Transitioning to OAuth2

Hi all,

I am about to transition my application, PoQStacker, from OAuth1 to OAuth2.

I am trying to interpret the OAuth2 documentation:

Access token usage

The authorization endpoint can return two types of access tokens. The authentication process is different for each of them.
Bearer tokens

Bearer tokens are the default type of access tokens. They are very easy to use, consist only of one component, which you should treat as a password. For this reason, it is only possible to use them over HTTPS. If you try to send them over plain HTTP, they will be ignored.

The preferred method to use bearer tokens is via the Authorization header. An authenticated request would look like the following:

GET /oauth2/userinfo HTTP/1.1
Host: musicbrainz.org
Authorization: Bearer jr5xkCAg4hGcls9FXMVIuQ

If I interpret this correctly, with OAuth2, I can only access the user’s data as a whole collection (/oauth2/userinfo).

Then if I wanted to modify any element of the user’s data, I GET the whole collection, modify the element(s), and POST the whole collection.

Are my interpretations correct?

Thanks in advance

OAuth2 has nothing to do with how data gets manipulated. It is only about how you authenticate requests, and that’s what this documentation is about.

If and how an endpoint allows you to manipulate data depends on its implementation. In case of /oauth2/userinfo I don’t think it can be used to update data, AFAIK this is just an endpoint to query information about the user.

For other endpoints see the MusicBrainz web service documentation, especially the section “Submitting data”.


Thank you for your reply @outsidecontext.

That is the way I initially assumed it was going to work. However, the way the example is written was putting some doubt in that assumption.

I have written some test code and I can see how that works now.

For those who are embarking on this journey, just be aware that the “application/x-www-form-urlencoded” ONLY applies to the “redirect_uri” address portion of the TOKEN request. Also, in my case I didn’t include any line breaks between the elements, nor did I include a termination sequence for the Body; however, I did include the Content-Length in the Header.
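As an added example (not code from the thread or from MusicBrainz), here is how the two requests discussed above are assembled: the form-urlencoded token request with its Content-Length, and the bearer-authenticated GET from the quoted documentation, which refuses plain HTTP because the token is effectively a password and the server ignores it over HTTP anyway. The token endpoint path /oauth2/token, the client credentials and the authorization code are assumptions; urlencode percent-encodes every value, of which redirect_uri is the one that normally contains reserved characters.

```python
"""Build an OAuth2 token request and a bearer-authenticated request (offline demo)."""
from urllib.parse import urlencode, urlsplit

# Assumed token endpoint; the thread only shows /oauth2/userinfo on musicbrainz.org.
TOKEN_ENDPOINT = "https://musicbrainz.org/oauth2/token"
USERINFO_ENDPOINT = "https://musicbrainz.org/oauth2/userinfo"


def build_token_request(client_id, client_secret, code, redirect_uri):
    """Return (headers, body) for exchanging an authorization code for tokens.

    The whole body is application/x-www-form-urlencoded: urlencode joins the
    fields with '&' and percent-encodes each value (no line breaks, no trailing
    terminator). Content-Length is computed from the encoded bytes.
    """
    body = urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "client_id": client_id,
        "client_secret": client_secret,
        "redirect_uri": redirect_uri,
    }).encode("ascii")
    headers = {
        "Host": urlsplit(TOKEN_ENDPOINT).netloc,
        "Content-Type": "application/x-www-form-urlencoded",
        "Content-Length": str(len(body)),
    }
    return headers, body


def build_bearer_request(url, access_token):
    """Return headers for a bearer-authenticated GET of `url`.

    Refuses non-HTTPS URLs: the token is a single secret component, so sending
    it in clear would leak it, and the documentation says it is ignored anyway.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("bearer tokens must only be sent over HTTPS")
    return {"Host": parts.netloc, "Authorization": f"Bearer {access_token}"}


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    hdrs, body = build_token_request("PoQStacker", "s3cret", "abc",
                                     "http://localhost:8080/callback")
    print(hdrs, body, sep="\n")
    print(build_bearer_request(USERINFO_ENDPOINT, "jr5xkCAg4hGcls9FXMVIuQ"))
```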