Skip to content

Latest commit

 

History

History
33 lines (30 loc) · 3.39 KB

OAuth 2.0.md

File metadata and controls

33 lines (30 loc) · 3.39 KB

What is OAuth 2.0?

OAuth 2.0 (Open Authorization 2.0) is an authorization framework that allows third-party applications to obtain limited access to a user's resources on a server without exposing the user's credentials. In simpler terms, OAuth 2.0 is a protocol that enables secure access to your data on one website (or application) by another website or application, without sharing your username and password directly.

Here are the key components and concepts of OAuth 2.0:

  • Roles:
    • Resource Owner: The user who owns the data and can grant access to it. For example, you, as a user, are the resource owner.
    • Client: The application that is seeking access to the user's data. This could be a mobile app, a web application, or any other type of application.
    • Authorization Server: The server responsible for authenticating the user and obtaining their consent to grant access to the client. It issues access tokens.
    • Resource Server: The server hosting the protected resources. It verifies the access tokens and serves the requested data.
  • Authorization Grant Types:
    • OAuth 2.0 defines several ways in which a client can obtain authorization. Common grant types include:
      • Authorization Code: Used by web applications. The client is redirected to the authorization server, and after authorization, it receives an authorization code that can be exchanged for an access token.
      • Implicit: Designed for client-side applications (like JavaScript running in a browser). The access token is returned directly in the URL fragment.
      • Resource Owner Password Credentials: The client collects the user's username and password directly, but it is generally discouraged due to security concerns.
      • Client Credentials: Used for server-to-server communication where the client is the owner of the resource.
  • Access Tokens:
    • An access token is a credential that represents the authorization granted to the client. It is a string that the client includes in its requests to access protected resources on behalf of the resource owner.
    • Access tokens have a limited lifespan and are used to authenticate and authorize requests during that period.
  • Refresh Tokens:
    • In certain scenarios, a refresh token is issued along with the access token. The refresh token can be used to obtain a new access token without requiring the user to re-authenticate.
  • Scope:
    • Scopes define the extent of access that the client is requesting. When the user grants authorization, they are specifying the scope of access the client is permitted.
  • Endpoints:
    • OAuth 2.0 involves several endpoints, including the authorization endpoint (where the user grants or denies access), the token endpoint (where the client exchanges the authorization code for an access token), and others.
  • Example Workflow:
    • The client requests authorization by redirecting the user to the authorization server.
    • The user authenticates and grants permission.
    • The authorization server redirects the user back to the client with an authorization code.
    • The client exchanges the authorization code for an access token.
    • The client uses the access token to access the protected resources on the resource server.

OAuth 2.0 is widely adopted and provides a flexible framework for secure and delegated access to resources. It is used by many major platforms and services to enable third-party applications to interact with user data in a secure and controlled manner.