How does the OAuth authorization code flow work?

The OAuth 2.0 framework was initially built for authorization. Later on, people developed an approach to authenticate users via OAuth as well. OAuth is used to set up communication between services. OAuth 2.0 is the latest version. Before trying to understand OAuth, we will first understand what authorization is.

Authorization

It is a check to see whether a user has the privilege to access a particular resource. Only if the user has that privilege can the user access the resource. We will try to understand it through some examples.

Restaurant Example

Suppose you are hungry and you see a restaurant nearby. You can go inside the restaurant, pick a table and order something to eat. So as a customer you have the right to access only the public areas of the restaurant, like the dining area, washroom etc. But you can't enter the kitchen; only the cooks and managers/owners have the authorization to enter the kitchen. A cook can't enter the billing area or the cash collection area, so a cook also has access to only some parts of the restaurant. The access rights are properly divided by the type of customer/employee.

Customer : Dining , Washroom
Cook : Dining , Washroom , Kitchen
Manager : Dining , Washroom , Kitchen , Billing , Cash

Social Networking Apps Example

We all use WhatsApp or Facebook in our day-to-day life, so we are all aware of the "Groups" in those applications. Suppose a group has 100 members, of which 3 are group administrators and the remaining 97 are just group members. The group members have the right to post content in the group or exit from the group. But a group administrator will also have the right to add a new member to the group or remove any member from the group, as well as to post content.

From the above examples we learned that access to a particular resource depends on designation or position. So if a user is valid and the user has the right to access a resource, then we say the user has proper authorization.

OAuth 2.0 authorization flows

1 ) Authorization Code Flow
2 ) Implicit Flow
3 ) Client Credential Flow

Authorization Code Flow

You will get to know about the 'Authorization Code Flow' in this article. It is one of the most popular and most secure flows. We will start with an example so that it is easier for you to understand.

[ Figure : OAuth authorization code flow example ]

Suppose you got a new job at 'ABC Company'. Before you join 'ABC Company', the HR team sends you a mail. That mail contains instructions for the onboarding process. Along with that they also share a website link ( abc.com/register ) where you have to go and fill in your details. You also have to upload a few documents. Now say the documents are not available on your local system; instead they are on your Google Drive.

While uploading the documents, 'abc.com/register' gives an option to 'upload via Google Drive'. When you click the upload button you are redirected to a Google page, where Google asks for your login details and then asks a question: whether you are OK to share the documents with abc.com/register. Now if you fill in valid login details, confirm that you are OK to share the documents and click OK, then the documents get uploaded to abc.com/register from Google Drive.

This is what the OAuth Authorization Code Flow is. OAuth helps two services communicate with each other. 'abc.com/register' and 'Google Drive' are the two services in the above example, and they are communicating via OAuth.

Now we will try to understand what happens in the background in the above process, but before that we should be aware of a few terms.

OAuth Terminologies

[ Figure : OAuth terminologies ]

Resource

It is an entity which can be utilized. The 'Documents' are the Resource in the above example.

Resource Owner

The user who gives permission to access the resource, or we can say the one to whom that Resource belongs. In the above example you are the 'Resource Owner', as you are giving permission to access your documents.

Authorization Server

The server which authorizes the 'Resource Owner'. Google is the authorization server in our case. The authorization server holds the details regarding the 'Resource' and the 'Resource Owner'. So the 'Authorization Server' checks whether the credentials provided by the user are valid, and it also checks whether the user has the privilege to access the resource.

Resource Server

The place where your resources are hosted. In the above case 'Google Drive' is the 'Resource Server', as your documents are stored there.

Client

The one who makes the request on the user's behalf ( or the Resource Owner's behalf ). 'abc.com/register' is the Client, as it is the one asking for documents on your behalf.

Steps for Authorization Code Flow

1 . ‘Resource Owner’ Calls ‘Client’

The 'New Employee' makes a call to 'abc.com/register' and starts the registration process.

2 . ‘Client’ Calls ‘Authorization Server’

During registration the employee clicks the 'Upload Documents Via Google' button, which redirects the employee to the 'Google Drive Authorization Server'.

3 . ‘Authorization Server’ Calls ‘Resource Owner’

The 'Google Authorization Server' sends a request to the 'New Employee' asking whether they are the one giving permission to 'abc.com/register' to access their documents.

4 . ‘Resource Owner’ Calls ‘Authorization Server’

The 'New Employee' replies to the 'Google Authorization Server' and says: Yes, I am the one who is granting the privilege to share the resources with 'abc.com/register'.

5 . ‘Authorization Server’ Calls Back ‘Client’

The 'Google Authorization Server' generates an authentication token and sends it back to 'abc.com/register'.

[ Figure : OAuth authorization code flow diagram ]

6 . ‘Client’ Calls Back ‘Authorization Server’

'abc.com/register' sends the same 'Authentication token' back to the 'Google Authorization Server', so as to confirm that 'abc.com/register' is the authenticated client which wants access to the employee's documents.

7 . ‘Authorization Server’ Calls Back ‘Client’

The 'Google Authorization Server' generates an 'Access Token' and sends it to 'abc.com/register'.

Access Token

An Access Token is a piece of information which says whether the user is allowed to access a particular resource. The 'Google Authorization Server' creates the token such that the 'Client' only has the right to access and upload the resource. Using that token, the 'Client' won't be able to create/modify/delete any documents of that employee.

[ Because, if you remember, earlier a question was asked to the 'Resource Owner' for access / upload rights, and the Owner granted the access / upload privilege only; it did not grant any privilege to create/modify/delete any resource ]

Ex : JSON Web Token (JWT) is one type of Access Token. To get more info on JWT please click here.

8 . ‘Client’ Calls ‘Resource Server’

'abc.com/register' makes a call to the 'Google Resource Server' using the access token created earlier. The 'Resource Server' recognizes the token and checks the privileges mentioned in it; once the token is verified, the 'Resource Server' provides the documents to 'abc.com/register', and thus the documents get uploaded to the 'Client'.
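As an added example that is not part of the original article, the eight steps above as a small in-memory Python simulation: the authorization server hands the client a short-lived code (what the article calls the 'authentication token'; the OAuth 2.0 specification calls it the authorization code), accepts it back only once and only from the registered client and redirect URI, and issues a token carrying just the scope the owner consented to; the resource server then refuses anything outside that scope. All client ids, secrets, URLs and documents below are constructed for illustration.

```python
import secrets, time
from urllib.parse import urlencode, urlparse, parse_qs
CLIENT_ID, CLIENT_SECRET = "abc-register", "s3cret"   # constructed client registration
REDIRECT_URI = "https://abc.com/register/callback"
DOCS = {"offer.pdf": b"%PDF constructed sample"}      # what 'Google Drive' holds

def callback_params(url):  # query string the authorization server redirects back with
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
class AuthorizationServer:  # plays 'Google Authorization Server'
    def __init__(self):
        self.clients = {CLIENT_ID: (CLIENT_SECRET, REDIRECT_URI)}
        self.codes, self.tokens = {}, {}
    def authorize(self, client_id, redirect_uri, scope, state, owner_consents):
        # Steps 2-5: check the client, ask the owner, redirect back with a code
        if self.clients.get(client_id, (None, None))[1] != redirect_uri:
            raise ValueError("unknown client or redirect_uri mismatch")
        if not owner_consents:
            return redirect_uri + "?" + urlencode({"error": "access_denied", "state": state})
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, redirect_uri, scope, time.time() + 60)
        return redirect_uri + "?" + urlencode({"code": code, "state": state})
    def token(self, client_id, client_secret, code, redirect_uri):
        # Steps 6-7: code is single-use (pop), bound to the client (proved by its secret) and URI
        entry = self.codes.pop(code, None)
        if entry is None or self.clients.get(client_id, (None, None))[0] != client_secret:
            raise PermissionError("invalid code or client credentials")
        cid, uri, scope, expires = entry
        if cid != client_id or uri != redirect_uri or time.time() > expires:
            raise PermissionError("code not issued to this client/redirect, or expired")
        tok = secrets.token_urlsafe(24)
        self.tokens[tok] = scope  # the token carries only the scope the owner granted
        return {"access_token": tok, "token_type": "Bearer", "scope": scope}

def resource_server(auth, token, action, name):
    # Step 8 ('Google Drive'): verify the token, then honour only the granted scope
    scope = auth.tokens.get(token, "").split()
    if action == "read" and "drive.read" in scope:
        return DOCS[name]
    raise PermissionError(f"scope {scope} does not permit {action}")

def run_flow(owner_consents=True):  # the whole flow as 'abc.com/register' would drive it
    auth = AuthorizationServer()
    state = secrets.token_urlsafe(8)  # client-side CSRF check on the callback
    params = callback_params(auth.authorize(CLIENT_ID, REDIRECT_URI, "drive.read", state, owner_consents))
    if params.get("state") != state:
        raise PermissionError("state mismatch: callback did not come from our request")
    if "error" in params:
        return None
    grant = auth.token(CLIENT_ID, CLIENT_SECRET, params["code"], REDIRECT_URI)
    return resource_server(auth, grant["access_token"], "read", "offer.pdf")
```

Replaying the same code a second time, or using the token for a delete, both raise PermissionError, which is the behaviour the article describes for the access / upload-only grant.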

[ Figure : OAuth 2 authorization code flow example ]

I have covered the OAuth 2.0 Authorization Code Flow in this article. To understand the remaining two OAuth flows, please follow the corresponding links: Implicit Flow / Client Credential Flow.

If you like this article, please share it. If you want to add anything, please comment below, and write to me if I have gone wrong anywhere.
