What is OAuth 2.0 Authorization Framework

  • Owner can’t revoke access if required as the others who using the credentials may effect.
  • User will have full access to the data
  • Third party must store the password with them to access the resources in future.
  • User name password validation must be implemented on the server

OAuth

OAuth is a protocol that allows a user to grant a third party to access to a user’s protected resources without exposing credentials.

  • decoupling user with resources
  • limit access to the resources, may be not all the folders
  • Expire the token if required so client will not have access
  • Revoke the token if its hacked

HOW

Let’s see how the OAuth flow is happening with Quora.com login.

  • Resource Owner — User who wants to sign up using Quora, that’s me
  • Client Application — This will be Quora
  • Resource Server — This will be Gmail . Hosts the protected user accounts.
  • Authorization Server — verifies the identity of the user then issues access tokens to the application.

OAuth 2 Protocol Flow

  • The client requests authorization from the resource owner.
  • The client receives an authorization grant, to access resource server.
  • Client send the Athorization grant to authorization server to get a access token.
  • The authorization server authenticates the client and validates
    the authorization grant, and issues an access token.
  • The client presents the access token and requests for the protected resources.
  • The resource server validates the access token, and serves the request.

Grant Types in OAuth 2

The OAuth specification describes four grants for acquiring an access token:

  • Authorization code grant
  • Implicit grant
  • Resource owner credentials grant
  • Client credentials grant

OAuth 2 Authorization Code Grant

Authorization code grant type exchanges authorization code for a token. This can be used with regular webpages as the code is hosted on a server and isn’t publicly exposed.

  1. User clicks login button in the client application.
  2. Client will redirect the user to the login and authorization prompt
  3. User authenticates through the auth server UI.
  4. Auth server will send a request back to the given redirect url with code and state parameters.
  5. The client will make another call with code, client is and secret to get the access token
  6. Client will make the final call with the access token to access the protected resource.

OAuth 2 Implicit

This is same like Authorization code grant except Authorization server will issue a access token immediately without issuing a authorization token first.

OAuth 2 Resource owner password credentials

User will provide the user name and password to the client application to communicate with the authorization server and get the token.

OAuth 2 Client credentials

The client credentials (or other forms of client authentication)
be used as an authorization grant.

Let’s Learn some other terms relevant

Vulnerabilities

In the Implicit Grant, the access_token, application wants to maintain the session after the user closes the page, and it will be stored in the session cookie. The problem is server can’t verify the validity of the token.

Other things to note

The OAuth 2.0 protocol is not backward compatible with OAuth 1.0.

Token Types

1. Access tokens are credentials used to access protected resources.
The access token provides an abstraction layer, replacing different
authorization constructs with a single token understood by the resource server. This abstraction enables issuing access tokens more restrictive than the authorization grant used to obtain them, as well as removing the resource server’s need to understand a wide range of authentication methods.

Authentication Token vs Access Tokens

Access tokens are self contained token and hence they should be stored securely and if it go to wrong hands they will have the access with no issues.

Client Registration

The client application must first register with the authorization server associated with the resource server. At registration the client application is assigned a client ID and a client secret (password) by the authorization server. client SHALL provide its client redirection URIs

Endpoints

  1. Authorization endpoint
  • Public clients.
  • Confidential clients utilizing the implicit grant type.

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Nuwan Zen

Nuwan Zen

Sometimes A software Engineer, sometimes a support engineer, sometimes a devops engineer, sometimes a cloud engineer :D That’s how the this life goes!