What is OAuth 2.0?

Swarna Sahay
3 min read · Dec 26, 2019


The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service.

First of all, let me give you a small example. Suppose you have just downloaded a new app from the app store. The app requires you to register first. This process is usually cumbersome for a lot of people, since the user has to choose a username and a password. But the app also offers an option to register via Google. It means that if you have a Gmail account, you don't need to give your details explicitly to register; you will be registered with the app implicitly through your Google credentials. The user clicks on the icon and is redirected to the Google page, which asks for the Google credentials. After this is done, the user is redirected back to the callback URL, which we will get to know later.

In the above process, Google is allowing the app to hit Google's HTTP endpoint, which gives some details needed by the app. Here, the app is the third-party application. Now, it's not as if Google allows every third-party application to use its resources; there is a procedure, and it is called authorization of the third party. It means the third-party application needs authorization to use the Google resource.

At first, the third-party application has to register with Google by providing its name, website and callback URL. Then Google gives it a client ID and a client secret, which will be required at the time of the resource request. The callback URL is required so that the user can be redirected to it after the resource request is granted.

There are four terms which we should know:

  1. Resource Owner — an entity capable of granting access to a protected resource.
  2. Resource Server — the server accepting and responding to protected resource requests using access tokens.
  3. Authorization Server — the server issuing access tokens to the client after successfully authenticating the resource owner and obtaining authorization.
  4. Client — an application making protected resource requests on behalf of the resource owner.

The client first requests authorization from the resource owner. The resource owner provides the authorization grant back to the client; this authorization grant has a grant type. The client now makes a request to the authorization server by presenting the authorization grant. The authorization server validates the grant and then gives an access token to the client. The client then presents the access token to the resource server. The resource server validates the access token and returns the protected resource to the client.

There will be a part II of this blog in which we will go in more depth.

Reference Reading: https://tools.ietf.org/html/rfc6749
