401 (which means that authentication is required) and adds a special header to the response, named WWW-Authenticate, with a special value of Basic.

bb14292d91c6d0920a5536bb41f3a50f66351b7b9d94c804dfce8a96ca1051f2 every time.

client_id
This tells the OAuth2 provider what your app is. You’ll need to register your app ahead of time to get a client ID.

redirect_uri
This tells the provider where you want to go when you’re done. For a website, this could be back to the main page; a native app could go to a page that closes the web view.

response_type
This tells the provider what you want back. Normally, this value is either token, to indicate that you want an access token, or code, to indicate that you want an access code. Providers may also extend this value to provide other types of data.

scope
This tells the provider what your app wants to access. This is how Google knows that Quora is asking for access to manage your contacts. Each provider has a different set of scopes.

if statements. Each interprets the specification differently, and each one differs in small details. They also always have different ideas on what scopes to provide. Using a library to integrate with OAuth2 helps a lot with this problem, but it will never be 100% transparent in your app’s code.
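
An added example (not from the original article or any provider's code): the four parameters described above (client_id, redirect_uri, response_type, scope) assembled into an authorization request, together with the checks a provider would run on each one before honoring it. The endpoint, client ID, redirect URI and scope names are constructed, and scopes are assumed to be space-delimited as in RFC 6749.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed registration record: what the provider stored when the app registered.
REGISTERED_CLIENTS = {
    "example-client-id": {
        "redirect_uris": {"https://app.example.com/oauth/callback"},
        "response_types": {"code"},
        "scopes": {"contacts.read", "profile"},
    }
}


def build_authorization_url(endpoint, client_id, redirect_uri, response_type, scope):
    """Client side: assemble the authorization request from the four parameters."""
    query = urlencode({
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": response_type,
        "scope": " ".join(scope),  # assumption: space-delimited scope list
    })
    return f"{endpoint}?{query}"


def validate_authorization_request(url):
    """Provider side: return a list of problems; an empty list means acceptable."""
    query = parse_qs(urlsplit(url).query)
    # A parameter sent twice is ambiguous, so reject instead of picking one value.
    dupes = sorted(k for k, v in query.items() if len(v) > 1)
    if dupes:
        return ["duplicate parameter: " + ", ".join(dupes)]
    params = {k: v[0] for k, v in query.items()}
    client = REGISTERED_CLIENTS.get(params.get("client_id"))
    if client is None:
        return ["unknown client_id"]
    problems = []
    # Exact string comparison against the registered value; no prefix or pattern matching.
    if params.get("redirect_uri") not in client["redirect_uris"]:
        problems.append("redirect_uri is not registered for this client")
    if params.get("response_type") not in client["response_types"]:
        problems.append("response_type not allowed for this client")
    extra = set(params.get("scope", "").split()) - client["scopes"]
    if extra:
        problems.append("scope not allowed: " + " ".join(sorted(extra)))
    return problems


if __name__ == "__main__":
    url = build_authorization_url("https://provider.example.com/authorize", "example-client-id",
                                  "https://app.example.com/oauth/callback", "code", ["contacts.read"])
    print(url, validate_authorization_request(url))
```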