OAuth 2.0 (Open Authorization) is a framework for delegated access: a resource owner grants one application limited access to data held by another service, without handing that application the owner's credentials.
It is token based. The client application obtains an authorization code from the authorization server and exchanges it for an access token; that token, not the owner's password, is what the client presents to the resource server, and it only covers the data the owner agreed to share. The client can reuse the token for repeated requests for as long as it is valid.
An access token is normally given a short lifetime, and the client uses a refresh token to obtain a new one once it expires. Expiry does not stop a stolen token from being used, but it limits the window in which a leaked token is useful, which is what makes short lifetimes a security gain.
Authentication and authorization are often used interchangeably, but they are different things. Authentication establishes who the user is: that the account exists and that the person presenting it has proven they own it. Authorization decides what that identity is allowed to do, for example which resources an application may read on the user's behalf. OAuth 2.0 is an authorization protocol; by itself it does not tell the client who the user is.
SSO against Active Directory illustrates the split: the directory authenticates the user once, and whether that user may then open a given application is a separate authorization decision.
Why Oauth 2.0?
- OAuth gives a client application limited access to a user's data without the user sharing credentials with it, and without the client having to run its own password-based login for that data. If the client is authorized, it may read exactly the data the user consented to and nothing more, which keeps the integration simple.
It is used widely today. When you sign up for a newly installed application or a website, it often offers sign-in with Google, Facebook, or Twitter. When you pick one and approve the request, you are authorizing that provider to share profile data such as your name and email address with the application, which then treats you as a recognized user and lets you in. The consent and the data sharing are done with OAuth; the sign-in step itself is usually OpenID Connect, an identity layer built on top of OAuth 2.0.
Registration with the authorization server
The client application must first register with the authorization server that fronts the resource server. This is a one-time, mandatory step, after which the authorization server issues a client ID and a client secret. The client ID is a public identifier; the client secret must be kept confidential (stored only on the client's backend, never in a browser or mobile app), because the two together prove the client's identity when it requests tokens.
You can register with any provider that runs an authorization server, such as Google Cloud or GitHub.
Registration itself is typically free; some providers impose request quotas or require a paid plan beyond a free tier, so check the provider's terms before relying on it in production.
Generation of authorization code
In the authorization code grant, the client first obtains an authorization code and then exchanges it for an access token.
The client redirects the user's browser (a GET request, not a POST) to the authorization server's authorization endpoint. The authorization server asks the resource owner to authenticate and to approve the access the application is requesting. Once the owner has done both, the authorization server redirects the browser back to the client with an authorization code, which the client then exchanges for a token.
A request to Google's authorization endpoint carries the following query parameters:
- scope – Limits what the token will be allowed to do; the values are defined by the provider (for example a read-only scope versus a read/write scope). Request only what the application needs.
- response_type – Mandatory; set to code for the authorization code grant.
- redirect_uri – Where the browser is sent, carrying the code, after authorization. It must exactly match a URI registered for the client; otherwise the server should refuse the request.
- client_id – Mandatory; the identifier issued by the authorization server at registration.
Getting access token and refresh token using authorization code
An access token is issued for specific data. If a token grants access to employee data, it does not grant access to department or accounts data. Within that scope the client can send the request as many times as it likes until the token's lifetime runs out. Because access tokens are time-limited, the client then uses the refresh token to obtain a new access token rather than sending the user through authorization again.
- code – The authorization code received in the previous step.
- client_id – Mandatory; issued by the authorization server at registration.
- client_secret – Mandatory; issued by the authorization server at registration.
- redirect_uri – The same redirect URI used in the authorization request; the server checks that the two match.
- grant_type – authorization_code, naming the grant under which the token is requested.
A new access token is obtained with grant_type set to refresh_token, as in the request below (client_id and client_secret are sent as well):
grant_type = "refresh_token"
refresh_token = "jfoedf4548"
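The complete exchange described in the sections above, as an added example that is not from the original page or from any provider's SDK: a toy in-memory authorization server (registration, authorization endpoint, token endpoint with the authorization_code and refresh_token grants) and the client side that builds the authorization request and handles the callback. Everything named here is hypothetical: the endpoint https://auth.example/authorize, the client's redirect URI https://client.example/callback, the owner "alice", and the scope names employee.read and department.read (chosen to mirror the employee/department example above). The state parameter is not in the page's parameter list; it is the standard OAuth 2.0 defence against forged callbacks and is included for that reason. The server also enforces the checks a real one must: exact redirect_uri match, single-use and short-lived codes, client_secret verification, refresh-token rotation, and scope and expiry checks when a token is presented.

```python
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

AUTH_ENDPOINT = "https://auth.example/authorize"   # hypothetical; a real provider publishes its own

class AuthorizationServer:   # toy in-memory server, just enough to show the protocol's checks

    def __init__(self, access_ttl=3600):
        self.access_ttl = access_ttl
        self.clients = {}   # client_id -> (client_secret, registered redirect_uri)
        self.codes = {}     # authorization code -> the grant it stands for (single use)
        self.access = {}    # access_token -> {scope, owner, expires_at}
        self.refresh = {}   # refresh_token -> {client_id, scope, owner}

    def register(self, redirect_uri):
        """One-time registration: the client receives a client_id and a client_secret."""
        client_id, client_secret = secrets.token_urlsafe(16), secrets.token_urlsafe(32)
        self.clients[client_id] = (client_secret, redirect_uri)
        return client_id, client_secret

    def authorize(self, params, owner):
        """Authorization endpoint, reached after the owner logged in and consented; returns the callback URL."""
        _, registered_uri = self.clients[params["client_id"]]
        if params.get("response_type") != "code":
            raise ValueError("unsupported_response_type")
        if params["redirect_uri"] != registered_uri:   # exact match, or codes leak via open redirects
            raise ValueError("invalid redirect_uri")
        code = secrets.token_urlsafe(24)
        self.codes[code] = {"client_id": params["client_id"], "redirect_uri": registered_uri,
                            "scope": params["scope"], "owner": owner, "expires_at": time.time() + 600}
        # state is echoed back unchanged so the client can tie the callback to its own request
        return registered_uri + "?" + urlencode({"code": code, "state": params["state"]})

    def token(self, form):
        secret, _ = self.clients.get(form.get("client_id"), (None, None))
        if secret is None or not hmac.compare_digest(secret, form.get("client_secret", "")):
            raise PermissionError("invalid_client")
        if form["grant_type"] == "authorization_code":
            grant = self.codes.pop(form.get("code"), None)   # pop: a code can be redeemed once
            if (grant is None or grant["client_id"] != form["client_id"]
                    or grant["redirect_uri"] != form.get("redirect_uri")
                    or grant["expires_at"] < time.time()):
                raise PermissionError("invalid_grant")
        elif form["grant_type"] == "refresh_token":
            grant = self.refresh.pop(form.get("refresh_token"), None)   # rotate on every use
            if grant is None or grant["client_id"] != form["client_id"]:
                raise PermissionError("invalid_grant")
        else:
            raise ValueError("unsupported_grant_type")
        return self._issue(form["client_id"], grant["scope"], grant["owner"])

    def _issue(self, client_id, scope, owner):
        access_token, refresh_token = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.access[access_token] = {"scope": scope, "owner": owner,
                                     "expires_at": time.time() + self.access_ttl}
        self.refresh[refresh_token] = {"client_id": client_id, "scope": scope, "owner": owner}
        return {"access_token": access_token, "token_type": "Bearer",
                "expires_in": self.access_ttl, "refresh_token": refresh_token}

    def introspect(self, access_token, required_scope, now=None):
        """Resource-server check: token known, unexpired, scope covers the resource. Owner or None."""
        info = self.access.get(access_token)
        if info is None or info["expires_at"] < (now or time.time()):
            return None
        return info["owner"] if required_scope in info["scope"].split() else None

def build_authorization_url(client_id, redirect_uri, scope):
    """Client side: the URL the owner's browser is sent to; state is kept in the client session."""
    state = secrets.token_urlsafe(16)
    query = {"client_id": client_id, "redirect_uri": redirect_uri,
             "response_type": "code", "scope": scope, "state": state}
    return AUTH_ENDPOINT + "?" + urlencode(query), state

def parse_callback(callback_url, expected_state):
    """Client side: accept the code only if state matches; otherwise the callback may be forged."""
    q = {k: v[0] for k, v in parse_qs(urlsplit(callback_url).query).items()}
    if not hmac.compare_digest(q.get("state", ""), expected_state):
        raise PermissionError("state mismatch")
    return q["code"]

def run_flow(scope="employee.read"):
    srv = AuthorizationServer(access_ttl=3600)
    redirect_uri = "https://client.example/callback"   # constructed sample client URL
    client_id, client_secret = srv.register(redirect_uri)
    url, state = build_authorization_url(client_id, redirect_uri, scope)
    request = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    code = parse_callback(srv.authorize(request, owner="alice"), state)   # owner consents
    creds = {"client_id": client_id, "client_secret": client_secret}
    code_grant = {"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri, **creds}
    first = srv.token(code_grant)
    try:                                   # replaying an already-redeemed code must fail
        srv.token(code_grant)
        replay_rejected = False
    except PermissionError:
        replay_rejected = True
    second = srv.token({"grant_type": "refresh_token", "refresh_token": first["refresh_token"], **creds})
    return {"server": srv, "first": first, "second": second, "replay_rejected": replay_rejected}
```

run_flow() walks one user through the whole flow; introspect() stands in for the resource server's check and returns None when the token is unknown, expired, or lacks the required scope, so the same token that is accepted for employee.read is refused for department.read.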
Some Oauth service providers: