What is OAuth 2.0
This medium will give a basic introduction to OAuth2.0. Before familiarizing with OAuth2.0 we need to have an understanding of the below two terminologies.
Authentication
Authentication is the process of verifying the identity of an entity. Therefore, user authentication means verifying the identity of an user. Knowledge factor, possession factor and inherence factor are three main factors used for authentication. User authentication is a broad topic. If you need to read more in the user authentication please refer to the article below.
Eg:
You are working as an employee in Organization ABC. ABC organization has a system to maintain all the employee data such as employee profiles, employee leaves etc. When a new employee is joining to the organization a new account is created in the system and the credentials are shared with the employee.
To access that system each employee has to provide his/her username and password. Once successfully authenticated the employee is capable of accessing the data. In this example the user identity is verified using the username and password that the user enters.
Authorization
Authorization is the process of providing someone permissions to access a resource. In secure systems usually authorization always follows authentication. Users must first prove their identity before providing the necessary permissions to access the resource.
Eg:
Consider the same example which we discussed in the Authentication section above. In the ABC organization each employee works for a certain department (Eg: HR, Engineering etc).
An employee who works in HR department can access the data of other employees where as an employee from the Engineering department can only access his/her data only. This is controlled by the permissions assigned for the users.
OAuth 2.0 is a standard protocol for Authorization. It is designed for a application or a web-site to gain access to resources hosted by some other application or a web-site on behalf of a user. OAuth 2.0 specification can be found here.
For example an user maintains his photos in a photo hosting application. For the user to access his photos hosted in photo hosting application he needs to provide his user credentials. There is a third party application which can be used for photo editing.
In the traditional approach if the user needs to edit his photos using the photo editing application, the user has to share his credentials with the photo editing application. Then the photo editing application can use those credentials to access the photos of the user hosted in the photo hosting application. Below diagram illustrates the above described flow.
Above approach has many security concerns because once the user share his credentials with that third party application, the user doesn’t have control over the actions carry out by the third party application.
OAuth introduces an authorization layer to address the above described limitations. We can use the same previous example to analyze how OAuth 2.0 resolves the limitations in the traditional approach.
The photo editing application requests for an access token (access token is a string indicating a lifetime, a specific scope and some other access related attributes. This access token is issued by the server which does the user authentication and upon the approval of the user the server issues the token. In our example the user authentication and authorization is done by the photo hosting application. Therefore, the access token is issued by the photo hosting application.). Then the photo editing application uses this access token to request the photos from photo hosting application. Below diagram illustrates the above described flow.
OAuth 2.0 Roles
OAuth 2.0 uses four roles in the specification.
- Resource Owner
The entity which owns the resources in the resource server. In our example user acts as the resource owner. - Resource Server
The server which hosts the protected resources. In our example the photo hosting application acts as the resource server. - Client
The application which requests access to the protected resource on behalf of the resource owner. In our example the photo editing application acts as the client. - Authorization Server
The server which issues access tokens to the client after authenticating the resource owner and obtaining the necessary authorization. In our example the Authentication and Authorization component of the Photo hosting application acts as the Authorization server.
Auth 2.0 uses above roles to describe the various interactions
OAuth 2.0 Grant Types
Grant type is a set of credentials which represents the authorization provided by the resource owner. These grant types describes how to obtain the authorization to the protected resources in different ways. The best suited grant type has to be used depending on the client application type.
OAuth 2 specification defines four main grant types. I’ll discuss each of those grant types in separate mediums in detail. In those mediums I’ll be sharing on how to try out the respective grant types. For trying out the grant types I will be using Asgardeo, the Identity as a Service(IDaaS) provided by WSO2.
- Authorization Code
- Implicit
- Resource Owner Password Credentials
- Client Credentials
Hope you got a basic understanding of OAuth 2.0. Thank you for reading this medium.
