OAuth 2.0
What is OAuth2
Basically, OAuth 2 is an authorization mechanism: an industry-standard protocol for authorization. A commonly used definition describes OAuth 2 as follows:
OAuth 2 is an authorization framework that enables applications to obtain limited access to user accounts on an HTTP
Before going deeper, let's look at what authentication and authorization are and the difference between them.
Authentication vs Authorization
Authentication is the mechanism that verifies who you are, i.e. your identity. Usually it is done with a username and password that are known only to you, so that a service can distinguish you from its other users.
Authorization is the mechanism that verifies which services you are allowed to access among all the available services. You may be restricted from some services while being able to access others. So it checks which services a particular user can access.
The OAuth 2 framework belongs to the authorization workflow of a web application or API. It authorizes one service to access permitted resources from another service.
Roles of OAuth 2
There are three roles involved in the OAuth 2 workflow.
User
The user is the person who needs to access services through the application. This is the role that grants the application permission to access the API, and the role that the API authorizes.
Application
The application is the party that obtains permission from the user to access the API, and then uses the API both to get the user authorized and to access the resources of that user. The user also tells the application which of their resources it may access through the API.
API
This role has two parts: the authorization server and the resource server. The authorization server receives the request from the application with the scopes the user has permitted and checks whether the user is valid. If so, it sends the application a token that can be used to access resources from the resource server. When the application wants to access some of the user's resources from the resource server, the resource server validates the token and then returns the permitted resources to the application.
Workflow of OAuth 2.0
Now let's look at the workflow of OAuth 2. I will describe it according to the steps in the image above.
1. Authorization Request
In this step the application sends a permission request to the authorization server, asking it to authorize the user. The authorization server then sends a permission request to the user, asking whether the user allows the application to access their list of resources on the resource server. If the user allows it, the flow proceeds to the next steps; otherwise it fails. The permission request sent by the authorization server looks as follows (this is an example from the Google authorization server):
The application should send the grant_type and client_id parameters to indicate that this client ID has been registered with the authorization server and which authorization mechanism should be used; in this case we use grant_type=authorization_code. (There are more grant types in OAuth 2.0, but I am using the authorization_code grant type for this article.)
In this step the resources that the application is requesting access to are shown to the user, and the user can press Allow if they agree. Then the flow proceeds to the next step.
2. Authorization Grant
After the user hits the Allow button, the authorization server checks whether the application is registered. If it is, the authorization server asks the user to log in so that it can authenticate them; the user then has to enter their credentials and log in. Remember that the user's credentials are never shared with the application by the authorization server.
After the user has entered the credentials successfully and logged in, the authorization server sends an "authorization grant code" to the application, indicating that the user has authorized it. Then the flow proceeds to the next step.
3. Authorization Grant
Once the application has the "authorization grant code", the user has granted it authorization to access the resources on the resource server. But the application cannot access resources from the resource server without a valid token. This prevents any application other than the one authorized by the user from accessing the resources on the resource server.
So in this step the application sends a request to the authorization server containing the "authorization grant code" from the previous step, in order to obtain a valid token from the authorization server.
4. Access Token
If the "authorization grant code" sent by the application in the previous step is valid, the authorization server returns an access token together with a refresh token to the application. From now on the application can access the allowed resources from the resource server. The response looks as follows:
5. Access Token
Now the application has the access token it needs to access resources. Usually it is a bearer token. A bearer token is a long string that carries details such as the token's validity period and the scopes the application is allowed to access. In this step the application requests resources from the resource server using this bearer token, which is sent in the HTTP "Authorization" header as follows:
6. Protected Resource
When the application sends the request, the bearer token is validated by the resource server. If the token is valid and not expired, the server checks whether the application is requesting an allowed resource. If so, the resource server sends back the resource; otherwise the request fails.
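As an added example that is not part of the original article, here is a Python simulation of the six steps above with the application, the authorization server and the resource server all in one file; the client ID app123, its secret, the endpoint URLs and the user names are constructed for the example. The authorization request uses response_type=code as RFC 6749 specifies, and the simulation shows the checks that matter for a defender: the state value round-tripping unchanged, short-lived single-use codes, client authentication at the token endpoint, and expiry and scope checks at the resource server.

```python
import secrets, time
from urllib.parse import urlencode, urlparse, parse_qs
# Constructed registration data: one application the authorization server knows about.
CLIENTS = {"app123": {"secret": "app-secret", "redirect_uri": "https://app.example/cb"}}
AUTH_ENDPOINT = "https://auth.example/authorize"
codes, tokens = {}, {}  # authorization-server state: issued codes and access tokens
def parse_query(url):
    # Flatten the query string of a URL into a dict (first value of each key).
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
def build_authorization_request(client_id, scope, state):
    # Step 1: the application redirects the user to the authorization server;
    # response_type=code selects the authorization code grant (RFC 6749 section 4.1).
    q = {"response_type": "code", "client_id": client_id, "scope": scope,
         "redirect_uri": CLIENTS[client_id]["redirect_uri"], "state": state}
    return f"{AUTH_ENDPOINT}?{urlencode(q)}"
def user_grants(auth_url, user):
    # Step 2: the user logs in and clicks Allow; the server issues a short-lived, single-use code
    # and redirects back to the application. The user's password never reaches the application.
    q = parse_query(auth_url)
    code = secrets.token_urlsafe(16)
    codes[code] = {"client_id": q["client_id"], "scope": q["scope"], "user": user,
                   "expires": time.time() + 60}
    return f"{q['redirect_uri']}?{urlencode({'code': code, 'state': q['state']})}"
def exchange_code(client_id, client_secret, code):
    # Steps 3 and 4: the application swaps the code for an access token, proving its own identity.
    grant = codes.pop(code, None)  # pop makes the code single-use: a replayed code is rejected
    if not grant or grant["client_id"] != client_id or grant["expires"] < time.time():
        return None
    if not secrets.compare_digest(CLIENTS[client_id]["secret"], client_secret):
        return None
    token = secrets.token_urlsafe(32)
    tokens[token] = {"user": grant["user"], "scope": set(grant["scope"].split()),
                     "expires": time.time() + 3600}
    return {"access_token": token, "token_type": "Bearer", "expires_in": 3600}
def get_resource(authorization_header, needed_scope):
    # Steps 5 and 6: the resource server checks the bearer token, its expiry and its scope.
    scheme, _, token = authorization_header.partition(" ")
    info = tokens.get(token) if scheme == "Bearer" else None
    if not info or info["expires"] < time.time():
        return 401, None  # unknown, malformed or expired token
    if needed_scope not in info["scope"]:
        return 403, None  # valid token, but the user never granted this scope
    return 200, {"owner": info["user"], "resource": needed_scope}
def run_flow(scope="profile:read", want="profile:read"):
    # Drives all six steps; state must round-trip unchanged (protects the redirect against CSRF).
    state = secrets.token_urlsafe(8)
    q = parse_query(user_grants(build_authorization_request("app123", scope, state), "alice"))
    tok = exchange_code("app123", "app-secret", q["code"]) if q["state"] == state else None
    return get_resource(f"Bearer {tok['access_token']}", want) if tok else None
```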
Advantages of OAuth 2.0
- The OAuth 2 protocol gives the ability to access resources without sharing any user credentials, so from a security perspective it is a more secure approach.
- It gives access only to the allowed resources of the user, not to all of the user's information, so from a privacy perspective it is a plus point.
- It uses SSL (Secure Socket Layer) to protect user access tokens, relying on cryptographic protocols to keep data safe.
- It improves the user experience of the application.
Summary
So in this article we learned about:
- what OAuth 2.0 is
- what authorization and authentication are
- what the roles of OAuth 2.0 are
- what the workflow of OAuth 2.0 is
- what the advantages of using OAuth 2.0 are
So I hope you have gained a good understanding of the OAuth 2.0 protocol. In this article I didn't discuss how to build an application using OAuth 2.0, and I hope to write an article about that in the future. There are more complex concepts in OAuth 2.0; I discussed only some simple ones here. So I will leave some resources below that you can read if you need to go deeper into OAuth 2.0.