...

DataVaultCompany allows its registered users to store information ranging from their name, email and physical address to their Visa card numbers and pension and health insurance policies.

DataVaultCompany has very strict authentication and customer verification procedures as well as high data integrity, so the information it holds on behalf of its customers is extremely accurate, ranging from semi-public information to extremely private and highly secured information.

Now, a broker company (TheBrokerCompany) wishes to provide a service to some user for which it needs the end user's verified name and address. It also provides premium services to customers, such as helping them select the correct pension insurance provider.

...

So, when the user accesses TheBrokerCompany’s website, it redirects the user's browser to DataVaultCompany using an OAuth2 “Authorization Request”. The end user identifies himself to DataVaultCompany and allows TheBrokerCompany to access his name and email address, which TheBrokerCompany knows to be verified by DataVaultCompany.
TheBrokerCompany then receives an OAuth2 “Authorization Grant” containing an authorization code. This code is used, together with TheBrokerCompany’s client secret (password), in a web service call made directly from TheBrokerCompany to DataVaultCompany.
DataVaultCompany then exchanges the authorization code for a bearer token with a specified duration. While this token is valid, TheBrokerCompany can use it in an HTTP Authorization header when making web service calls to DataVaultCompany on behalf of the user, and it will get access to the data that the user allowed.

...

Since the implicit grant is used, the access token is in the URL fragment, so it will not be sent to the server, but it is accessible to a JavaScript application running within the user's browser. This application can then use the token to make requests to services with the HTTP header “Authorization: Bearer OWVlY2YxNWMtNjAwYi00N2FlLTliMGYtMTdhN2E1NDlmNmVm”. Assuming the URL for the service call matches a configured oauthrule, the server can then return this information.
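The three steps above (authorization code issued on consent, back-channel exchange of code plus client secret for a time-limited bearer token, and a resource call checked against a configured oauthrule) as one added, self-contained example; this is illustrative code, not DataVaultCompany's implementation, and the client id, secret, scope names and the oauthrule table are assumptions:

```python
import secrets
import time

# Constructed example: DataVaultCompany's authorization server and resource
# server in one process. Client credentials, scope names and the oauthrule
# table (URL path -> scope the user must have granted) are all assumptions.
CLIENTS = {"TheBrokerCompany": "s3cret"}        # client_id -> client secret
OAUTH_RULES = {
    "/api/v1/profile/name": "name",
    "/api/v1/profile/email": "email",
    "/api/v1/profile/visa": "visa",
}
_codes = {}    # authorization code -> (client_id, user, granted scopes)
_tokens = {}   # bearer token -> (user, granted scopes, expiry timestamp)


def authorization_request(client_id, user, scopes):
    """Step 1: the user consents to 'scopes'; a one-time authorization code is issued."""
    code = secrets.token_urlsafe(16)
    _codes[code] = (client_id, user, frozenset(scopes))
    return code


def token_exchange(code, client_id, client_secret, lifetime=3600, now=None):
    """Step 2: back-channel call; code + client secret are swapped for a bearer token."""
    if not secrets.compare_digest(client_secret, CLIENTS.get(client_id, "")):
        return None                              # wrong secret: code stays unused
    entry = _codes.pop(code, None)               # code is single use
    if entry is None or entry[0] != client_id:
        return None                              # unknown code or issued to another client
    token = secrets.token_urlsafe(32)
    _tokens[token] = (entry[1], entry[2], (now or time.time()) + lifetime)
    return token


def resource_request(path, headers, now=None):
    """Step 3: resource server checks the Authorization header against the oauthrule."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    entry = _tokens.get(token) if scheme == "Bearer" else None
    if entry is None:
        return 401, "invalid token"
    user, scopes, expiry = entry
    if (now or time.time()) >= expiry:
        return 401, "token expired"
    needed = OAUTH_RULES.get(path)               # no rule -> nothing is released
    if needed is None or needed not in scopes:
        return 403, "scope not granted"
    return 200, f"{user}:{needed}"
```

The token only unlocks the data the user consented to (name and email here), so a request for the Visa card path is refused even with a valid token.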

...