Re: [OAUTH-WG] OAuth 2 flow diagrams

"Anganes, Amanda L" <> Tue, 07 February 2012 14:46 UTC

Hello again,

Based on some feedback I have received, I have updated my diagrams. Changes are listed below, and the link ( will always point to the latest version.

* Changed the title of the diagrams to "OAuth 2.0 Authorization" (from "OAuth 2.0 Authentication", which was incorrect).

* Removed refresh_token from the Access Token response on the Client Credentials flow.
Ref: says "A refresh token SHOULD NOT be included."

* Changed "Consumer" to "Client" to better match the 2.0 terminology.

Amanda Anganes
Info Sys Engineer, G061
The MITRE Corporation

From: [] On Behalf Of Anganes, Amanda L
Sent: Friday, February 03, 2012 9:24 AM
Subject: [OAUTH-WG] OAuth 2 flow diagrams


I've developed a set of flow diagrams for the OAuth 2.0 spec, with separate diagrams for the Access Code, Implicit Grant, Resource Owner Password Credentials, and the Client Credentials flows. These were inspired by the diagrams for 1.0 and 1.0a that Idan Gazit posted in, which Justin Richer pointed me to when I first started trying to read and understand the OAuth 2.0 spec. I find these types of diagrams to be incredibly useful, so I updated them again to (hopefully) reflect the 2.0 spec.

I'd appreciate any comments/corrections. If anyone finds the diagrams to be useful, please feel free to rehost or reference them.


Amanda Anganes
Info Sys Engineer, G061
The MITRE Corporation