What is OAuth 2.0?


“OAuth 2.0” - this is the first word I heard when I began my day as an intern in the IS team at WSO2. I had no idea about this jargon and I really thought it was something used for some really, really techy thing that never crosses the path of the common man. But I was so wrong! This is the basic concept behind all applications used these days.

Since I am not tech savvy or a great reader/writer, I’ll write this article as a short and sweet series and try my best to avoid the jargon (if you don’t understand something, just use the lifeline “Google” and continue reading; this is not that hard, and if I can then you can). In this article we will cover the basic terminologies and an abstract view of the overall concept.

Introduction

OAuth 2.0 is a framework (often mistaken for a protocol) used to grant one application limited access to resources held by another application, without handing over the user’s credentials. It works by delegating user authentication to the service that hosts the user account, and authorizing third-party applications to access that user account only to the extent the user approves. For example, it lets you limit your COC (Clash of Clans) game to your Facebook friend list instead of all your Facebook information. OAuth 2.0 provides authorization flows for web and desktop applications and mobile devices. There are a number of grants (methods) to perform this process between applications.

Before diving into OAuth 2.0: whenever I say OAuth 2.0 you will always get the question, what about OAuth 1.0? OAuth 2.0 is a replacement for OAuth 1.0, which was more complicated. OAuth 1.0 involved certificates etc. OAuth 2.0 is simpler. It requires no certificates at all, just SSL/TLS.

To understand OAuth 2.0 we must know about the roles, client types, grants/authorizations and endpoints in the concept. Importantly, once you are familiar with the overall concept you must know when to use each grant type and which will suit your context better.

Roles in OAuth 2.0:

1. Resource owner — the person or application that owns the data that is to be shared (e.g. you are the owner of your Facebook and Gmail accounts).

2. Resource server — the server that hosts the resource (Facebook is a server which hosts (contains) your account).

3. Client/client application — the application requesting access to the resources stored on the resource server (your COC game is the client that needs access to your basic info and Facebook friends’ details).

4. Authorization server — the server authorizing the client to access the resources of the resource owner (Facebook itself acts as the authorization server).

Sometimes the authorization server and the resource server can be the same, but it is really up to the enterprise to decide.

Client types:

Based on the ability of the client application to maintain the confidentiality of its client credentials, clients can be divided into 2 types:

  1. Public clients — clients incapable of maintaining the confidentiality of their credentials (e.g. clients executing on the device used by the resource owner, such as an installed native application or a web browser-based application), and incapable of secure client authentication via any other means, i.e. they cannot protect the client ID and client secret.
  2. Confidential clients — clients capable of maintaining the confidentiality of their credentials (e.g. a client implemented on a secure server with restricted access to the client credentials), or capable of secure client authentication using other means, i.e. they can protect the client ID and client secret.

When we register a client application at the authorization server, the client application is assigned a client ID and a client secret (password) by the authorization server. The client ID and secret are unique to the client application on that authorization server. If a client application registers with multiple authorization servers (e.g. Facebook, Twitter and Google), each authorization server will issue its own unique client ID to the client application.

(There is another client type called unregistered clients, which is beyond the scope of the OAuth 2.0 specification. This needs more security analysis and review of its interoperability impact.)

There are also 3 types of client profiles:

  1. web applications
  2. user agent applications
  3. native applications

(4. hybrid applications)

We will cover more on these in upcoming articles.

Authorization/Grant

This is the core feature that differentiates one implementation from another in OAuth 2.0. Basically there are 5 grant types:

  • Authorization code grant
  • Implicit grant
  • Resource owner credentials grant
  • Client credentials grant
  • Refresh token grant

The authorization code grant uses an authorization code to gain access to the resource; the implicit grant is very similar to it but differs in its responses.

In the resource owner credentials grant, the user sends his user name and password to the client, and the client uses those credentials to obtain an access token from the authorization server (so the user name and password must be provided to the client).

The client credentials grant is used when the client needs an access token from the authorization server for the resources under its own control. Neither of these (client credentials and resource owner credentials) needs an authorization code, and the client credentials grant doesn’t need a user login.

These grants will be elaborated on in upcoming articles. You should be very thorough with these grant types in order to use OAuth 2.0.

Abstract interaction flow

This is the abstract view of how the interaction flows through each entity.

  1. The application requests authorization to access service resources from the user.
  2. If the user authorizes the request, the application receives an authorization grant.
  3. The application requests an access token from the authorization server (API) by presenting authentication of its own identity and the authorization grant.
  4. If the application identity is authenticated and the authorization grant is valid, the authorization server (API) issues an access token to the application. Authorization is complete.
  5. The application requests the resource from the resource server (API) and presents the access token for authentication.
  6. If the access token is valid, the resource server (API) serves the resource to the application.

The actual flow of this process will differ depending on the authorization grant type in use.

End points

OAuth 2.0 defines a set of endpoints. An endpoint is typically a URI on a web server, for instance the address of a Java servlet, JSP page, PHP page, etc.

OAuth 2.0 endpoints

The authorization process utilizes two authorization server endpoints:

  1. Authorization endpoint — used by the client to obtain authorization from the resource owner via user-agent redirection.
  2. Token endpoint — used by the client to exchange an authorization grant for an access token, typically with client authentication.

As well as one client endpoint:

  3. Redirection endpoint — used by the authorization server to return responses containing authorization credentials to the client via the resource owner’s user-agent.

Not every authorization grant type utilizes both authorization server endpoints. Refresh grant types MAY define additional endpoints as needed.
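As an added example (not code from the original post), here is a toy in-memory simulation of the abstract interaction flow and the three endpoints above, using the authorization code grant with a confidential client. The client ID, secret, redirect URI and the user data are constructed values; a real deployment would put each endpoint behind HTTPS URIs.

```python
import secrets
import time

# Constructed registration data (assumed values for this example only).
CLIENTS = {"coc-game": {"secret": "s3cret", "redirect_uri": "https://coc.example/cb"}}


class AuthorizationServer:
    def __init__(self):
        self.codes = {}   # authorization code -> (client_id, user, scope, redirect_uri)
        self.tokens = {}  # access token -> (user, scope, expiry)

    def authorize(self, client_id, redirect_uri, scope, user, approved):
        """Authorization endpoint (steps 1-2): the resource owner approves or denies;
        a short-lived code is sent back to the client's registered redirection endpoint."""
        client = CLIENTS.get(client_id)
        if client is None or client["redirect_uri"] != redirect_uri or not approved:
            return None  # unknown client, mismatched redirect URI, or user declined
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, user, scope, redirect_uri)
        return code

    def token(self, client_id, client_secret, code, redirect_uri):
        """Token endpoint (steps 3-4): authenticate the confidential client, then swap
        the single-use code for an access token bound to the approved scope."""
        client = CLIENTS.get(client_id)
        if client is None or not secrets.compare_digest(client["secret"], client_secret):
            return None  # client authentication failed; code is left untouched
        entry = self.codes.pop(code, None)  # pop: a code may be redeemed only once
        if entry is None or entry[0] != client_id or entry[3] != redirect_uri:
            return None  # unknown/used code, or code issued to a different client
        token = secrets.token_urlsafe(24)
        self.tokens[token] = (entry[1], entry[2], time.time() + 3600)
        return token

    def introspect(self, token):
        """Lets the resource server check a token's validity, owner and scope."""
        entry = self.tokens.get(token)
        if entry is None or entry[2] < time.time():
            return None
        return {"user": entry[0], "scope": entry[1]}


class ResourceServer:
    def __init__(self, auth_server):
        self.auth_server = auth_server
        # Constructed resource owner data.
        self.data = {"alice": {"friends": ["bob"], "email": "alice@example.com"}}

    def get(self, token, resource):
        """Steps 5-6: serve the resource only if the token is valid and its scope covers it."""
        info = self.auth_server.introspect(token)
        if info is None or resource != info["scope"]:
            return None  # invalid token, or token not scoped for this resource
        return self.data[info["user"]][resource]
```

The game (client) gets the friend list it was approved for, but the same token does not unlock the e-mail address, and a code can be redeemed only once and only by the client it was issued to.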

Conclusion

This is just a basic interpretation of the concepts and terminologies specified in OAuth 2.0. However, this is a pretty deep framework (but not hard to understand :)) with its own complications. I’ll try my best to explain these concepts in my words. This article consists of various studies I did on this topic and is just an interpretation of OAuth 2.0 in my understanding. It is always better to search about these on your own; it will help you to gain more knowledge and better understanding.

Tharmakulasingham Inthirakumaaran


Software Engineer, CSE Undergraduate and amateur writer.
