OAuth 2.0 is widely used in web applications. What is its main goal?
Think about how apps let you log in using accounts from other services without giving your password.
OAuth 2.0 allows users to grant limited access to their resources on one site to another site without sharing their passwords. It acts as a secure authorization framework.
Given this JSON response from an OAuth 2.0 token endpoint, what is the value of the expires_in field?
{
  "access_token": "abc123xyz",
  "token_type": "Bearer",
  "expires_in": 3600,
  "refresh_token": "def456uvw"
}
Look for the field that tells how long the access token is valid in seconds.
The expires_in field indicates the lifetime of the access token in seconds. Here, it is 3600 seconds (1 hour).
Consider this simplified OAuth 2.0 authorization code flow snippet. Why does it fail to obtain an access token?
POST /token HTTP/1.1
Host: auth.example.com
Content-Type: application/x-www-form-urlencoded

client_id=abc&redirect_uri=https://app.example.com/callback&code=xyz123
Think about what the authorization server needs to verify the client identity during token exchange.
In the authorization code flow, the client must send its client_secret along with the client_id to authenticate itself when exchanging the code for an access token. Omitting it causes failure.
Choose the correct syntax for sending an OAuth 2.0 Bearer token in an HTTP request header.
The standard header name and scheme must be used exactly.
The correct header is Authorization with the scheme Bearer followed by the token. Other forms are invalid or non-standard.
Given this OAuth 2.0 token response, how many scopes does the access token have?
{
  "access_token": "token123",
  "token_type": "Bearer",
  "expires_in": 1800,
  "scope": "read write delete"
}
Count the number of space-separated words in the scope string.
The scope field lists permissions separated by spaces. Here, there are three: read, write, and delete.