OAuth 101

OAuth, which stands for "Open Authorization," is an open-standard authorization protocol or framework that enables secure authorization of third-party applications or services to access a user's resources without exposing the user's credentials. It is commonly used as a method for users to grant websites or applications access to their information stored on other websites without revealing their passwords.

The OAuth protocol allows users to grant third-party applications limited access to their resources, such as profile data, photos, videos, and other information, hosted on a particular service provider (like Facebook, Google, Twitter, etc.). This access is granted through the issuance of access tokens, which the third-party application can use to access the user's resources on their behalf.

OAuth operates over HTTPS and relies on token-based authentication rather than the sharing of credentials (such as usernames and passwords), which enhances security by reducing the risk of exposing sensitive information. It also allows users to grant or revoke access to their resources at any time, providing greater control over their data.

Examples:

  1. Social Media Login: Users can log in to websites or apps using their existing accounts on platforms like Facebook, Google, or Twitter. OAuth allows these platforms to issue access tokens to the website or app, granting limited access to user information for authentication purposes.
  2. Cloud Storage Integration: Third-party apps can access cloud storage services like Google Drive with OAuth. Users authorize the app to access their storage, and the service issues an access token, enabling the app to interact with the user's files securely.
  3. Payment Processing: E-commerce websites integrate with payment services like PayPal using OAuth. Users authorize transactions on the payment service's platform, and OAuth facilitates secure communication between the website and the payment service, ensuring the transaction is authorized.
  4. Health Data Access: Health-tracking apps integrate with fitness device APIs (like Fitbit) using OAuth. Users grant permission for the app to access their fitness data, and OAuth enables secure data exchange between the app and the fitness device's servers.

OAuth 2.0:

OAuth 2.0 is the current standard for authorization, but some websites still use the legacy version, OAuth 1.0a. OAuth 2.0 was not a direct evolution of OAuth 1.0; it was developed from scratch, so the two versions are quite distinct from each other. Throughout the rest of this article, the term "OAuth" refers exclusively to OAuth 2.0.

How OAuth 2.0 Works?

OAuth 2.0 was originally developed as a way of sharing access to specific data between applications. It operates through a defined set of interactions involving three key parties: the client application, the resource owner, and the OAuth service provider.

OAuth implementations can vary significantly based on the specific requirements and use cases. These variations are referred to as OAuth "flows" or "grant types".

What Are OAuth Grant Types ("OAuth Flows")?

An OAuth grant type dictates the specific sequence of actions within the OAuth process. It defines how a client application interacts with the OAuth service at each stage, including the transmission method for the access token. Grant types are often termed "OAuth flows".

Before a client application can start an OAuth flow, the OAuth service must be configured to support a particular grant type. In the initial authorization request sent to the OAuth service, the client application specifies the chosen grant type.

OAuth Grant Types ("OAuth Flows")

There are several different grant types, each with varying levels of complexity and security considerations. The "authorization code" and "implicit" grant types stand out as the most commonly used in OAuth implementations.

OAuth Scope

In any OAuth grant type, the client application must specify the data it intends to access and the operations it seeks to perform. It accomplishes this through the "scope" parameter in the authorization request sent to the OAuth service.
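To make the pieces above concrete, here is an added worked example (not code from the original article or from any particular OAuth provider) of the client side of the authorization code grant: building the initial authorization request, in which `response_type=code` selects the grant type and the `scope` parameter names the access being asked for, then validating the redirect back to the client, and finally checking a granted scope before an operation is allowed. It goes slightly beyond the text by including a `state` value and a PKCE `code_challenge`, both standard hardening for this flow. The endpoint URL, client id and redirect URI are placeholders, and the callback URLs in the usage section are constructed sample inputs.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholder registration values; a real client gets these from the OAuth service.
AUTHORIZE_ENDPOINT = "https://auth.example.com/oauth2/authorize"
CLIENT_ID = "example-client-id"
REDIRECT_URI = "https://app.example.com/callback"


def make_pkce_pair():
    """Return (code_verifier, code_challenge) per RFC 7636 with the S256 method."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode()).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    return verifier, challenge


def authorization_request_params(scopes, state, code_challenge):
    """Parameters of the initial authorization request for the authorization code grant."""
    return {
        "response_type": "code",            # selects the authorization code grant type
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(scopes),          # space-separated list of requested permissions
        "state": state,                     # unguessable value bound to the user's session
        "code_challenge": code_challenge,   # PKCE: ties the later token request to this client
        "code_challenge_method": "S256",
    }


def build_authorization_request(scopes, state, code_challenge):
    """Full URL the client redirects the resource owner's browser to."""
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(authorization_request_params(scopes, state, code_challenge))}"


def parse_callback(callback_url, expected_state):
    """Validate the redirect back from the OAuth service and return the authorization code.

    Raises ValueError on a provider error, a missing/mismatched state, or a missing code.
    """
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error'][0]}")
    state = query.get("state", [None])[0]
    # Reject any callback whose state does not match the value this session generated.
    if state is None or not secrets.compare_digest(state, expected_state):
        raise ValueError("state mismatch: callback not bound to this session")
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("callback carries no authorization code")
    return code


def token_request_body(code, code_verifier):
    """Body of the back-channel request that exchanges the code for an access token."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,     # must match the value used in the authorization request
        "client_id": CLIENT_ID,
        "code_verifier": code_verifier,   # PKCE proof matching the earlier code_challenge
    }


def scope_allows(granted_scope, required_scope):
    """Resource-server check: is the operation covered by the token's granted scope?"""
    return required_scope in set(granted_scope.split())


if __name__ == "__main__":
    verifier, challenge = make_pkce_pair()
    state = secrets.token_urlsafe(16)
    print("redirect user to:", build_authorization_request(["profile", "files:read"], state, challenge))
    # Constructed sample callback, as the OAuth service would redirect it back to the client.
    sample_callback = f"{REDIRECT_URI}?{urlencode({'code': 'SplxlOBeZQQYbYS6WxSbIA', 'state': state})}"
    code = parse_callback(sample_callback, state)
    print("token request body:", token_request_body(code, verifier))
    print("files:write allowed with scope 'profile files:read'?", scope_allows("profile files:read", "files:write"))
```

The `state` check is what stops a callback crafted for one session from being accepted in another, and the `scope_allows` check is where the "limited access" promised by the scope parameter is actually enforced: a token granted only `profile files:read` must not be honoured for a write.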