OAuth 2.0

An Introduction

Divya Amunugama
3 min read · Apr 24, 2021

What is OAuth 2.0?

When you try to sign into a new application/website, you are provided with options as follows:

  • Provide user details (Name, password, email ID, etc.)
  • Sign in using Google, Facebook, or Twitter.

The second option is OAuth 2.0 at work (strictly speaking, a "Sign in with Google" button uses OpenID Connect, which layers identity on top of OAuth 2.0; the delegated-access machinery underneath is OAuth 2.0). So OAuth 2.0 is something most of us use daily when creating new accounts.

But we are mostly unaware that we are using it. The figure below shows the front end of a third-party web application offering users an OAuth 2.0 based sign-up.

A third party application requesting the user to signup

In technical terms, OAuth 2.0 specifies a process for resource owners/users to authorize 3rd party access to their server resources without sharing their credentials.

In plainer terms: you (the user) allow a 3rd party application (let us assume it is a property selling website/application) to access, on your behalf, some of your data held by a server you already have an account with (like Facebook/Google), and you do so without handing that application your Facebook/Google password.

In the following sections, let us learn about the underlying concepts and technologies of OAuth 2.0.

Entities of OAuth

  • Resource Owner: The User
    Example: John / Yourself
  • Client: The third-party application
    Example: www.property.lk
  • Authorization Server: The server authorizing the client app to access the resources of the resource owner.
    Example: the Facebook authorization server
  • Resource Server: The API where the secured information of the resource owner is stored.
    Example: Facebook Resource server

How does OAuth work?

Even though OAuth 2.0 makes our day-to-day internet surfing easier, its workflow has a considerable number of steps.

The diagram below shows the workflow of OAuth 2.0.

OAuth 2.0 Workflow

Tokens used in OAuth 2.0

In the diagram above, there is a mention of two tokens.

Let us look at what these tokens are and what they do.

1. Access Token (Shown in Blue)
The access token is what the 3rd party application presents to the resource server to read the resource owner's information. It is short-lived: it has a validity period and the resource server must reject it once that period has elapsed.

2. Refresh Token (Shown in Red)
The refresh token is sent by the 3rd party application to the authorization server (not the resource server) to obtain a new access token once the old one has expired, without sending the user through the login screen again. In the rotating scheme shown here it is a one-time-use token: each refresh consumes the old refresh token and the token response carries a new one. A refresh token that is presented a second time is a sign that it has been copied, and the authorization server should then revoke the whole grant.

OAuth 2.0 Tokens

Token Revocation

The term “Token Revocation” comes into use when the resource owner no longer wants the 3rd party application to access their resources. The access token and refresh token are invalidated/revoked in such cases. Once the tokens are revoked, the authorization server no longer honours them and discards the information it kept about that authorization. A client can also revoke its own tokens by posting them to the authorization server's revocation endpoint (RFC 7009); revoking a refresh token should also invalidate the access tokens issued alongside it.

If the same example as above is used,
let's assume that John no longer wants www.property.lk to access his email address from the Facebook server. John takes the necessary action to stop www.property.lk from accessing his information on the Facebook server (shown in the diagram below). In a scenario like this, Token Revocation happens.
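The workflow, the two tokens and the revocation step described above, worked through in one runnable example. This is added code, not from the original post: a toy authorization server, resource server and client living in a single Python process, following the authorization code grant with PKCE (RFC 6749 / RFC 7636), refresh-token rotation with reuse detection, and revocation (RFC 7009). The class names, the www.property.lk client registration, the fake clock and John's profile are all assumptions made for illustration; nothing here talks to a real Facebook or Google API.

```python
"""Toy OAuth 2.0 authorization server, resource server and client in one process.
Added example, not from the original post. Names, the www.property.lk registration
and John's profile are constructed; no real Facebook/Google API is contacted."""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


def b64url(raw: bytes) -> str:
    """Base64url without padding, the encoding PKCE uses."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def pkce_challenge(verifier: str) -> str:
    """S256 code_challenge for a code_verifier (RFC 7636 section 4.2)."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    def __init__(self, clock, access_ttl=3600):
        self.clock, self.access_ttl = clock, access_ttl
        self.clients = {}           # client_id -> registered redirect_uri
        self.codes = {}             # one-time authorization codes
        self.access = {}            # access token -> (user, scope, expires_at, family)
        self.refresh = {}           # live refresh token -> (user, scope, family)
        self.consumed = {}          # rotated-away refresh token -> family
        self.dead_families = set()  # token families killed by revocation or reuse

    def authorize(self, query, user):
        """Front channel: user has logged in and consented; return the redirect URL."""
        if self.clients.get(query["client_id"]) != query["redirect_uri"]:
            raise PermissionError("unregistered client or redirect_uri")
        code = secrets.token_urlsafe(24)
        self.codes[code] = {**query, "user": user}
        return query["redirect_uri"] + "?" + urlencode({"code": code, "state": query["state"]})

    def _issue(self, user, scope, family):
        at, rt = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.access[at] = (user, scope, self.clock() + self.access_ttl, family)
        self.refresh[rt] = (user, scope, family)
        return {"access_token": at, "token_type": "Bearer",
                "expires_in": self.access_ttl, "refresh_token": rt}

    def token(self, form):
        """Back channel: code exchange or refresh. PermissionError means invalid_grant."""
        if form["grant_type"] == "authorization_code":
            pending = self.codes.pop(form.get("code"), None)  # codes are single use
            if not pending or pending["client_id"] != form["client_id"] \
                    or pending["redirect_uri"] != form["redirect_uri"]:
                raise PermissionError("invalid_grant")
            if not secrets.compare_digest(pkce_challenge(form["code_verifier"]),
                                          pending["code_challenge"]):
                raise PermissionError("invalid_grant: PKCE verifier mismatch")
            return self._issue(pending["user"], pending["scope"], secrets.token_hex(8))
        if form["grant_type"] == "refresh_token":
            rt = form["refresh_token"]
            if rt in self.consumed:  # replay of a rotated token: assume theft, kill family
                self.dead_families.add(self.consumed[rt])
                raise PermissionError("invalid_grant: refresh token reuse")
            if rt not in self.refresh or self.refresh[rt][2] in self.dead_families:
                raise PermissionError("invalid_grant")
            user, scope, family = self.refresh.pop(rt)
            self.consumed[rt] = family
            return self._issue(user, scope, family)  # rotation: new pair, old one retired
        raise ValueError("unsupported_grant_type")

    def revoke(self, token):
        """RFC 7009 revocation endpoint: either token kind kills its whole family."""
        family = self.access.get(token, (None,) * 4)[3] or self.refresh.get(token, (None,) * 3)[2]
        if family:
            self.dead_families.add(family)

    def validate(self, access_token):
        """What the resource server asks: whose token is this, if it is still good?"""
        entry = self.access.get(access_token)
        if not entry or entry[2] <= self.clock() or entry[3] in self.dead_families:
            return None
        return {"user": entry[0], "scope": entry[1]}


def get_email(auth, profiles, bearer_token):
    """Resource server: hand out the email only to a valid, in-scope bearer token."""
    info = auth.validate(bearer_token)
    if info is None or "email" not in info["scope"].split():
        return None
    return profiles[info["user"]]["email"]


def run_flow():
    """Drive the whole lifecycle as www.property.lk would; return what each step saw."""
    clock = {"t": 1_000_000.0}  # fake clock so expiry is deterministic
    auth = AuthorizationServer(clock=lambda: clock["t"], access_ttl=3600)
    profiles = {"john": {"email": "john@example.com"}}  # constructed sample data
    client_id, redirect_uri = "www.property.lk", "https://www.property.lk/callback"
    auth.clients[client_id] = redirect_uri
    # 1. Client builds the authorization request: state binds the callback to this
    #    browser session (CSRF defence); PKCE binds the code to this client instance.
    verifier, state = b64url(secrets.token_bytes(32)), secrets.token_urlsafe(16)
    request = dict(response_type="code", client_id=client_id, redirect_uri=redirect_uri,
                   scope="email", state=state, code_challenge=pkce_challenge(verifier),
                   code_challenge_method="S256")
    # 2. John logs in at the authorization server and consents; it redirects back.
    callback = parse_qs(urlparse(auth.authorize(request, user="john")).query)
    if callback["state"][0] != state:
        raise PermissionError("state mismatch: not a callback for our request")
    # 3. Client exchanges code + verifier for tokens on the back channel.
    tokens = auth.token(dict(grant_type="authorization_code", code=callback["code"][0],
                             client_id=client_id, redirect_uri=redirect_uri,
                             code_verifier=verifier))
    seen = {"fresh": get_email(auth, profiles, tokens["access_token"])}
    # 4. Access token expires; the refresh token buys a new pair and is retired.
    clock["t"] += 3601
    seen["expired"] = get_email(auth, profiles, tokens["access_token"])
    tokens2 = auth.token(dict(grant_type="refresh_token", refresh_token=tokens["refresh_token"]))
    seen["after_refresh"] = get_email(auth, profiles, tokens2["access_token"])
    # 5. John removes the app in his account settings: the whole family is revoked.
    auth.revoke(tokens2["refresh_token"])
    seen["after_revoke"] = get_email(auth, profiles, tokens2["access_token"])
    for name, rt in (("refresh_after_revoke", tokens2["refresh_token"]),
                     ("replay_of_old_refresh", tokens["refresh_token"])):
        try:
            auth.token(dict(grant_type="refresh_token", refresh_token=rt))
            seen[name] = "accepted"
        except PermissionError as exc:
            seen[name] = str(exc)
    return seen


if __name__ == "__main__":
    for step, outcome in run_flow().items():
        print(f"{step:>22}: {outcome}")
```

Running it prints the outcome of each step: the fresh access token returns John's email, the same token is refused after the fake clock passes its expiry, the rotated pair works again, and after revocation both the new refresh token and a replayed copy of the old one are rejected. The reuse check in the refresh branch is the part real deployments most often skip; with it, a stolen refresh token that is replayed after the legitimate client has already rotated it burns the whole family rather than silently minting a second live session.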

The End

These are the basic theoretical concepts running behind OAuth 2.0.


Divya Amunugama

Minimalist travel blogger | Technical Writer | Lecturer