OAuth 2.0

Nowadays APIs play a major role in software engineering, and accessing APIs from mobile devices has become very common. In that setting, OAuth 2.0 is an excellent protocol for securing API services against untrusted devices.

OAuth Roles

There are four major roles defined in OAuth:

  1. Resource Owner
    • The resource owner is the user who authorizes an application to access their account. The application's access to the user's account is limited to the "scope" of the authorization granted (e.g. read or write access).
  2. Client
    • The client is the application that wants to access the user's account. Before it may do so, it must be authorized by the user, and the authorization must be validated by the API.
  3. Resource Server
    • The resource server hosts the protected user accounts.
  4. Authorization Server
    • The authorization server verifies the identity of the user and then issues access tokens to the application.

Overview

Basically, OAuth 2.0 works as follows.

  1. The user gives their login credentials.
  2. Your app sends a POST request to the API service.
  3. The service validates the credentials and issues an access token to the user, which expires after a certain amount of time.
  4. The app stores this access token and uses it to access the API.
  5. Once the access token has expired, the app has to get another token.

Grant Types

OAuth 2.0 defines four grant types.

  1. Authorization code.
  2. Implicit.
  3. Resource owner password credentials.
  4. Client credentials.

Authorization code

(Figure: OAuth 2.0 authorization code flow)

  • Client app sends a request to the authorization server.
  • Authorization server sends back the authorization code.
  • Then the client app exchanges that authorization code for an access token.
  • Then the client app uses that access token to access the resource.

Implicit

(Figure: OAuth 2.0 implicit flow)

  • Client app sends a request to the authorization server.
  • The authorization server requests login credentials from the client app.
  • Then the authorization server sends back the access token.
  • Client app uses that access token to access the resource.

Resource owner password credentials

(Figure: OAuth 2.0 resource owner password credentials flow)

  • User sends a request to authorization server with login credentials.
  • Authorization server sends back the access token after validating the login credentials.
  • Client app uses that access token to access the resource.

Client credentials

(Figure: OAuth 2.0 client credentials flow)

  • Here the client app, rather than the user, sends the request. Everything else is the same as the resource owner password credentials grant.
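To make the overview and the four grants above concrete, here is an added example (my own toy code, not from the original post or from any OAuth library). It models a single in-memory authorization server whose authorization endpoint handles the authorization code and implicit grants, whose token endpoint dispatches on grant_type for the authorization code, password and client credentials grants, and whose introspect method plays the resource server's check that a bearer token is known and unexpired. The client id, client secret, redirect URI, user account and lifetimes are all constructed values for illustration; a real deployment would store hashed passwords and tokens in a database rather than dicts.

```python
"""Toy OAuth 2.0 authorization server + resource server check (in memory).

Added example, not from the original post. All registrations and
lifetimes below are constructed for illustration.
"""
import hmac
import secrets
import time
from dataclasses import dataclass, field

CODE_LIFETIME = 60      # seconds an authorization code stays valid (assumed)
TOKEN_LIFETIME = 3600   # seconds an access token stays valid (assumed)

# Constructed registrations: one confidential client and one user account.
CLIENTS = {"mobile-app": {"secret": "client-secret-123",
                          "redirect_uri": "https://app.example/cb"}}
USERS = {"alice": "correct horse battery staple"}


@dataclass
class Token:
    client_id: str
    subject: str        # the user the token acts for, or the client itself
    scope: str
    expires_at: float


@dataclass
class AuthorizationServer:
    codes: dict = field(default_factory=dict)   # code -> (client, user, scope, expiry)
    tokens: dict = field(default_factory=dict)  # access token -> Token

    def _check_client(self, client_id, client_secret):
        client = CLIENTS.get(client_id)
        # constant-time comparison so the secret check does not leak timing
        return client is not None and hmac.compare_digest(client["secret"], client_secret)

    def _check_user(self, username, password):
        expected = USERS.get(username, "")
        return bool(expected) and hmac.compare_digest(expected, password)

    def _issue(self, client_id, subject, scope, now):
        token = secrets.token_urlsafe(32)   # unguessable random bearer token
        self.tokens[token] = Token(client_id, subject, scope, now + TOKEN_LIFETIME)
        return token

    def authorize(self, client_id, redirect_uri, scope, username, password,
                  response_type="code", now=None):
        """Authorization endpoint: the user logs in here, not at the client.

        response_type="code"  -> authorization code grant (short-lived code)
        response_type="token" -> implicit grant (access token returned directly)
        """
        now = time.time() if now is None else now
        client = CLIENTS.get(client_id)
        # the redirect URI must match the registered one, so codes/tokens
        # are only ever handed back to the registered client location
        if client is None or client["redirect_uri"] != redirect_uri:
            return None
        if not self._check_user(username, password):
            return None
        if response_type == "token":
            return self._issue(client_id, username, scope, now)
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, username, scope, now + CODE_LIFETIME)
        return code

    def token(self, grant_type, client_id, client_secret, now=None, **params):
        """Token endpoint: every grant here requires the client to authenticate."""
        now = time.time() if now is None else now
        if not self._check_client(client_id, client_secret):
            return None
        if grant_type == "authorization_code":
            entry = self.codes.pop(params.get("code"), None)   # codes are single use
            if entry is None:
                return None
            code_client, user, scope, expiry = entry
            if code_client != client_id or now > expiry:   # bound to client, expires
                return None
            return self._issue(client_id, user, scope, now)
        if grant_type == "password":
            if not self._check_user(params.get("username", ""), params.get("password", "")):
                return None
            return self._issue(client_id, params["username"], params.get("scope", ""), now)
        if grant_type == "client_credentials":
            # no user involved: the token acts for the client itself
            return self._issue(client_id, client_id, params.get("scope", ""), now)
        return None   # unsupported grant type

    def introspect(self, access_token, now=None):
        """Resource server check: return the Token if known and unexpired, else None."""
        now = time.time() if now is None else now
        tok = self.tokens.get(access_token)
        if tok is None or now > tok.expires_at:
            return None
        return tok


if __name__ == "__main__":
    srv = AuthorizationServer()
    code = srv.authorize("mobile-app", "https://app.example/cb", "read",
                         "alice", "correct horse battery staple")
    access = srv.token("authorization_code", "mobile-app", "client-secret-123", code=code)
    print("token acts for:", srv.introspect(access).subject)
```

The `now` parameter exists so the expiry behaviour can be exercised deterministically; in production every method would simply use the wall clock. The parts worth noticing from a security standpoint are the ones the page's bullet lists leave implicit: the authorization code is single use, short-lived and bound to the client it was issued to, the token endpoint authenticates the client before honouring any grant, and the resource server rejects a token as soon as its lifetime has passed, which is what forces the "get another token" step in the overview.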

Hope you guys got a brief idea about OAuth 2.0. Feel free to leave a comment 🙂
