What is OAuth really all about — Terminologies and Flow

Jolly Fish
Technically True🚀
Jul 16, 2020

This article is based on the video tutorial on OAuth by Java Brains.

What is OAuth for

OAuth is used for Authorization, not Authentication. Authentication is the process of verifying who a user is, while Authorization is the process of verifying what they have access to. OAuth allows authorization not only between users and services but also between services.

For example, a Photo Printing App may require access to the user's Google Photos. Instead of handing the app the user's Google credentials, which would grant it access to everything, the goal is to grant it access to just the subset of services it needs.

OAuth is a standard that allows services to access each other on behalf of the user.

Valet Key Example

The car owner hands the car keys to the valet, and the valet parks the car. To prevent theft, some cars come with a valet key that has reduced access. The valet service needs access to the car's services, but only the required subset is provided by the owner, through the valet key. This represents delegated access.

OAuth flow

In the Photo Printing example, we have two services and a user. Each service trusts the user but not the other service.

Flow involved in OAuth

In our example, the pictures on Google Drive are the Resource, which is stored securely on the Resource Server (Google Photos). The Resource Owner is the actual owner of the photos. The Client is the entity requesting access to the Resource on behalf of the Resource Owner.

The burden of security is on the Resource Server, i.e. Google Photos itself. Thus, Google provides a separate but coupled Authorization Server (AuthServer). The AuthServer issues the Access Tokens that the Client later presents to the Resource Server, which validates them.

OAuth Flow 1: Authorization Code Flow

  1. The Resource Owner requests a service from the Client, in our case, printing the photos.
  2. The Client contacts the AuthServer to request access to the Resource, i.e. the photos on Google's servers.
  3. The AuthServer prompts the Resource Owner to confirm the request it received from the Client.
  4. On confirmation from the Resource Owner, the AuthServer sends the Client an Authorization Token (the authorization code that gives this flow its name).
  5. The Client exchanges the Authorization Token for an Access Token at the AuthServer.
  6. The Client contacts the Resource Server and presents the Access Token.
  7. The Resource Server provides the Resource to the Client.

OAuth Flow 2: Implicit Flow

Starts off the same way as Flow 1 up to Step 3. From there, instead of issuing an Authorization Token to be exchanged, the AuthServer directly provides the Client with the Access Token.

The drawback of the Implicit Flow is that the Access Token may be obtained and used by unauthorized parties. The first flow is more secure, as the Access Token exchange (Step 5) is a separate step that can be secured on its own, with the Authorization Token as its input.

The Implicit Flow is better suited for short-lived Access Tokens used by JavaScript applications.
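To make the two flows concrete, here is an added example in Python; it is not code from the article or from the Java Brains video. It stands up a toy in-memory AuthServer, Resource Server and photo-printing Client, walks through Steps 1 to 7 of the Authorization Code Flow, and then takes the Implicit Flow shortcut with the same consent. The client id, client secret, redirect URL, scope names (photos.read, photos.upload) and the photo library are all constructed values. It goes a little beyond the text in showing why the extra exchange step is the safer design, and why OAuth grants only a subset of services: the Authorization Token is single use, short-lived and worthless without the Client's secret, whereas in the Implicit Flow the Access Token itself is what comes back through the user agent, and the Resource Server refuses a token whose scope does not cover the request.

```python
# Added example, not code from the article or the Java Brains video: an in-memory AuthServer,
# Resource Server and Client acting out both flows; every id, secret, URL, scope and photo is constructed.
import secrets
import time

CLIENT_ID, CLIENT_SECRET = "print-app", "print-app-secret"    # constructed
REDIRECT_URI = "https://print.example/callback"                # constructed
PHOTO_LIBRARY = {"alice": ["beach.jpg", "dog.jpg"]}            # constructed Resource

class AuthServer:
    CODE_TTL, TOKEN_TTL = 60, 3600   # seconds; codes are short-lived, tokens live longer

    def __init__(self):
        self.clients = {}   # client_id -> (client_secret, registered redirect_uri)
        self.codes = {}     # code -> record; each code is single use
        self.tokens = {}    # access_token -> record (owner, scope, expires)

    def authorize(self, client_id, redirect_uri, scope, owner, approved, response_type="code"):
        # Steps 2-4: the owner has answered the prompt; build the redirect back to the Client
        if not approved:
            raise PermissionError("resource owner denied the request")
        if redirect_uri != self.clients[client_id][1]:
            raise PermissionError("redirect_uri does not match the registered one")
        if response_type == "token":
            # Implicit Flow: the Access Token itself travels back through the user agent
            return f"{redirect_uri}#access_token={self._issue_token(owner, scope)}"
        code = secrets.token_urlsafe(32)
        self.codes[code] = dict(client_id=client_id, redirect_uri=redirect_uri, scope=scope,
                                owner=owner, expires=time.time() + self.CODE_TTL)
        return f"{redirect_uri}?code={code}"

    def token(self, client_id, client_secret, code, redirect_uri):
        # Step 5: back-channel exchange; only the registered Client holding its secret succeeds
        record = self.codes.pop(code, None)   # consumed on the first attempt, valid or not
        registered_secret, _ = self.clients.get(client_id, ("", ""))
        if (record is None or record["expires"] < time.time()
                or record["client_id"] != client_id or record["redirect_uri"] != redirect_uri
                or not secrets.compare_digest(registered_secret, client_secret)):
            raise PermissionError("code unknown, used or expired, or client authentication failed")
        return self._issue_token(record["owner"], record["scope"])

    def _issue_token(self, owner, scope):
        token = secrets.token_urlsafe(32)
        self.tokens[token] = dict(owner=owner, scope=scope, expires=time.time() + self.TOKEN_TTL)
        return token

    def introspect(self, token):
        # Lets the coupled Resource Server check a token it is handed (Step 6)
        record = self.tokens.get(token)
        return None if record is None or record["expires"] < time.time() else record

class ResourceServer:
    # Google Photos in the article: hands out the Resource only to a valid, correctly scoped token
    def __init__(self, auth_server, library):
        self.auth, self.library = auth_server, library

    def get_photos(self, access_token):
        record = self.auth.introspect(access_token)
        if record is None:
            raise PermissionError("invalid or expired access token")
        if "photos.read" not in record["scope"].split():
            raise PermissionError("token does not carry the photos.read scope")
        return list(self.library[record["owner"]])   # Step 7

def setup():
    auth = AuthServer()
    auth.clients[CLIENT_ID] = (CLIENT_SECRET, REDIRECT_URI)   # Client registered out of band
    return auth, ResourceServer(auth, PHOTO_LIBRARY)

def refused(call, *args):   # True when the call is rejected with PermissionError
    try:
        call(*args)
        return False
    except PermissionError:
        return True

def authorization_code_flow():
    # Steps 1-7 for the photo-printing Client, then a replay of the already used code
    auth, photos = setup()
    code = auth.authorize(CLIENT_ID, REDIRECT_URI, "photos.read", "alice", True).split("code=", 1)[1]
    result = photos.get_photos(auth.token(CLIENT_ID, CLIENT_SECRET, code, REDIRECT_URI))
    return result, refused(auth.token, CLIENT_ID, CLIENT_SECRET, code, REDIRECT_URI)

def code_without_secret_is_useless():
    # Whoever holds only the front-channel code cannot turn it into an Access Token
    auth, _ = setup()
    code = auth.authorize(CLIENT_ID, REDIRECT_URI, "photos.read", "alice", True).split("code=", 1)[1]
    return refused(auth.token, CLIENT_ID, "guessed-secret", code, REDIRECT_URI)

def implicit_flow():
    # Same consent, but the Access Token itself comes straight back in the URL fragment
    auth, photos = setup()
    redirect = auth.authorize(CLIENT_ID, REDIRECT_URI, "photos.read", "alice", True, "token")
    return "#access_token=" in redirect, photos.get_photos(redirect.split("#access_token=", 1)[1])

def scope_is_enforced():
    # A token granted only photos.upload is refused by the photo-listing endpoint
    auth, photos = setup()
    code = auth.authorize(CLIENT_ID, REDIRECT_URI, "photos.upload", "alice", True).split("code=", 1)[1]
    return refused(photos.get_photos, auth.token(CLIENT_ID, CLIENT_SECRET, code, REDIRECT_URI))
```

Calling `authorization_code_flow()` returns the two photos together with `True` for the refused replay; `code_without_secret_is_useless()` and `scope_is_enforced()` both return `True`; `implicit_flow()` returns `True` for the token being in the fragment, plus the same photos. The design choice worth noticing is that in the code flow nothing that crosses the user agent is enough on its own to reach the Resource Server, which is exactly the property the Implicit Flow gives up.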
