DEV Community

Ramu Mangalarapu
Ramu Mangalarapu

Posted on

Basics of OAuth2.0 protocol

Hi,

Today, let's try to understand what is OAuth and why use it.

Whenever you login into any website or mobile App, you see the options like Login with Google, Facebook, Twitter right ?

The mechanisms used behind those options are OAuth. Let's take one example and follow it till the end to understand what OAuth really means.

Suppose you want to Sign Up for new App where you can order food online (food ordering App). You visited their website. In OAuth terms we call this client Application. Now, you can see option Login with Google and you clicked on it. Here Google is Authorization Server or/and Resource Server and your the Resource Owner.

When you can click of food ordering website (OAuth client Application) will redirect you to the Google Authorization Server login page.

Before this our food ordering Application registers with the Google by asking could you please provide authentication to my Application, then Google says Oka, Sure and gives you the Client ID (App ID) and Client Secret (App Secret). These two things should be used by our client App whenever there is authentication involved with Google. Client App should never expose it's credentials in front end.

Now, you as Resource Owner (because you have resources on Authorization Server) Sign In into Google, then Google prompt you saying, Do you want to allow this food ordering App to access your profile picture, email and language settings like some data requested by food ordering App (the things requested by the food ordering App for your data is called Scopes, such as email, phone, etc. ). Google will also display the link to Privacy policy of our client App (food ordering App) and terms of services.

Usually you proceed to give consent to the scopes requested by client Application.

Example of consent screen from Google.

Consent Screen

Now, our Client App i.e. food ordering App have access to yours profile image, email and language settings.

Then our food ordering App redirects you to the listings of restaurants near by you to order.

Sounds simple right ?

Yes it is simple if we can understand the roots of it and core problem it is solving. In fact we call the above process called access delegation. How ? because you as resource owner giving access to your data to the client application from your authorization server in return for what ?.

Let's dig bit deeper into it !

Official website of OAuth: https://oauth.net/

And finally this link without fail :)
https://developer.okta.com/blog/2017/06/21/what-the-heck-is-oauth

Now simply, we could say OAuth is authorization framework (protocol).

Current Version of OAuth is OAuth2.0

You can understand the history about OAuth here

Let's try to understand OAuth2 terms involved in it. As it's framework, we need to follow the documentation such rfc.
Here are the few terms you need to understand without fail :

Resource Owner: You or actual user who wants to access Apps where they provide Login with X options (USER).

Client App: Website or mobile Application who wants to enable Login with X option on their login pages (eg, website a-non-existing-food-ordering.com).

Authorization Server: The one who has Resource Owner data such as Google, Facebook, Twitter etc... (gooogle.com)

Resource Server: The one which provides data to the client Apps based on the token they receive, sometimes both Authorization Server and Resource Server can be same (google.com).

Actors Of OAuth2.0

Now, let's understand the URL flows involved in it and try to see different terms in it. Please follow below excellent OAuth2.0 Playground and you can read complete website, it is really good resource and sponsored by Okta.

Please visit here without fail to understand the all different OAuth2.0 flows and you can play with them.

https://www.oauth.com/playground/

Hope you got some understanding about OAuth protocol now.

Thank you for reading it.
I wish all the best for your goals.
Happy Learning and Coding :)

Discussion (0)