The OAuth 2.0 framework is used for authorization. If the 'Client' is highly trusted, or is a confidential client, we use the Client Credentials Flow. OAuth is used for communication between services. OAuth 2.0 is the latest version. Before trying to understand OAuth, we will first understand what authorization is.
Authorization
It is a check to see whether a user has the privilege to access a particular resource. Only if the user has that privilege can the user access the resource. We will try to understand this with some examples.
Restaurant Example
Suppose you are hungry and you see a restaurant nearby. You can go inside the restaurant, pick a table and order something to eat. So as a customer you have the right to access only the public areas of the restaurant, like the dining area, washroom etc. But you can't enter the kitchen; only the cooks and the managers/owners are authorized to enter the kitchen. A cook can't enter the billing area or the cash collection area, so a cook also has access to only some parts of the restaurant. The access rights are divided according to the type of customer/employee you are.
Customer: Dining, Washroom
Cook: Dining, Washroom, Kitchen
Manager: Dining, Washroom, Kitchen, Billing, Cash
Social Networking Apps Example
We all use WhatsApp or Facebook in our day-to-day life, so we are all aware of the "Groups" in those applications. Suppose a group has 100 members, of which 3 are group administrators and the remaining 97 are just group members. The group members have the right to post content in the group or exit the group. But a group administrator has the right to add a new member to the group, remove a member from the group, or post content.
From the above examples we learn that, based on designation or position, we can access a particular resource. So if a user is valid and the user has the right to access a resource, we call it authorization.
OAuth 2.0 authorization flows
Client Credential Flow
You will get to know about the 'Client Credentials Flow' as part of this article. We use this flow if the 'Client' is highly trusted or the client is confidential. We will start with an example so that it is easier for you to understand.
Money transfer Example
Suppose you want to transfer some money to your friend. Your account is in Hdfc-Bank and your friend's account is in Axis-Bank. You log in to the Hdfc-Bank website, provide your friend's (beneficiary) account details and the amount you need to transfer. Now your account gets debited and your friend's account gets credited. So what happens in the background? How is Hdfc-Bank able to credit the Axis-Bank account?
Interbank Onboarding process
This is the very first process that happens between banks. We will try to understand how Hdfc-Bank and Axis-Bank communicate. Axis-Bank has an onboarding process, so whenever any bank wants to communicate with Axis-Bank, the other bank (in our case Hdfc-Bank) has to register with Axis-Bank. At the time of registration Hdfc-Bank can opt for the services which Axis-Bank provides, like:
- Crediting a Bank Account
- Status of the transaction etc
Say Hdfc-Bank opts for 'Crediting a Bank Account'; then Hdfc-Bank will have authorization to trigger only that particular service. Once the registration completes, Axis-Bank generates a 'Client-Id' and 'Client-Secret' and provides them to Hdfc-Bank. The 'Client-Id' and 'Client-Secret' will be used in future to get the access token. With that, the onboarding process is complete.
On-boarding Process Response :
{
"clientId" : "HdfcBank-1",
"clientSecret" : "$$$$$$$"
}
Now, whenever you want to transfer money from your Hdfc-Bank account to your friend's Axis-Bank account, the following steps happen:
- First you log in to the Hdfc-Bank website and provide your friend's account details and the amount you want to transfer. A message is generated and posted to the Hdfc-Bank server. The message will look like the one below:
{
"payerDetails": {
"payerName": "Suraj",
"payerAccountNumber": "101111",
"payerBank": "Hdfc-Bank"
},
"beneficiaryDetails": {
"beneficiaryName": "Surya",
"beneficiaryAcountNumber": "345789123",
"beneficiaryBank": "Axis-Bank",
"ifscCode": "ABC1234"
},
"payoutDetails": {
"amount": "10000",
"currencyCode": "INR"
}
}
- The Hdfc-Bank server validates the message and sees that the 'Beneficiary Bank' is Axis-Bank. Since Hdfc-Bank has to communicate with Axis-Bank, Hdfc-Bank needs an access token to make use of the Axis-Bank service (Crediting a Bank Account).
- Hdfc-Bank creates an authentication message using the 'Client-Id' and 'Client-Secret' that were generated during the onboarding process and sends it to Axis-Bank. Axis-Bank verifies the details and creates an access token, which is sent back to Hdfc-Bank.
Authentication Request :
{
"clientId" : "HdfcBank-1",
"clientSecret" : "$$$$$$$"
}
Authentication Response :
{
"access-token" : "aaa.bbb.ccc"
}
This access token will be used to trigger Axis-Bank services. The token includes the identity and privileges of Hdfc-Bank. JSON Web Token (JWT) is one type of access token. To get more info on JWT please click here.
- The above access token is added to the payout request created in the first step, and the credit-beneficiary-bank-account request is sent to Axis-Bank. Axis-Bank verifies the access token and confirms that Hdfc-Bank is a valid client which has already registered for the 'Crediting a Bank Account' service. Hence the transaction takes place and your friend's account gets credited.
{
"access-token" : "aaa.bbb.ccc",
"payerDetails": {
"payerName": "Suraj",
"payerAccountNumber": "101111",
"payerBank": "Hdfc-Bank"
},
"beneficiaryDetails": {
"beneficiaryName": "Surya",
"beneficiaryAcountNumber": "345789123",
"beneficiaryBank": "Axis-Bank",
"ifscCode": "ABC1234"
},
"payoutDetails": {
"amount": "10000",
"currencyCode": "INR"
}
}
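The whole exchange above, both sides, as an added example that is not part of the original article: Axis-Bank's token endpoint checks the client id and secret issued at onboarding and mints a short-lived JWT scoped to the one service Hdfc-Bank opted for, and the 'Crediting a Bank Account' service verifies the signature, expiry and scope before it credits anything. Client registry, signing key and the exact token claims are assumptions for illustration; the secret is checked against a stored hash and compared in constant time.

```python
import base64, hashlib, hmac, json, time

# Axis-Bank side registry built at onboarding (constructed from the article's example):
# the secret is stored hashed, and 'services' is what Hdfc-Bank opted for.
REGISTERED_CLIENTS = {
    "HdfcBank-1": {"secret_hash": hashlib.sha256(b"$$$$$$$").hexdigest(),
                   "services": {"credit_account"}},
}
SIGNING_KEY = b"axis-bank-token-signing-key"  # constructed; held only by the token issuer

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def sign(signing_input: str) -> str:
    return b64url(hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest())

def issue_token(client_id, client_secret, service, now=None):
    """Token endpoint: check client id/secret, mint a short-lived JWT scoped to one service."""
    client = REGISTERED_CLIENTS.get(client_id)
    given = hashlib.sha256(client_secret.encode()).hexdigest()
    if client is None or not hmac.compare_digest(given, client["secret_hash"]):
        return None  # unknown client or wrong secret
    if service not in client["services"]:
        return None  # client never opted in for this service at onboarding
    claims = {"sub": client_id, "scope": service, "exp": int(now or time.time()) + 300}
    head = b64url(b'{"alg":"HS256","typ":"JWT"}')
    body = b64url(json.dumps(claims, separators=(",", ":")).encode())
    return f"{head}.{body}.{sign(head + '.' + body)}"

def verify_token(token, required_service, now=None):
    """Resource server: signature first, then expiry and scope; returns client id or None."""
    try:
        head, body, sig = token.split(".")
    except ValueError:
        return None
    if not hmac.compare_digest(sig, sign(head + "." + body)):
        return None  # tampered or forged token
    claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    if claims["exp"] < (now or time.time()) or claims["scope"] != required_service:
        return None  # expired, or token issued for a different service
    return claims["sub"]

def credit_account(token, payout, now=None):
    """'Crediting a Bank Account' service: proceeds only for a valid, in-scope token."""
    client = verify_token(token, "credit_account", now)
    if client is None:
        return {"status": "rejected"}
    return {"status": "credited", "client": client, "amount": payout["payoutDetails"]["amount"]}
```

The same token is refused for the 'Status of the transaction' service, because its scope names only the service Hdfc-Bank registered for.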
I have covered the OAuth 2.0 Client Credentials Flow as part of this article. To understand the remaining two OAuth flows, please click the corresponding links: Implicit Flow / Authorization Code Flow.
If you like this article, please share it. If you want to add anything, please comment below, and write to me if I have gone wrong anywhere.