, by far, the most common type of access token in use on the web today.<\/p>\n<p>Great! I want to integrate social logins into my uber-mega website and disrupt a market overnight! Let\u2019s get started!<\/p>\n<h2>The misdirection<\/h2>\n<p>You have implemented one of the OAuth 2 grant types (aka \u201cflows\u201d) as a client and the AS has issued a <code>Bearer<\/code> access_token to you. What now? How do we use this token?<\/p>\n<p>Luckily for us, RFC6750 tells us exactly what to do! Or does it? 
Let\u2019s explore my thought process on my first attempt at an implementation:<\/p>\n<ul>\n<li>The client must format an <a href=\"https:\/\/tools.ietf.org\/html\/rfc6750#section-2.1\"><code>Authorization<\/code> HTTP header<\/a> with the token in a certain way.<\/li>\n<li>The syntax of bearer tokens includes a <code>b64token<\/code>: <code>b64token = 1*( ALPHA \/ DIGIT \/ &quot;-&quot; \/ &quot;.&quot; \/ &quot;_&quot; \/ &quot;~&quot; \/ &quot;+&quot; \/ &quot;\/&quot; ) *&quot;=&quot;<\/code><\/li>\n<li>This strongly suggests that <a href=\"https:\/\/tools.ietf.org\/html\/rfc4648#section-4\">Base64 encoding<\/a> is involved in some way<\/li>\n<li>But, who encodes the access_token in Base64?<\/li>\n<li>Recall that the access_token is <a href=\"https:\/\/tools.ietf.org\/html\/rfc6749#section-1.4\">usually opaque to the client<\/a>.<\/li>\n<li>Note that <a href=\"https:\/\/tools.ietf.org\/html\/rfc7230#section-3.2.6\">HTTP headers can have almost any US-ASCII character<\/a><\/li>\n<li>Also recall that the access_token pretty much consists of <a href=\"https:\/\/tools.ietf.org\/html\/rfc6749#appendix-A.12\">all printable characters<\/a> &#8211; a superset of Base64<\/li>\n<li>If the access_token is opaque to the client (I shouldn\u2019t attempt to parse it), and it can also consist of invalid Base64 characters, then surely the client must Base64-encode the <code>Bearer<\/code> token, right?<\/li>\n<\/ul>\n<p>But are we sure? 
Let\u2019s double check with RFC6750:<\/p>\n<ul>\n<li>The syntax of the \u201cAuthorization\u201d header field for this scheme follows the usage of the Basic scheme defined in Section 2 of RFC2617<\/li>\n<li>Following through we find that RFC2617 defines the <code>Basic<\/code> HTTP Authentication Scheme that <strong>also uses the <code>Authorization<\/code> HTTP header and Base64 to encode the credentials<\/strong><\/li>\n<\/ul>\n<p>Putting it all together:<\/p>\n<ul>\n<li>RFC6750 defines how to use OAuth 2.0 Bearer Tokens<\/li>\n<li>Must put the access_token in the <code>Authorization<\/code> header<\/li>\n<li>The syntax includes a character space identified by <code>b64token<\/code><\/li>\n<li>This usage follows the <code>Basic<\/code> scheme in RFC2617<\/li>\n<li>RFC2617 uses Base64 encoding<\/li>\n<\/ul>\n<p>Great! All I have to do is encode the access_token in Base64 before putting it in the <code>Authorization<\/code> header. I\u2019m ready to integrate my social logins!<\/p>\n<blockquote>\n<p><strong>Narrator:<\/strong> He was not ready for integration.<\/p>\n<\/blockquote>\n<h2>The reality<\/h2>\n<p>Bearer tokens are laid bare in the <code>Authorization<\/code> header.<\/p>\n<p>None of the existing implementations expect the access_token to be encoded in Base64 in the <code>Authorization<\/code> header. See for example:<\/p>\n<ul>\n<li><a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/active-directory\/develop\/v2-oauth2-auth-code-flow#use-the-access-token\">Microsoft Identity Platform<\/a><\/li>\n<li><a href=\"https:\/\/docs.github.com\/en\/free-pro-team@latest\/developers\/apps\/authorizing-oauth-apps#3-use-the-access-token-to-access-the-api\">GitHub\u2019s <em>Authorizing OAuth Apps<\/em><\/a><\/li>\n<li><a href=\"https:\/\/github.com\/ory\/oathkeeper\/issues\/597\">An issue I filed with ORY Oathkeeper<\/a> (only for me to subsequently realize my own confusion)<\/li>\n<\/ul>\n<p>What gives? Did everyone else get it wrong? 
