A complete guide to Oauth2 authentication
When we visit most of the sites these days, we have seen a screen that says log in with Facebook, Twitter, GitHub, Google, and many more. It is a fairly common thing on the internet. What this does is take your current account information from one of these providers and use it to signup. This makes it a lot easier to signup as a user because we do not need to add our profile information such as our picture, name, or email. We all have used these as a user to sign up and also as a developer to integrate these services into our application.
The one thing that is common among all these service providers like facebook and google is that they use the same protocol, OAuth2 authentication and OpenID connect. Oauth2 authentication was designed to solve the delegation problem. OpenID is a protocol on top of Oauth2 for authentication.
The delegation problem
Let us take a scenario where you want to create a new account in skype. You join skype, but you do not have any contacts there yet. You used a Gmail account to signup for your account. You want to add all your contacts in Gmail who are in skype. In this scenario, skype will need to get access to your Gmail contacts and recommend you the contacts who are in skype.
The simple solution to this would be to provide Skype, your Gmail account password. Skype can access your account and recommend you the contacts.
There are a few problems with this approach:
How Oauth2 solves the delegation problem
Oauth2 authentication was designed as an industry pattern to solve the delegation problem. Oauth2 authentication provides a secure resource delegation between services.
Let us use the same Skype-Gmail example to explain the solution. There are four different roles:
The resource owner is the actual owner of the resource. In our example, the end-users login into the skype is the owner.
The server which wants to access data is called a client-server. In our case, Skype is a client-server.
The resource-server provides the resource the client wants to access. Here, the resource server is Gmail. The resource-server has details about the ‘contacts’ resource.
The authorization-server provides the client-server access to the resource on the resource server.
Let us look into how there 4 roles interact while granting resource access. Here, the Resource owner(we) wants to provide the Client(Skpye), access to the resource-server(Gmail contacts).
Different Oauth2 grants:
Oauth2 provides different grant flows for different use cases. Let us take a look into the details of each auth flow.
Code grant
Code grant flow is the most used auth flow for public clients to exchange the authorization code with a token. The resource owner wants to grant access to a resource to a client. In this case, the client redirects the user to the login server. Here the user is authenticated and redirected back to the client with an authorization code. This code can be used by the client to exchange it with a token.
Let us look at the Skype-Gmail example here as well:
The code should be invalidated to protect from repetitive token fetch.
The code should not be valid for a long duration and should expire after a few minutes.
While a client requests code a state parameter is generated in the client and send to the auth server. The auth server redirects the user to the redirect URL with the same state. This state is validated by the client to protect against XSRF.
There are two API calls needed for the steps above.
Get Authorization Code
URL: https://auth-server.com/auth
request params:
response_type=code
client_id=29352915982374239857
redirect_uri=https://client.com/redirect
scope=create+delete
state=xcoiv98y2kd22vusuye3kchWith the above request, code is returned in response to the provided redirect URL.
Exchange Code for a Token
URL: https://auth-server.com/token
request params:
code: nao1n3f
grant_type: authorization_code
client_id: 29352915982374239857
client_secret: uf1ie98f2kda2vu25uye3k1hThe response of the API will provide a token:
{
"access_token":"K1Z04lLdZ1S0pIMF09DI1FTZjJ1jmOO06",
"token_type":"bearer",
"expires_in":3600,
"refresh_token":"IzH6bFh6laf6gQ6TgA3sj19mfgA5egZx9a",
"scope":"create delete"
}The client can use the “ access_token” to access the resource.
Refresh token
The access token provided by any other grant flow has an expiration time. The client can use the refresh token as a grant to fetch the access token after the access token is expired.
A refresh token generally has a longer expiry duration. With the refresh token, the client can get the access token without reauthorization from the resource owner.
The client needs to provide refresh_token, client_id and client_secret while using this flow.
URL: https://auth-server.com/token
request params:
grant_type: refresh_token
client_id: 29352915982374239857
client_secret: uf1ie98f2kda2vu25uye3k1hThe response of API is the same as the access token.
Client Credential grant
This auth flow is used to grant the token outside the context of a user. The trusted client can use this to access resources that are not related to a user.
URL: https://auth-server.com/token
request params:
grant_type: client_credential
client_id: 29352915982374239857
client_secret: uf1ie98f2kda2vu25uye3k1hThe response of API is the same as the access token.
Besides, the above grants there are other auth grants available too:
- Implicit — Implicit grant flow provides the token directly without the code step. This grant flow is not recommended for security reasons.
- Password — This flow is used by the trusted first-party client only. In this flow, the username and password are directly provided to the client. The client can directly use it to access the token.
- Device Code
Oauth2 is a protocol that solves the deligation problem in a secure way. It is an industry-standard protocol. On top of the oauth2 is OpenID connect which helps in the authentication of a user. I will be writing about OpenID in my next blog.
More discussions on this can be found here https://news.ycombinator.com/item?id=20856443
Interested in learning Golang? Get started here: https://milapneupane.com.np/2019/07/06/learning-golang-from-zero-to-hero/
Originally published at https://milapneupane.com.np on September 2, 2019.