1. OAuth (Open Authentication) 2.0 is an authorization framework.
2. It provides authorization flows for various apps, IoT devices, and mobile devices.
3. An authentication protocol.
4. Two different applications or platforms can talk without sharing passwords and other confidential data, providing only limited access.
For example, you have a bank account. You need some cash, but the nearby ATMs are not working, and you cannot go to the bank yourself for personal reasons. You write a cheque and ask your friend to go to the bank. In effect, you delegate some rights to your friend to get the cash. The friend goes to the bank, gets the cheque encashed, comes back to you, and hands you the cash. Throughout this process you never share your password, PIN, or other confidential data. Your friend sees only limited information (name, signature, account number, etc.).
Let's understand how it works in our software world.
For example, you enter the user id and password to log in to your social media account. This is a straightforward process. Whenever you want to use the account, just enter your credentials.
There is a third-party app, techntoast, that you want to use, but the app requires your name, email id, and other basic information. It is a very long form that you don't want to fill out. You see one more option: sign up for techntoast indirectly, via your social media account. In this scenario, you select that option and give your permission for an access token to be issued to techntoast. The social media account contains your user id, password, and other important information, but only limited details are shared with the third-party app. The social media company never shares your password; it shares only your name, email id, and enough other information to establish that you are the same user who is going to use techntoast.
OAuth uses an authorization server to give an access token to third-party clients.
Let's make it clearer. For example, a third-party app wants to access your details, which is possible via an API. But that third-party app could be a hacker or a malicious application. It is very important to authorize only genuine apps to use your information, and that is where the "Authorization Server" comes into the picture: it is responsible for protecting the data. The server generates an access token, which is given to the third-party app to access your data. It is issued only when you give your permission.
Please ensure that the third-party app uses SSL (Secure Sockets Layer), which protects your information and the access token in transit. If you look at the major sites like Microsoft, Facebook, Google, Twitter, LinkedIn, etc., all of them have SSL certificates. OAuth 2.0 relies on SSL (Secure Sockets Layer).
====================
Let's understand this in the form of a conversation -
There are three characters in this conversation - Neeraj, Techntoast, and Social Media Account or SMA.
Neeraj says, "Hello, Techntoast, I want to use your site".
Techntoast says, "Sure, Neeraj. You can use me via SMA. Please select the desired option."
SMA says, "Hello, Neeraj, techntoast wants to use your data that is stored in our server".
Neeraj says, "Hey, SMA, I want to allow techntoast to access my SMA information, but I don't want to share my password and other confidential data".
SMA says, "Don't worry, Neeraj. My authorization server will provide only limited information like your name, email id, and other publicly available data."
SMA says again, "Neeraj, do you want to allow the server to issue an access token to Techntoast?"
Neeraj says, "Yes, please go ahead".
SMA says, "Hello, Techntoast, this is your access token. You can access Neeraj's data."
SMA says, "Hello, Neeraj, I am sorry to disturb you again. I just want to say that Techntoast can use your data until you revoke the permission."
Neeraj says, "OK, I understand this."
====================
OAuth uses APIs to complete its operations. The resource server (which manages and protects your data) is the Application Programming Interface server. The authorization server can also run as part of the same API server. But in a big and complex environment, we build a separate authorization server.
====================
Let's see how it works between a server and a client (an app).
1. An authorization request looks like this -
https://server.com/oauth2/authorize?response_type=code&client_id={client_id}&redirect_uri={redirect-uri}&scope=read&state=1234abc
https://server.com/oauth2/authorize - The Authorization Endpoint.
response_type - It says that your application wants to receive an authorization code.
client_id - The client id (4653842397506098) of your application. This is the id that you receive when you create and register your application.
redirect_uri - It is set to the URL (https://app.com/callback, URL-encoded when placed in the query string) where you are redirected after completing the authorization request.
scope - It describes the level of access (read).
state - A random string. The same value should be returned after authorizing the app.
====================
2. When you authorize the app -
You log in to your account to authenticate your identity. Then, you allow the app to access your data (basic information). You are redirected with an authorization code:
https://app.com/redirect?code=AUTHORIZATION_CODE&state=1234abc
code - The authorization server returns the authorization code (weN679hgER3498VBNMH8907).
state - The same value that was sent in the authorization request.
====================
3. Token Exchange - The authorization code is exchanged for an access token.
An access token is requested from the API. The authorization code, the client secret, and other important details are passed to the API token endpoint.
POST request:
https://server.com/oauth2.0/token?grant_type=authorization_code&code=AUTHORIZATION_CODE&redirect_uri={redirect-uri}&client_id={client_id}&client_secret={client_secret}
grant_type=authorization_code - The grant type is authorization_code.
code - The authorization code received in step 2.
redirect_uri - The same redirect URI that was included in the original authorization request.
client_id - The application's client ID.
client_secret - The client secret, a secret shared only between the application and the authorization server.
====================
4. After verifying all the parameters, the API sends the access token to the application.
{"access_token":"FBVINVFIF689548JNFV974","token_type":"bearer","expires_in":3600,"refresh_token":"VBHFFFBBD63468KV87","scope":"read"}
access_token - It is issued by the authorization server.
token_type - "bearer" means "please grant access to whoever bears this token". Anyone presenting the token can access the API, which is why it must be kept confidential.
expires_in - The access token expires in 3600 seconds.
refresh_token - This is optional. When the access token expires, the refresh token is used to obtain a new access token without asking the user again.
scope - The level of access that was granted (read).
Now, this access token can be used for API requests.
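The four steps above, walked through end to end in a single runnable script. This is an added example, not code from the original post: the authorization server is simulated in-process by a small MockAuthServer class so that it runs offline, and the endpoint URLs, client secret, and issued token values are constructed for illustration (the client id and redirect URI reuse the values from the post). Beyond what the post shows, the client checks that the returned state matches the one it sent, the mock server only redirects to the redirect_uri registered for the client, and each authorization code is accepted once.

```python
"""OAuth 2.0 authorization-code flow, client side plus an in-process mock server.

Added example (not the original post's code). Endpoints, secret and token
values are constructed placeholders.
"""
import json
import secrets
import urllib.parse

AUTHORIZE_ENDPOINT = "https://server.com/oauth2/authorize"  # constructed
TOKEN_ENDPOINT = "https://server.com/oauth2.0/token"        # constructed
CLIENT_ID = "4653842397506098"            # client id used in the post
CLIENT_SECRET = "example-client-secret"   # constructed placeholder
REDIRECT_URI = "https://app.com/redirect"  # redirect URI from step 2


def build_authorize_url(client_id, redirect_uri, scope, state):
    """Step 1: the URL the user's browser is sent to (urlencode handles escaping)."""
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": scope, "state": state}
    return AUTHORIZE_ENDPOINT + "?" + urllib.parse.urlencode(params)


def parse_callback(redirect_url, expected_state):
    """Step 2: pull the code out of the redirect; refuse it if state does not match."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(redirect_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: this callback is not a reply to our request")
    return query["code"][0]


def token_request_body(code):
    """Step 3: form-encoded POST body. The client secret travels in the body, not the URL."""
    return urllib.parse.urlencode({
        "grant_type": "authorization_code", "code": code,
        "redirect_uri": REDIRECT_URI, "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET})


def bearer_header(token_response):
    """Use the issued token on API requests (token_type 'bearer')."""
    return {"Authorization": "Bearer " + token_response["access_token"]}


class MockAuthServer:
    """Constructed stand-in for the authorization and token endpoints."""

    def __init__(self):
        self.registered = {CLIENT_ID: REDIRECT_URI}  # set at app registration
        self._codes = {}  # pending code -> (client_id, redirect_uri, scope)

    def authorize(self, url):
        """User logs in and approves; returns the redirect URL with code and state."""
        q = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
        client_id, redirect_uri = q["client_id"][0], q["redirect_uri"][0]
        if self.registered.get(client_id) != redirect_uri:
            raise ValueError("redirect_uri is not the one registered for this client")
        code = secrets.token_urlsafe(16)
        self._codes[code] = (client_id, redirect_uri, q["scope"][0])
        return redirect_uri + "?" + urllib.parse.urlencode(
            {"code": code, "state": q["state"][0]})

    def token(self, form_body):
        """Step 4: verify every parameter, then issue the token JSON."""
        f = urllib.parse.parse_qs(form_body)
        issued = self._codes.pop(f.get("code", [None])[0], None)  # single use
        if f.get("grant_type") != ["authorization_code"] or issued is None:
            return json.dumps({"error": "invalid_grant"})
        client_id, redirect_uri, scope = issued
        if (f.get("client_id") != [client_id] or f.get("redirect_uri") != [redirect_uri]
                or f.get("client_secret") != [CLIENT_SECRET]):
            return json.dumps({"error": "invalid_client"})
        return json.dumps({"access_token": secrets.token_urlsafe(24),
                           "token_type": "bearer", "expires_in": 3600,
                           "refresh_token": secrets.token_urlsafe(24),
                           "scope": scope})


def run_flow(server, scope="read"):
    """Drive steps 1-4 and return the parsed token response."""
    state = secrets.token_urlsafe(16)  # fresh, unguessable per request
    callback_url = server.authorize(build_authorize_url(CLIENT_ID, REDIRECT_URI, scope, state))
    code = parse_callback(callback_url, state)
    return json.loads(server.token(token_request_body(code)))


if __name__ == "__main__":
    token = run_flow(MockAuthServer())
    print(json.dumps(token, indent=2))
    print(bearer_header(token))
```

The mock keeps the authorization code as a one-time value and ties it to the client and redirect URI that started the request, so a code replayed by a second party or presented with the wrong secret is rejected with invalid_grant or invalid_client rather than turned into a token.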