(because <em>of course<\/em><strong> I <\/strong>interpreted the spec correctly!)<\/p>\n<h2>Lessons learned<\/h2>\n<p>It is <strong>important<\/strong> that specifications have precise normative text around how messages are constructed and processed in order to be interoperable. If there are algorithms involved, <strong>specify them step-by-step<\/strong>.<\/p>\n<p>It is <strong>important<\/strong> that normative text be labelled as such.<\/p>\n<p>It is <strong>important<\/strong> to identify each role and their respective responsibilities and algorithms.<\/p>\n<p>In my opinion, a good example showcasing the previous points is <a href=\"https:\/\/www.w3.org\/TR\/webauthn\">Web Authentication<\/a> where:<\/p>\n<ul>\n<li><a href=\"https:\/\/www.w3.org\/TR\/webauthn\/#sctn-api\">The high-level architecture is clearly depicted in diagrams<\/a><\/li>\n<li>Non-normative sections are clearly labelled.<\/li>\n<li>The interfaces are clearly defined<\/li>\n<li>Algorithms are explained in detail. Example: <a href=\"https:\/\/www.w3.org\/TR\/webauthn\/#sctn-createCredential\">Create a new credential<\/a><\/li>\n<\/ul>\n<p>I\u2019m still grappling with a real consolidation of RFC6750 with reality. If I squint just right I can see that when RFC6750 says \u201cThe syntax for Bearer credentials is as follows\u201d it was unnecessarily informing the <em>client developer<\/em> what the syntax of the token is. In hindsight, this seems to be a (rather terse) message meant for implementers of Authorization Servers. I think an improved version of this section would have been split into several parts, each directed at different audiences: one for developers of clients, another for developers of authorization servers, and another for developers of resource servers. 
However, the text in RFC6750 remains terse and mixes multiple implementation details that concern the different actors in a different manner.<\/p>\n<p>Another improvement would be to rely less on <em>examples<\/em> and to provide normative descriptions of the (very simple) processing algorithms that construct and parse these messages. That would have cleared up most of the confusion in section 2.1, although the language itself could have used stronger wording. Indeed, the non-normative text in section 7.1 of RFC6749 has stronger wording than that in RFC6750!<\/p>\n<p>No matter what, as an implementer: <strong>always<\/strong> verify your understanding of a specification against other implementations!<\/p>\n<div class=\"attribution\">\n<table>\n<tbody>\n<tr>\n<td>Published on Java Code Geeks with permission by George Aristy, partner at our <a href=\"\/\/www.javacodegeeks.com\/join-us\/jcg\/\" target=\"_blank\" rel=\"noopener\">JCG program<\/a>. See the original article here: <a href=\"https:\/\/llorllale.github.io\/oauth2-token-bearer-usage\/\" target=\"_blank\" rel=\"noopener\">OAuth2 Bearer Token Usage<\/a><\/p>\n<p>Opinions expressed by Java Code Geeks contributors are their own.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>I have immersed myself in the digital identity space for the past few years. A good chunk of this work involves reading (and sometimes creating) specifications, as you can imagine. It is critical that they be written in such a way that two independent parties can build interoperable implementations without relying on each other\u2019s code. 
&hellip;<\/p>\n","protected":false},"author":81839,"featured_media":112,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8],"tags":[1433],"class_list":["post-108336","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-enterprise-java","tag-oauth2"]}