OAuth 2.0 basics

Sanjeev Panday
Published in Javarevisited
6 min read · Aug 16, 2021

In this article we will go through the basics of OAuth 2.0 using a Q&A format. Q&A is my favorite way to learn a new concept, as it feels more interactive and helps me remember. So let’s get started; I hope you find this helpful too.

What is OAuth 2.0?

OAuth 2.0 (Open Authorization) is an industry-standard authorization framework, defined in RFC 6749. It enables clients (third-party applications) to obtain scoped, time-limited access to a protected resource on the resource owner’s behalf, without the client ever seeing or storing the resource owner’s (end user’s) credentials.

(The terms “client” and “third-party application” are used as synonyms in this article.)

Why can’t we use the traditional client-server authorization model?

In the traditional client-server authorization model, to access a protected resource the client authenticates to the server with the resource owner’s own credentials. That means the resource owner has to hand the client his/her username and password, and the client has to store them.

Traditional client server authorization model

This has many limitations; some of the major ones are:

  • Because the client stores the resource owner’s credentials (usually a password in clear text), any vulnerability in the client application exposes the resource owner’s password, and with it every other resource that password protects.
  • The client gains full access to the resource owner’s protected resources. The resource owner cannot restrict the scope or duration of that access, and cannot revoke one client’s access without changing the password, which revokes access for every client at once.

Okay, but how does OAuth 2.0 address these limitations?

OAuth 2.0 addresses them by introducing an authorization server and a separate credential for the client.

With OAuth 2.0, to access the protected resource the client obtains a different set of credentials (an access token) from the authorization server, with the approval of the resource owner. The resource owner authenticates only to the authorization server; the client never sees the password.

The access token represents the scope and duration of the access the resource owner granted, and it can be revoked without touching the resource owner’s password or the access of other clients.

Can you please explain the OAuth 2.0 flow in more detail?

Sure, let’s take a look at the authorization code grant type flow.

Authorization code grant type — OAuth 2.0 flow
  1. The client requests authorization from the resource owner. This request is usually made via the authorization server as an intermediary: the client redirects the resource owner’s browser to the authorization endpoint of the authorization server, where the resource owner authenticates and gives consent.
  2. The client receives an authorization grant (here, an authorization code) via a redirect back to its registered redirect URI. The authorization grant represents the resource owner’s authorization to access the protected resource and is used by the client to obtain the access token.
  3. The client requests an access token by presenting the authorization grant received in the previous step and by authenticating itself to the authorization server.
  4. The authorization server validates the client credentials (e.g. client id and client secret), validates the authorization grant (the code must be unexpired, unused, and issued to this client for this redirect URI), and issues an access token (and an optional refresh token).
  5. The client requests the protected resource from the resource server by presenting the access token.
  6. The resource server validates the access token (including its expiry and scope) and returns the protected resource.

Can you please explain a bit more about the client authentication with the authorization server?

As a prerequisite to OAuth 2.0, the client registers itself with the authorization server. There are different ways to register a client; the most common is a web-based registration form. Registration establishes trust with the authorization server and gives the client its properties (client identifier, client secret etc.). Typically during registration the client provides:

  • Client type
  • Client’s redirection URI(s)

Client types

  • Confidential: capable of securely storing its credentials, e.g. a web application whose back end runs on a secure server. It authenticates to the token endpoint with its client secret.
  • Public: not capable of securely storing its credentials, e.g. native device / desktop applications and user-agent based applications (where the code executes in the user agent, e.g. a browser). Anything embedded in such an application, including a “client secret”, must be assumed to be extractable by anyone who installs it, so the authorization server cannot rely on a secret to authenticate a public client.

What is an authorization grant?

An authorization grant represents the resource owner’s authorization to access the protected resource, and it is used by the client to obtain the access token.

The core OAuth 2.0 specification defines 4 grant types: authorization code (covered above), implicit, resource owner password credentials, and client credentials.

Implicit grant type

Implicit grant type flow

The implicit grant returns the access token directly in the redirect (in the URL fragment) with no token request at all, which exposes the token to the browser history, referrer leakage and any script running on the page. The OAuth 2.0 Security Best Current Practice recommends against it; browser-based and native clients should use the authorization code grant with PKCE (RFC 7636) instead.

Resource owner password credentials grant type

Resource owner password credentials grant type flow

Here the client collects the resource owner’s username and password itself and sends them to the token endpoint, which reintroduces exactly the credential-sharing problem OAuth was designed to remove. The specification allows it only for legacy clients that are being migrated, and the Security Best Current Practice likewise recommends against it.

Client credentials grant type

Client credentials grant type flow

Here the client authenticates with its own credentials and receives an access token for resources it controls itself (machine-to-machine calls). No resource owner is involved, so there is no authorization request and no consent screen; only confidential clients can use it.

What is an access token?

Access tokens are the credentials used to access the protected resource. They represent the specific scope and duration of the access granted by the resource owner, and both are enforced by the resource server and the authorization server. Access tokens are bearer credentials: whoever holds one can use it, so they are kept short-lived and must only travel over TLS.

What is a refresh token?

When the access token expires or becomes invalid, the client can use the refresh token to obtain a new access token from the authorization server without involving the resource owner again. Refresh tokens are long-lived, are issued at the authorization server’s discretion (typically only to confidential clients), and are never sent to the resource server; they are presented only to the authorization server’s token endpoint.
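An added example, not from the original article, showing the division of labour the two tokens imply: a resource server that checks a bearer access token’s lifetime and scope, and a client that, on an expired token, goes back to the token endpoint with the refresh token and retries. The in-memory TOKENS / REFRESH_TOKENS stores, the client registration (app-1 / s3cret), the fixed NOW timestamp and the sample token strings are all constructed for the example; the refresh-token rotation in token_endpoint_refresh follows the OAuth 2.0 Security Best Current Practice rather than anything RFC 6749 requires.

```python
import hmac
import secrets

# Constructed in-memory state standing in for the authorization server's
# database. Every value here (tokens, client, timestamp) is made up for the example.
NOW = 1_700_000_000            # fixed "current time" so the example is deterministic
CLIENTS = {"app-1": "s3cret"}  # client_id -> client_secret (a confidential client)
TOKENS = {                     # access_token -> what the resource server must enforce
    "at-expired-111": {"scope": {"photos:read"}, "expires_at": NOW - 60},
    "at-valid-222": {"scope": {"photos:read"}, "expires_at": NOW + 3600},
}
REFRESH_TOKENS = {             # refresh_token -> owner; only the authorization server sees these
    "rt-333": {"client_id": "app-1", "scope": {"photos:read"}},
}


def resource_server(headers, required_scope, now=NOW):
    """Resource server: validate the bearer token, then enforce lifetime and scope.
    Returns (http_status, body)."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        return 401, {"error": "invalid_request"}
    meta = TOKENS.get(token)
    if meta is None or meta["expires_at"] <= now:
        return 401, {"error": "invalid_token"}       # unknown or expired: client should refresh
    if required_scope not in meta["scope"]:
        return 403, {"error": "insufficient_scope"}  # valid token, but not for this operation
    return 200, {"photos": ["a.jpg", "b.jpg"]}


def authenticate_client(form):
    """Authorization server: a confidential client proves its identity on every token request."""
    secret = CLIENTS.get(form.get("client_id"))
    return secret is not None and hmac.compare_digest(secret, form.get("client_secret", ""))


def token_endpoint_refresh(form, now=NOW):
    """Authorization server: grant_type=refresh_token. Issues a fresh access token and
    rotates the refresh token, so a stolen-and-replayed refresh token is refused."""
    if not authenticate_client(form):
        return 401, {"error": "invalid_client"}
    if form.get("grant_type") != "refresh_token":
        return 400, {"error": "unsupported_grant_type"}
    owner = REFRESH_TOKENS.pop(form.get("refresh_token"), None)  # consumed on first use
    if owner is None or owner["client_id"] != form["client_id"]:
        return 400, {"error": "invalid_grant"}
    new_at, new_rt = "at-" + secrets.token_urlsafe(16), "rt-" + secrets.token_urlsafe(16)
    TOKENS[new_at] = {"scope": owner["scope"], "expires_at": now + 3600}
    REFRESH_TOKENS[new_rt] = owner
    return 200, {"access_token": new_at, "token_type": "Bearer", "expires_in": 3600,
                 "refresh_token": new_rt, "scope": " ".join(sorted(owner["scope"]))}


def fetch_photos(client_id, client_secret, access_token, refresh_token):
    """Client: call the resource server; on invalid_token, refresh once and retry.
    The refresh token goes only to the authorization server, never to the resource server.
    Returns (status, body, access_token, refresh_token) with the tokens the client should keep."""
    status, body = resource_server({"Authorization": f"Bearer {access_token}"}, "photos:read")
    if status == 401 and body.get("error") == "invalid_token" and refresh_token:
        t_status, t_body = token_endpoint_refresh({
            "grant_type": "refresh_token", "refresh_token": refresh_token,
            "client_id": client_id, "client_secret": client_secret})
        if t_status != 200:
            return t_status, t_body, None, None  # refresh failed: user must re-authorize
        access_token, refresh_token = t_body["access_token"], t_body["refresh_token"]
        status, body = resource_server({"Authorization": f"Bearer {access_token}"}, "photos:read")
    return status, body, access_token, refresh_token


if __name__ == "__main__":
    print(fetch_photos("app-1", "s3cret", "at-expired-111", "rt-333"))
```

The resource server never learns about refresh tokens and answers 401 invalid_token for an expired access token, which is the client’s cue to refresh; a valid token that lacks the needed scope gets 403 insufficient_scope instead, and refreshing will not help there. Because the old refresh token is popped before the new pair is issued, replaying it after rotation fails with invalid_grant.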

What are the different endpoints involved in OAuth 2.0?

The authorization server exposes 2 endpoints:

  • Authorization endpoint: handles all the interaction with the resource owner, typically in a browser. The resource owner authenticates here and grants (or denies) the client’s request, and the authorization server then redirects the browser back to the client’s registered redirect URI. Only the authorization code and implicit grants use it.
  • Token endpoint: used by the client to exchange an authorization grant (or a refresh token) for an access token. It is called directly by the client over TLS (a back-channel request, not a browser redirect), and confidential clients authenticate to it.

The client, in turn, exposes the redirection endpoint (the redirect URI) that receives the authorization response.

Can you show sample request and response for these endpoints (authorization and token)?

Authorization request

Authorization request
  • response_type: identifies which grant type the authorization flow is going to use. “code” is used for the authorization code grant type.
  • client_id: the unique identifier of the client application, issued at registration.
  • redirect_uri: the endpoint to which the authorization server will redirect the resource owner after he/she has authenticated and given consent. This redirect URI must already be registered with the authorization server, and the authorization server should compare it to the registered value with an exact string match; if it does not match, the server must not redirect at all, otherwise the code could be delivered to an attacker’s URL.
  • scope: defines the scope of access requested, as space-delimited values defined by the authorization server. If absent, the authorization server may process the request with a default scope or fail the request.
  • state: an opaque value the client generates per request and binds to the user’s session; recommended for preventing cross-site request forgery. It is optional in the specification, but if present the authorization response must carry it back with exactly the same value, and the client must reject any response whose state does not match what it stored.

Authorization Response

After the resource owner authenticates and consents to what the client requested (scope), the authorization server redirects the resource owner to the redirect_uri from the authorization request, with the authorization code in the code query parameter (and the state value echoed back). If the resource owner denies the request, or the request is invalid, the redirect carries an error parameter (e.g. access_denied) instead of a code. The authorization code is short-lived (the specification recommends a lifetime of at most 10 minutes) and single-use.

Authorization response

Token Request

In the token POST request (application/x-www-form-urlencoded body), the client passes the grant type (authorization_code in this example), the authorization code received in the authorization response, the same redirect_uri that was used in the authorization request, and its client_id and client_secret. The authorization server checks that the code was issued to this client for this redirect_uri and has not been used before; a reused code must be rejected, and the specification recommends revoking any tokens already issued from it.

Sample token request

Token Response

The token response is a JSON document carrying the access token and its token type (Bearer here), usually together with expires_in (the lifetime in seconds), the granted scope, and optionally a refresh token. The client then sends the access token in the Authorization header (Authorization: Bearer <access_token>) when calling the resource server.

Token response

response_type and grant_type values for the authorization and token requests of each grant type (as defined in RFC 6749):

  • Authorization code: authorization request with response_type=code; token request with grant_type=authorization_code
  • Implicit: authorization request with response_type=token; no token request (the access token comes back in the redirect’s URL fragment)
  • Resource owner password credentials: no authorization request; token request with grant_type=password
  • Client credentials: no authorization request; token request with grant_type=client_credentials
  • Refreshing an access token: token request with grant_type=refresh_token

Summary

In this article we discussed what OAuth 2.0 is and how it addresses the limitations of the traditional authorization model. We then looked at the various grant types, when to use each of them and their high-level flow. We also discussed the different client types. At the end of the article we looked at sample authorization and token requests / responses.

Conclusion

We have covered the basics of the OAuth 2.0 specification. If you are interested in digging deeper into some of the concepts we discussed in this article, I highly recommend reading the original OAuth 2.0 specification, RFC 6749.

About the author: Sanjeev Panday, Javarevisited. Tech lead with 13 years of experience in enterprise application development.