What is OAuth 2?
Oauth 2 represents open authorization. Oauth is mainly designed to access a website or application resources on other external applications or websites. This functionality is provided by other applications such as Facebook, Github, Google, etc.
1. History of OAuth
It was created by Twitter, Google, Facebook and it was released as an open-source in 2010 and then it was quickly accepted by many applications and websites. Two years later, Oauth 1 was replaced by Oauth 2 in 2012 and received some additional features. Oauth2 provides authentication flow for web applications and desktop applications and also supports mobile applications. Oauth1.0 is used by some restricted companies such as Twitter, Google, and other companies, and these days the OAuth service is offered by many other companies such as Amazon, Facebook, Instagram, Linked In, Microsoft, Netflix, PayPal. This type of access requires tokens representing the right of access transferred.
2. Principles of Oauth 2.0
- Oauth is an authorization protocol, not a verification process. The main motto is to provide access to a set of resources to other applications, for example, a remote control API or user data.
- The main component of Oauth 2.0 uses the Access Token. Access Token is a small part of data that represents authorization for accessing resources to the other end-user. This token includes additional variations such as a security token and Access Token may have an expiration date.
3. OAuth roles
OAuth defines four roles:
- App Owner: The device owner is who authorized the application to access his account on another device and also the app owner gives permission to access to other users to write and read.
- Client: A client is a program that wants to access a user account. To access resources, clients must have the appropriate Access tokens.
- Authorization server: This server has received requests from the Access Token client. The authorization server displays two conclusions: the first authorized point containing the validated consent and user consent and the second is the token storage area involved in the machine-to-machine interaction.
- Utility: Utility is a resource server that protects the user’s service as well as receives access requests from the client. Receives and verifies access token from the client and returns the specifically requested resources to it.
4. Access Tokens
- Access tokens are used by applications to make API requests in the interests of the user. The access token described the authorization for a specific application to access some parts of the user’s data.
- The access token can only be used through an HTTPS connection as transferring it over a non-encrypted channel so third-party applications can easily access it.
- Access tokens should be kept confidential on the go and in storage. The only groups that should see the app’s own access token, authorization server, and resource server
Access tokens should be kept confidential on the go and in storage. The only groups that should see the app’s own access token, authorization server, and resource server
5. Authorization code
- The authorization code is a simple one temporary code. That authorization code used by the client for the exchange access token. The code is located on the authorization server itself. At that time the user can get information about what the client is requesting, and approves or rejects the request.
- When the user has authorized access to the app, they are redirected back to the app with a temporary code at the URL. An app swaps that code with an access token. At that time an application requests an access token, that request is verified by the client’s privacy and policy, which reduces the risk of the attack. This means that the access token will never be seen by the user, so it is the safest way to transfer the token to the application and also reduce the risk of accessing the token to someone else.
6. How does OAuth work?
This is a common scenario for how OAuth works; can be changed depending on the type of permit.
- An application is requesting authorization to access resources for the user.
- If the user approves the request to access some components, the application receives an authorization grant.
- An application requests an access token from an authorization server (API) by introducing its authentication and authorization grant.
- Once the application ID has been verified and the authorization grant is active, the authorization server (API) issues the application access token. Authorization completed.
- An application requests an application from a resource server (API) and presents a token authentication token.
- When the access token is active, the resource server (API) runs the application in the application.
7. Type of Authorization Grant
There are mainly four steps that cover the acquisition of a permit and an access token. The type of authorization depends on which method type used by the application, and also the types of grant supported by the API.
Here some of the types of grant are listed
- Authorization code grant: authorization server returns authorization code for one client to exchange access tokens.
- Explicit allowance: in this one type of grant flag that the authorized server automatically returns the access token as a parameter to the redirect URL.
- Authorization code with code of proof of exchange: In this case the authorization of the grant is similar to the issuance of the authorization code but also provides additional security measures to protect your account.
- Customer Verification: This type of customer information grant gives the app access to its service account.
- Device Code: Device code type provides access to devices that do not have a browser or have limited input to get access to and access user accounts.