Let’s deep dive into OAuth2
What problems are we solving?
As developers, we always ask this question before learning anything new: why do we need it, and what problems does it solve? Let's understand this with an example.
There is a third-party application named PostAnalyser. It takes all your posts from LinkedIn and tells you how many people have viewed, liked, commented on or shared them. For that, it needs data from LinkedIn. You should not simply hand your LinkedIn credentials to a third-party application: with your credentials, it could do anything on your behalf. OAuth2 solves this kind of problem.
What is OAuth2?
Okay, now we understand the problem, but what is OAuth2? Is it a piece of software, a library or a framework? None of them. It is not code you drop into your application so that everything starts working automatically. It is a standard (a specification), and many products in the industry are built on it. Think of it as an interface, a protocol or a standard.
Note: Before going further, let's define some terms that we will be using throughout.
Terminologies:
- Resource Owner: the end user who owns the protected data.
- Client: the third-party application that wants to access a protected resource on behalf of the Resource Owner (PostAnalyser in our example).
- Auth Server: the server that authenticates the Resource Owner and issues access tokens once the Resource Owner has granted authorization.
- Resource Server: the server that hosts the protected resources (LinkedIn, which holds the posts, in our example).
OAuth2 sample flow:
Let's take our PostAnalyser app as an example. It wants to fetch data from LinkedIn, so the PostAnalyser team talks to LinkedIn and registers PostAnalyser as a client, so that users can authenticate via LinkedIn's server. Now, when we try to log in to PostAnalyser, it redirects us to LinkedIn's server, where we give LinkedIn our consent to authorize PostAnalyser to access our posts data only. Tokens are used to share the data instead of credentials, so the rest of our data stays safe.
Advantages of OAuth2:
- It enables single sign-on (SSO). The advantage of SSO is that we can have one set of login credentials for multiple applications.
For example, a banking domain contains multiple applications such as a loan service, a credit card service, net banking, etc. Having a separate username and password for each is a real pain: users find it hard to remember all the credentials, so they end up resetting passwords again and again. Single sign-on solves this problem to some extent: for all bank-related services, we can have just one set of login credentials.
- It relies on SSL/TLS to keep the data exchanged between web servers and browsers private.
- It uses tokens to grant limited access to the user's data instead of simply passing the user's credentials around.
Architecture:
With the help of the diagram above, we can understand how the OAuth flow works:
- A user wants to give a third-party application (the Client) access to some of their resources.
- The client application redirects them to the auth server to prove their identity, by sending them to the auth server's authorize endpoint.
- The user proves their identity to the auth server (for example, via a login UI where they fill in their credentials).
- The auth server shares an authorization code with the client.
- The client application then calls the token endpoint of the auth server with the authorization code.
- Once the client application receives the access token, it can start accessing resources from the resource server.
Note: In some cases, the auth server and the resource server can be the same.
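The redirect, code and token exchange described in the steps above, as an added example that is not from the original post: a self-contained Python simulation of a toy auth server and a PostAnalyser-style client, with constructed endpoint names and client credentials. It shows the checks a real implementation needs at each step: the client binds the callback to a `state` value, the auth server only redirects to the registered `redirect_uri`, and a code can be redeemed exactly once, by the client it was issued to, before it expires.

```python
import secrets
import time
from urllib.parse import urlencode, urlparse, parse_qs

AUTHORIZE_URL = "https://auth.example/authorize"  # assumed endpoint, not a real server

class AuthServer:  # toy auth server: registers clients, issues one-time codes, exchanges them for tokens
    def __init__(self):
        self.clients = {}  # client_id -> (client_secret, registered redirect_uri)
        self.codes = {}    # code -> (client_id, redirect_uri, scope, expiry)

    def register_client(self, client_id, client_secret, redirect_uri):
        self.clients[client_id] = (client_secret, redirect_uri)

    def authorize(self, client_id, redirect_uri, scope, state):
        """Called after the user consents in the browser; redirect back with a short-lived code."""
        if redirect_uri != self.clients[client_id][1]:  # only ever redirect to the registered URI
            raise ValueError("redirect_uri mismatch")
        code = secrets.token_urlsafe(32)
        self.codes[code] = (client_id, redirect_uri, scope, time.time() + 60)
        return f"{redirect_uri}?{urlencode({'code': code, 'state': state})}"

    def token(self, client_id, client_secret, code, redirect_uri):
        """Token endpoint: authenticate the client, then redeem the code exactly once."""
        secret = self.clients.get(client_id, (None, None))[0]
        if secret is None or not secrets.compare_digest(secret, client_secret):
            raise PermissionError("invalid_client")
        entry = self.codes.pop(code, None)  # pop => a replayed code is rejected
        if entry is None or entry[:2] != (client_id, redirect_uri) or entry[3] < time.time():
            raise PermissionError("invalid_grant")
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "expires_in": 3600, "scope": entry[2]}

class Client:  # PostAnalyser-style client: builds the authorize request, checks the callback, exchanges the code
    def __init__(self, server, client_id, client_secret, redirect_uri):
        self.server, self.client_id = server, client_id
        self.client_secret, self.redirect_uri = client_secret, redirect_uri
        self.pending_state = None

    def authorize_url(self, scope):
        self.pending_state = secrets.token_urlsafe(16)  # ties the callback to this login attempt
        return AUTHORIZE_URL + "?" + urlencode({"response_type": "code", "client_id": self.client_id,
            "redirect_uri": self.redirect_uri, "scope": scope, "state": self.pending_state})

    def handle_callback(self, callback_url):
        qs = parse_qs(urlparse(callback_url).query)
        if qs.get("state", [None])[0] != self.pending_state:  # reject forged or stale callbacks
            raise PermissionError("state mismatch")
        self.pending_state = None
        return self.server.token(self.client_id, self.client_secret, qs["code"][0], self.redirect_uri)
```

In a real deployment the `authorize` call happens in the user's browser against LinkedIn's server and `token` is an HTTPS POST from the client's backend, but the checks are the same.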
Flows:
There are some popular flows (grant types) for implementing OAuth 2.0 in your application:
- Authorization code grant flow
- Client credentials flow
- Password grant type flow
- Implicit flow
- Refresh token flow
Note: In the next article, we will learn how to implement this in your application.
Thank you, and happy reading.