I recently had the opportunity to work on OAuth for an application and thought I would document some of the basics around it.
What is OAuth?
OAuth (Open Authorization) is an open standard for access delegation, commonly used as a way for Internet users to grant websites or applications access to their information on other websites without giving them their passwords. In general terms, OAuth gives clients "secure delegated access" to server resources on behalf of a resource owner. It defines a process by which resource owners authorize third-party access to their server resources without handing over credentials.
How does it work?
OAuth allows an access token to be issued to a third-party client by an authorization server, with the approval of the resource owner. The third party can then use this access token to access the protected resources hosted on the server.
Resource / Protected Resource: The target data that needs to be accessed.
Resource Owner: An entity capable of granting access to a protected resource
Client: The application that requests authorization to perform an action on behalf of the Resource Owner.
Authorization Server: This is either part of the Resource Owner or hosted as an independent server. This server generates and shares the access token after authenticating the owner's identity.
Resource Server: This is the API server; it handles authenticated requests after the client has received an access token.
How do they interact?
- Resource Owner authorizes an application to access the Resource Server.
- Application requests a token from the Authorization Server using the Resource Owner approval or authorization.
- When the Authorization Server validates the approval, it issues an access token to the application.
- Using that token, the application can access the Resource Server.
A Few More Terms
Tokens contain pieces of information called claims. For example, an ID Token will consist of claims with information about the user, such as their first and last name, e-mail address or postal address. Claims can also carry information about the client or about the token itself, such as who issued the token or what its intended audience is.
Scopes provide a logical grouping of claims, and they limit the client's access to Resource Server or API features. When the Resource Owner approves the authorization, they define the scopes granted to the client.
Client ID / Client secret:
The Client ID is a public string that identifies an application and is used to build the authorization URL. The Client Secret authenticates the application to the Authorization Server when the application requests access.
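As an added illustration of the claims and scopes described above (example code written for this post, not taken from any OAuth library or product): a toy authorization server issues a signed token carrying issuer, audience, subject, client and scope claims, and a resource server verifies the signature, issuer, audience and expiry before enforcing the scope a request needs. The signing key, issuer and audience values are constructed placeholders, and the HMAC-signed token format is a simplified stand-in for real token formats such as JWT.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed placeholders: the key is shared between the authorization server
# and the resource server; issuer and audience identify those two parties.
SIGNING_KEY = b"constructed-demo-signing-key"
ISSUER = "https://auth.example"      # placeholder authorization server
AUDIENCE = "https://api.example"     # placeholder resource server (token audience)

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(subject, client_id, scopes, lifetime=3600, now=None):
    """Authorization server side: sign claims about the user, the client and the token itself."""
    now = int(time.time()) if now is None else now
    claims = {"iss": ISSUER, "aud": AUDIENCE, "sub": subject, "client_id": client_id,
              "scope": " ".join(scopes), "iat": now, "exp": now + lifetime}
    payload = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = _b64(hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).digest())
    return f"{payload}.{sig}"

def verify_token(token, now=None):
    """Resource server side: check signature, issuer, audience and expiry. Return claims or None."""
    try:
        payload, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        return None                      # forged or tampered token
    claims = json.loads(_unb64(payload))
    now = int(time.time()) if now is None else now
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        return None                      # token meant for another issuer/audience
    if claims.get("exp", 0) <= now:
        return None                      # expired
    return claims

def authorize_request(token, required_scope, now=None):
    """Enforce a scope: 200 when granted, 401 when the token is invalid, 403 when scope is missing."""
    claims = verify_token(token, now)
    if claims is None:
        return 401
    if required_scope not in claims["scope"].split():
        return 403
    return 200
```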
Assume you want to "Sign In" or "Login" on a website, e.g. https://seekingalpha.com. When you choose the Sign In option, you are presented with a popup window allowing you to log in using your Google Account or Apple Account.
Clicking on "Sign in with Google" takes you to the Google Sign In page, where you provide your Gmail credentials to log in. You can see the note that Google will share your name, email address, language preference, and profile picture with Seeking Alpha; those are the protected resources that Seeking Alpha would like to access and is requesting Google to share.
Seeking Alpha doesn't learn your Google account details; instead a "token" is issued by Google, which the client uses to access the protected resources.
| Role | In the Seeking Alpha example |
| --- | --- |
| Protected Resource | Your Name, Email Address, Language Preferences, and Profile Picture |
| Resource Owner | Your Email Account |
| Authorization Server | Google Email Service |
OAuth doesn't store credentials; it grants limited access to the defined actions.
In addition to granting access, the framework also allows revoking an individual grant of access to resources without changing the resource's password.
OAuth is a great solution for managing access and permissions and for integrating different applications. It provides an authorization framework for web applications, desktop applications and mobile devices.
By implementing OAuth, users avoid sharing their credentials and can grant limited access to resources. They can also revoke access for specific users easily. Avoiding the exchange of credentials is a substantial security improvement.
I hope this post is useful and provides some basic information on OAuth. Please share and comment if you see any issues.