My first interaction with OAuth was about 10 years ago, while I was doing some research on social media data mining during the social media frenzy. I was impressed with how OAuth was designed to let Facebook users authorize sharing their profile and other information, like their posts and friends, with any third-party app without giving out anything beyond what the user had explicitly authorized. It is a really clever design.
Over the years I have learned how OAuth has been standardized and extended beyond its original usage, for example through OpenID, so that it can provide authentication to different apps in the form of social logins. I have also been involved in projects that use OAuth to provide Single Sign On for multiple applications within a large organization. It is beautiful that an enterprise user does not need to create and maintain multiple accounts, one for each application they use in their daily work. OAuth, by design, keeps a single source of login credentials for each user while allowing different authentication and authorization decisions for different application systems.
Another impressive development is how OAuth has abstracted away the need for each application to build its own authentication and authorization, and has grown into a new software development pattern called Identity as a Service. Identity as a Service provides cloud-based identity management off the shelf, so that a new application does not need to invest time and effort in creating its own authentication system. It greatly reduces the time to market for a new app, which is critical for startups, and its flexible pricing models, such as pay-as-you-go, let a startup avoid the large initial investment otherwise needed to get an app running by delegating its authentication features to an identity cloud service provider.
On the other hand, precisely because OAuth is so flexible and has been developed and used for so many different scenarios, the online literature around OAuth is very confusing: full of different terminologies and sometimes partial or erroneous information. The learning curve for OAuth is steep compared to other engineering topics. I have often been frustrated by this myself, and decided to write a few articles and organize them into a tight series around OAuth, using the simplest concepts possible and a few running examples to lower the initial hurdles for newcomers to OAuth. The series will include the following articles:
Setting up the Implicit Grant workflow in AWS Cognito, step by step: step-by-step setup of the Implicit Grant workflow on AWS Cognito, the simplest way to start using an AWS Cognito User Pool; how to use example.com to test it out; how to use the access token to retrieve other information; how the callback URL is checked for security reasons.
User authentication through the Authorization Code grant type using AWS Cognito: how the Authorization Code grant type works differently from the Implicit grant type; why Authorization Code is better than Implicit Grant; which endpoints we need to support the Authorization Code grant type.
AWS Lambda function for the Authorization Code grant type using AWS Cognito: sample code exchanging the code for a token; a video showing how it works with the web app; a GitHub repo with a Lambda function that supports the Authorization Code grant.
How to integrate Cognito for iOS/macOS: how to set up the callback URL from Article 1 for iOS/macOS apps; sample code walkthrough of the OAuth call and URL parsing; video of a running app on both iOS and macOS; why we need the Authorization Code grant type instead of Implicit Grant.
How to integrate Cognito for an Angular web app: how to set up the callback URL from Article 1 for web apps; sample code walkthrough of the OAuth call and URL parsing; video of a running app; why we need the Authorization Code grant type instead of Implicit Grant; GitHub repo and local development.
How to integrate Cognito for a Chrome extension: how to set up the callback URL from Article 1 for a Chrome extension; how to call the OAuth endpoint from an extension; sample code walkthrough of the OAuth call and URL parsing; video of a running app; why we need the Authorization Code grant type instead of Implicit Grant.
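The two checks that come up repeatedly in the outline above, the strict callback URL comparison and the difference between receiving a code (Authorization Code grant) and receiving a token in the URL fragment (Implicit grant), can be shown in a few lines without any network calls. The following is an added example written for this page; it is not code from the series' sample projects. It assumes a public Cognito app client (no client secret), the standard /oauth2/authorize and /oauth2/token endpoint paths, and constructed placeholder values for the user pool domain, client id and registered callback.

```python
# Added example, not part of the article series: the client-side pieces of the
# Authorization Code grant and the exact-match callback URL check. No network I/O;
# all hostnames and ids are constructed placeholders.
from urllib.parse import urlparse, parse_qs, urlencode
import secrets

# Placeholder for the callback URL registered on the user pool's app client.
REGISTERED_CALLBACK = "https://app.example.com/callback"


def redirect_uri_allowed(candidate: str, registered: str = REGISTERED_CALLBACK) -> bool:
    """Exact-match comparison of the redirect URI against the registered value.
    Prefix or substring matching would let a different host, path or extra query
    parameters receive the authorization code, so every component must match and
    the scheme must be https."""
    c, r = urlparse(candidate), urlparse(registered)
    return (c.scheme == r.scheme == "https"
            and c.netloc == r.netloc
            and c.path == r.path
            and c.query == ""        # nothing appended to the registered value
            and c.fragment == "")


def build_authorize_url(domain: str, client_id: str, redirect_uri: str,
                        scope: str = "openid"):
    """Build the /oauth2/authorize request for the Authorization Code grant.
    'state' is a random value the client stores in its session and compares when
    the browser comes back, so a response cannot be injected into another session."""
    if not redirect_uri_allowed(redirect_uri):
        raise ValueError("redirect_uri does not match the registered callback")
    state = secrets.token_urlsafe(16)
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": scope, "state": state}
    return f"https://{domain}/oauth2/authorize?{urlencode(params)}", state


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Handle the redirect back to the app. With the Authorization Code grant the
    short-lived code arrives in the query string; the Implicit grant instead puts
    the token itself in the fragment, which this handler refuses."""
    parsed = urlparse(callback_url)
    if parsed.fragment:
        raise ValueError("token in fragment: Implicit grant response, not expected here")
    qs = parse_qs(parsed.query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: response does not belong to this session")
    if "error" in qs:
        raise ValueError(f"authorization server returned error: {qs['error'][0]}")
    if "code" not in qs:
        raise ValueError("no authorization code in callback")
    return qs["code"][0]


def build_token_request(client_id: str, code: str, redirect_uri: str) -> dict:
    """Form body a backend (for example a Lambda function) posts to /oauth2/token
    to exchange the code for tokens. redirect_uri must equal the value used in the
    authorize step; the server rejects the exchange otherwise."""
    return {"grant_type": "authorization_code", "client_id": client_id,
            "code": code, "redirect_uri": redirect_uri}


if __name__ == "__main__":
    url, state = build_authorize_url("auth.example.com", "placeholder-client-id",
                                     REGISTERED_CALLBACK)
    print("authorize:", url)
    # Constructed callback as the browser would deliver it after login.
    code = parse_callback(f"{REGISTERED_CALLBACK}?code=constructed-code&state={state}", state)
    print("token request body:", build_token_request("placeholder-client-id", code,
                                                     REGISTERED_CALLBACK))
```

The point of keeping the code exchange in a backend function is that the token never appears in a browser URL, which is the reason the later articles in the series prefer the Authorization Code grant over the Implicit grant.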
As you can see, this series uses AWS Cognito as its only identity cloud service. However, most of what it covers generalizes to other identity service providers, including Okta, Ping Identity and Auth0, and to social login providers like Facebook, Google and LinkedIn. I hope that by following the series, developers can understand how OAuth works through a few simple but working sample projects on AWS Cognito and then carry that understanding over to whichever identity provider they need to work with. This is not an endorsement of AWS Cognito over other identity service providers. Please do your own due diligence before committing to a platform; it is an important decision, and the right choice depends on the nature of the project.
If you would like to see anything related to OAuth that is not covered above, please feel free to leave a comment; it may influence my next focus.