OAuth 2.0: An Overview and Simple Guide to Build a Sample Application

Udana Abisheka Rathnayaka
5 min read, Sep 24, 2019


OAuth 2.0 … What is it?

In simple words, OAuth 2.0 (Open Authorization 2.0) is the industry-standard protocol for authorization. It lets an application obtain limited access to a user's account on an HTTP service. Resources stored on one site (such as Facebook, LinkedIn or YouTube) can be shared with another site without handing over the user's credentials: tokens are used instead of the user's actual username and password. Many web applications and services have adopted OAuth 2.0 because of its flexibility. Note that OAuth 2.0 is an authorization framework, not an authentication protocol; when it is used for login, that is done through a layer built on top of it such as OpenID Connect.

Let’s take a look at the difference between ‘Authentication’ and ‘Authorization’.

Source : https://www.ssl2buy.com/wiki/wp-content/uploads/2019/04/authentication-vs-authorization.jpg

Authentication verifies identity: it checks that the user (or system) is who it claims to be. Authorization comes after authentication and decides which actions that authenticated individual is, or is not, permitted to perform.

Architecture of OAuth 2.0

Figure : Architecture

Ultimately, the goal of OAuth 2.0 is for the client application to obtain an access_token and present it when accessing protected resources.

Why Use OAuth 2.0?

01. The client application never sees the user's credentials for the service.

02. An application can read a user's data held by another application, limited to the scopes the user approved.

03. It is widely used as the foundation for login (through OpenID Connect) and is simpler to implement than earlier approaches such as OAuth 1.0, which required every request to be signed.

04. It defines flows (grant types) for server-side web applications, single-page applications, mobile applications and desktop applications.

05. It relies on TLS to protect tokens and credentials in transit rather than on message-level cryptography of its own, so every authorization, token and resource endpoint must be served over HTTPS.

The core OAuth 2.0 specification defines four grant types and four roles.

OAuth 2.0 Grant Types

  1. Authorization Code Grant
  2. Implicit Grant
  3. Resource Owner Password Credentials Grant
  4. Client Credentials Grant

Authorization Code Grant — Used by server-side web applications. The client first receives an authorization code via the user's browser and then exchanges it, over a back channel together with its client credentials, for an access token. With the PKCE extension it is also the recommended flow for mobile and single-page applications.

Implicit Grant — The access token is returned directly in the redirect URL fragment, without an intermediate authorization code. It was designed for mobile and single-page applications, but it is now discouraged because the token is exposed to browser history, referrers and any script on the page; the authorization code grant with PKCE should be used instead.

Resource Owner Password Credentials Grant — The user gives their username and password directly to the client application, which sends them to the authorization server in exchange for an access token. This defeats the main purpose of OAuth (keeping credentials away from the client), so it is only acceptable for highly trusted first-party applications and is also discouraged today.

Client Credentials Grant — The client application authenticates with its own credentials (client_id and client_secret) to obtain an access token for resources it owns itself. No user is involved.

OAuth 2.0 Roles

  1. Resource Owner
  2. Client Application
  3. Authorization Server
  4. Resource Server

Resource Owner — The user who authorizes an application to access their account, limited to a specific scope.

Client Application — The application that wants to access the user's account. It must be registered with the authorization server and authorized by the user; it is not the user's own application.

Authorization Server — Verifies the user's identity and consent, then issues access tokens to the client application.

Resource Server — Hosts the protected user resources. The client application presents the access token to it to retrieve or modify those resources.

Flow of the OAuth 2.0 Protocol

Figure : OAuth 2.0 Protocol Flow

Let’s see how to implement a sample application that allows users to browse and upload files to their Google Drive using the OAuth 2.0 Authorization Code Grant flow.

Stage I — Create a project

01. Go to https://console.developers.google.com/ and sign in with your Google (Gmail) account.

Figure : Developers Console

02. Select ‘Select a project’.

Figure : Select a project

03. Select ‘New Project’.

Figure : New Project

04. Fill in the application name and press ‘Create’.

Figure : Creating Application

05. The created project is displayed in the dashboard.

Figure : Created Project

Stage II — Generate credentials and download the JSON

01. Click ‘ENABLE APIS AND SERVICES’.

Figure : Enable APIs and Services

02. Search for Google Drive API.

Figure : Google Drive API

03. Select it and Enable it.

04. Click the Create Credentials button.

Figure : Create credentials

05. Fill in the details of the application.

Figure : Details of the application.

06. Set up OAuth consent screen.

Figure : Consent Screen

07. Click ‘Create Credentials’.

Figure : Create Credentials

08. Select OAuth client ID.

Figure : OAuth client ID

09. Select ‘Other’ and fill in the name of the application.

Figure : Name of the application

10. The client ID and client secret are generated. Download the JSON file to your PC and keep it out of version control: the client secret must stay private, since anyone holding it can present themselves as your application at the token endpoint.

Figure : Client ID and Client Secret
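The downloaded file is the only configuration the client application needs to start the flow. The following Python is an added example, not code from the original post or from its Spring Boot project: it parses a constructed JSON in the shape the console produces (placeholder values, not real credentials), builds the authorization URL with a random state and a PKCE code challenge (PKCE is an addition the post itself does not use), checks the callback, and prepares the token request. The redirect URI, the scope and the placeholder identifiers are assumptions.

```python
import base64
import hashlib
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed sample in the shape of the file the console downloads for an
# OAuth client of type "Other" (nested under "installed"; web clients use "web").
# The values are placeholders, not real credentials.
SAMPLE_CLIENT_SECRET_JSON = json.dumps({
    "installed": {
        "client_id": "123456789012-abcdefghijklmnop.apps.googleusercontent.com",
        "project_id": "drive-upload-sample",
        "auth_uri": "https://accounts.google.com/o/oauth2/auth",
        "token_uri": "https://oauth2.googleapis.com/token",
        "client_secret": "placeholder-client-secret",
        "redirect_uris": ["http://localhost:8080/oauth2callback"],
    }
})

# Scope that only covers files the application itself creates (an assumption
# for this example; the post's application asks for full Drive access).
DRIVE_FILE_SCOPE = "https://www.googleapis.com/auth/drive.file"


def load_client_config(raw_json):
    """Return the client block and check that the fields the flow needs are present."""
    doc = json.loads(raw_json)
    cfg = doc.get("installed") or doc.get("web")
    if cfg is None:
        raise ValueError("no 'installed' or 'web' block in client secret JSON")
    for field in ("client_id", "client_secret", "auth_uri", "token_uri", "redirect_uris"):
        if field not in cfg:
            raise ValueError("client secret JSON is missing " + field)
    return cfg


def pkce_challenge(verifier):
    """S256 code challenge (RFC 7636): base64url(sha256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode()).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def new_pkce_verifier():
    """Random verifier; it never leaves the client until the token request."""
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()


def build_authorization_url(cfg, redirect_uri, scope, state, code_verifier):
    """Step 1: the URL the user's browser is sent to. Refuses an unregistered redirect_uri."""
    if redirect_uri not in cfg["redirect_uris"]:
        raise ValueError("redirect_uri is not one registered in the console")
    params = {
        "response_type": "code",
        "client_id": cfg["client_id"],
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "code_challenge": pkce_challenge(code_verifier),
        "code_challenge_method": "S256",
        "access_type": "offline",   # ask Google for a refresh token as well
    }
    return cfg["auth_uri"] + "?" + urlencode(params)


def parse_callback(callback_url, expected_state):
    """Step 4: read the code off the redirect; reject it if state does not match ours."""
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        raise PermissionError("authorization server returned " + query["error"][0])
    if query.get("state", [None])[0] != expected_state:
        raise PermissionError("state mismatch: callback does not belong to our request")
    return query["code"][0]


def build_token_request(cfg, code, redirect_uri, code_verifier):
    """Step 5: token endpoint and form body. The client secret appears only here,
    in a back-channel POST, never in the browser-facing URL."""
    body = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": cfg["client_id"],
        "client_secret": cfg["client_secret"],
        "code_verifier": code_verifier,
    }
    return cfg["token_uri"], body
```

Two properties are worth noticing: the redirect_uri is refused unless it is one registered in the console, and the client secret only ever appears in the server-to-server token request, never in the URL shown to the browser.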

Stage III — Implement the Client Application.

Authorization Code Grant Message Flow

Figure : Authorization Grant Message Flow

01. The client application redirects the user's browser to the authorization server with an authorization request (its client_id, redirect_uri, the requested scope and a random state value).

02. The authorization server authenticates the user and asks whether to grant the client application the requested access.

03. The user grants consent.

04. The authorization server redirects the browser back to the client application's registered redirect_uri with a short-lived authorization code and the same state value.

05. After checking that the state matches the one it sent, the client application sends an access token request (the code, its redirect_uri and its client credentials) directly to the authorization server's token endpoint.

06. The authorization server verifies the code and the client credentials and returns the access token to the client application.

07. The client application sends its request to the resource server with the access token in the Authorization: Bearer header.

08. The resource server validates the token and returns the requested resource to the client application.
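The eight steps above describe the messages; the checks the authorization server and the resource server make on each of them are what keep the flow safe. The following Python is an added example, not code from the original post or from its Spring Boot project: an in-memory authorization server and resource server with a constructed client registration, a simplified scope name ("drive.file" rather than the full Google scope URL) and PKCE, which the post does not use. Token introspection is modelled as a direct lookup; a real resource server would validate a signed JWT or call an RFC 7662 introspection endpoint.

```python
import base64
import hashlib
import secrets
import time

# Constructed client registration, standing in for what the console stores.
REGISTERED_CLIENTS = {
    "sample-client-id": {
        "client_secret": "sample-client-secret",
        "redirect_uris": ["http://localhost:8080/oauth2callback"],
    }
}
CODE_LIFETIME = 60      # seconds an authorization code stays valid
TOKEN_LIFETIME = 3600   # seconds an access token stays valid


class OAuthError(Exception):
    """Carries the error code the spec would return (invalid_grant, invalid_token, ...)."""


class AuthorizationServer:
    def __init__(self, now=time.time):
        self.now = now
        self._codes = {}     # code -> the request it was issued for
        self._tokens = {}    # access token -> (scope, expiry)

    def authorize(self, client_id, redirect_uri, scope, state, code_challenge, user_consented):
        # Steps 1-4: validate the request, record consent, issue a short-lived code.
        client = REGISTERED_CLIENTS.get(client_id)
        if client is None or redirect_uri not in client["redirect_uris"]:
            raise OAuthError("invalid_request")   # never redirect to an unregistered URI
        if not user_consented:
            return {"error": "access_denied", "state": state}
        code = secrets.token_urlsafe(32)
        self._codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri, "scope": scope,
                             "code_challenge": code_challenge, "expires": self.now() + CODE_LIFETIME}
        return {"code": code, "state": state}    # state is echoed back unchanged

    def token(self, client_id, client_secret, code, redirect_uri, code_verifier):
        # Steps 5-6: every binding made when the code was issued is re-checked here.
        client = REGISTERED_CLIENTS.get(client_id)
        if client is None or not secrets.compare_digest(client["client_secret"], client_secret):
            raise OAuthError("invalid_client")
        issued = self._codes.pop(code, None)      # pop: one redemption attempt, successful or not
        if issued is None or issued["expires"] < self.now():
            raise OAuthError("invalid_grant")
        if issued["client_id"] != client_id or issued["redirect_uri"] != redirect_uri:
            raise OAuthError("invalid_grant")
        digest = base64.urlsafe_b64encode(hashlib.sha256(code_verifier.encode()).digest())
        if digest.rstrip(b"=").decode() != issued["code_challenge"]:
            raise OAuthError("invalid_grant")     # PKCE: verifier must match the challenge
        access_token = secrets.token_urlsafe(32)
        self._tokens[access_token] = (issued["scope"], self.now() + TOKEN_LIFETIME)
        return {"access_token": access_token, "token_type": "Bearer",
                "expires_in": TOKEN_LIFETIME, "scope": issued["scope"]}

    def introspect(self, access_token):
        """Scope of a live token, or None if unknown or expired."""
        entry = self._tokens.get(access_token)
        if entry is None or entry[1] < self.now():
            return None
        return entry[0]


class ResourceServer:
    def __init__(self, auth_server):
        self.auth_server = auth_server
        self.files = {}

    def upload(self, headers, name, content):
        # Steps 7-8: serve only with a live Bearer token that carries the needed scope.
        auth = headers.get("Authorization", "")
        if not auth.startswith("Bearer "):
            raise OAuthError("invalid_request")
        scope = self.auth_server.introspect(auth[len("Bearer "):])
        if scope is None:
            raise OAuthError("invalid_token")
        if "drive.file" not in scope.split():
            raise OAuthError("insufficient_scope")
        self.files[name] = content
        return {"id": str(len(self.files)), "name": name, "size": len(content)}


def run_client_flow(auth_server, resource_server, consent=True):
    """Client side of the eight steps; returns the token response and the upload result."""
    state, verifier = secrets.token_urlsafe(16), secrets.token_urlsafe(32)
    challenge = base64.urlsafe_b64encode(hashlib.sha256(verifier.encode()).digest()).rstrip(b"=").decode()
    redirect_uri = "http://localhost:8080/oauth2callback"
    callback = auth_server.authorize("sample-client-id", redirect_uri, "drive.file", state, challenge, consent)
    if callback.get("state") != state:            # ties the callback to this client's own request
        raise OAuthError("state_mismatch")
    if "error" in callback:
        raise OAuthError(callback["error"])
    tok = auth_server.token("sample-client-id", "sample-client-secret", callback["code"], redirect_uri, verifier)
    headers = {"Authorization": tok["token_type"] + " " + tok["access_token"]}
    return tok, resource_server.upload(headers, "report.pdf", b"%PDF-1.4 constructed sample")
```

run_client_flow plays the client side of the eight steps. The points a reviewer looks for are all present: the redirect URI is checked before any redirect happens, the state value is compared on the callback, an authorization code is bound to the client, redirect URI and PKCE challenge it was issued for and is consumed on the first redemption attempt, and the resource server refuses a missing, unknown, expired or under-scoped token.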

The client application in this guide is a simple Spring Boot file-uploading application that stores the uploaded files in Google Drive.

Stage IV — Run the Client Application.

01. Click the Login button to choose the Google account whose Drive will receive the uploaded files.

Figure : Homepage

02. Choose the Google account that owns the Google Drive.

Figure : Gmail Account

03. Allow the permission to view, edit, create and delete your Google Drive files. (This is the full-access Drive scope; an application that only uploads files of its own could ask for the narrower drive.file scope, which limits it to files it created.)

Figure : Allowing the permission

04. Confirm the permission grant.

Figure : Permission Confirmation

05. Click the ‘Choose Files’ button to browse for the files that need to be uploaded to Google Drive, then click the ‘Upload Files to Drive’ button.

Figure : Application Page

06. Once the upload completes, refresh Google Drive to see the files.

Please find the completed source code here.

