A can't be correct because a user is not granted an access token. It's issued to a client / app.
B can't be correct because the credentials are validated by the authorization server. The resource server validates client's / app's access token.
D can't be correct because a user doesn't request an access token. A client / app does.
I would go with C because a user wants an authorization server to authorize the client / app.
E could be correct because the user requests a protected resource (which is accessed by a client / app) and he uses his original credentials, which are not shared with the client / app. It uses the authorization code grant flow to get access.
ChatGPT says:
Answers: A. The user is authenticated by the authorization server and granted an access token. and D. The user requests an access token by authentication and authorization grant presentation.
Two steps in the OAuth2 protocol flow are:
C. The user indirectly requests authorization through the authorization server.
D. The user requests an access token by authentication and authorization grant presentation.
In OAuth2, the flow typically involves the following steps:
The user indirectly requests authorization through the authorization server (step C). This involves the user granting permission to a client application to access their protected resources.
The user then requests an access token by presenting authentication and authorization grant to the authorization server (step D). The authorization grant may include information like the user's identity and the client's identity, which the authorization server uses to issue an access token.
The correct answers are C. The user indirectly requests authorization through the authorization server and A. The user is authenticated by the authorization server and granted an access token.
The OAuth2 protocol flow is a process that allows users to grant third-party applications access to their protected resources. The flow consists of four steps:
The user indirectly requests authorization through the authorization server.
The user is authenticated by the authorization server and granted an access token.
The user requests the protected resource from the resource server using the access token.
The resource server validates the access token and grants access to the protected resource.
A & D
User here means the client app, not the resource owner.
E is incorrect. Client uses access token to request resource from the resource server, not the original credentials.
All of them seem wrong.
A The user (resource owner) doesn't request an Access token.
B is incorrect as the original credentials are never sent to the resource server, only an access token.
C The user is the one giving permission.
E is wrong for the same reason. It is also wrong as the user isn't the one requesting the resource from the resource server. The client does.
D is wrong as the user requests an auth token, not an access token. The access token is requested by the client using the auth token.
Source: https://www.digitalocean.com/community/tutorials/an-introduction-to-oauth-2
1. The application requests authorization to access service resources from the user
2. If the user authorized the request, the application receives an authorization grant
3. The application requests an access token from the authorization server (API) by presenting authentication of its own identity, and the authorization grant
4. If the application identity is authenticated and the authorization grant is valid (option D), the authorization server (API) issues an access token to the application (option A). Authorization is complete.
5. The application requests the resource from the resource server (API) and presents the access token for authentication
6. If the access token is valid, the resource server (API) serves the resource to the application
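The six steps listed in the comment above, as an added example that is not part of the original thread or of the linked tutorial: a small in-process simulation showing which party presents what at each step. The class names, `demo-client`, `alice` and all secrets are constructed for illustration.

```python
import secrets

# Constructed sample data: one registered client, one user, one protected resource.
CLIENTS = {"demo-client": "demo-client-secret"}
USERS = {"alice": "alice-password"}
RESOURCES = {"alice": "alice's profile"}

def _check(table, name, secret):
    """Constant-time comparison of a presented secret against the stored one."""
    expected = table.get(name)
    return expected is not None and secrets.compare_digest(expected, secret)

class AuthorizationServer:
    def __init__(self):
        self.codes = {}   # authorization code -> (client_id, user)
        self.tokens = {}  # access token -> user

    def authorize(self, user, password, client_id, approve):
        """Steps 1-2: the user authenticates here and approves the client."""
        if not _check(USERS, user, password) or client_id not in CLIENTS or not approve:
            return None
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, user)
        return code  # authorization grant, handed to the client

    def token(self, client_id, client_secret, code):
        """Steps 3-4: the client authenticates itself and presents the grant."""
        if not _check(CLIENTS, client_id, client_secret):
            return None
        bound = self.codes.get(code)
        if bound is None or bound[0] != client_id:
            return None  # unknown, already used, or issued to another client
        del self.codes[code]  # a grant is single use
        access_token = secrets.token_urlsafe(16)
        self.tokens[access_token] = bound[1]
        return access_token  # issued to the client, not to the user

class ResourceServer:
    def __init__(self, auth_server):
        self.auth_server = auth_server

    def get_resource(self, access_token):
        """Steps 5-6: only the access token is checked, never a password."""
        user = self.auth_server.tokens.get(access_token)
        return RESOURCES.get(user) if user else None

def run_flow():
    az = AuthorizationServer()
    rs = ResourceServer(az)
    code = az.authorize("alice", "alice-password", "demo-client", approve=True)
    token = az.token("demo-client", "demo-client-secret", code)
    replay = az.token("demo-client", "demo-client-secret", code)  # reused grant
    return rs.get_resource(token), replay, rs.get_resource("alice-password")
```

`run_flow()` returns the resource for the valid token, `None` for the replayed grant, and `None` when the user's password is presented to the resource server in place of a token.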
A&E kind of looks like the best options, but E is actually a bit weird.
Strictly speaking, I think the user requests the protected resource by interacting with the Auth server, and not the resource server. But not too sure... I'm not too big on OAuth.