Unlocking the Power of OAuth 2.0: A Comprehensive Guide to Modern Authentication and Authorization
Deep Dive into OAuth 2.0 Authorization
Before going into the depths of OAuth 2.0 directly, let's first understand the concepts of security, authentication and authorization.
Security/Protected APIs
In computing terms, APIs can be regarded as resources. To make sure a server resource is only used by a trusted source, we need to protect it.
To protect these resources we need something that can be passed to the resource server, so that the server can tell that the client is trusted.
Authentication
Authentication establishes who you are. There are several ways to authenticate, for example passwords, PINs, biometrics, etc.
Authorization
Once your identity is verified, authorization defines what permissions you have to do something.
Authorization always comes after authentication.
The main purpose of authorization is access rights and privileges.
Roles and Permissions
Role - What persona does a person hold?
Permission - Which actions are allowed and not allowed for a role.
OAuth 2.0
The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf.
Reference - https://datatracker.ietf.org/doc/html/rfc6749
Terminologies
Resource Owner
Anyone capable of granting access to a protected resource.
Resource Server
Server that is hosting protected resources, capable of consuming access tokens.
Client
Application sending requests for protected resources on behalf of the resource owner.
Authorization Server
Server that performs authorization by issuing tokens to the client.
Generic OAuth 2.0 Flow
Authorization Grant
It is the resource owner's authorization, used by the client to get an access token. There are different types of authorization grants:
Authorization Code
Implicit (Not recommended)
Resource Owner Password Credentials
Client Credentials
We will deep dive into few of them later as part of this article.
Access Token
It is a string representation of an authorization issued to the client, which the client uses to access a protected resource.
There are different types of access tokens available:
Opaque
atfqI-QW3HXqF1hkot1e6hJDIj4qHnwTEUXiGJFf09k.SRHhlx6wlDz5GZncAr99HfM7FUbDQlUg73MapL0TJ2I
Bearer
Contains the "Bearer" keyword before the token.
This token doesn't contain any specific information.
The authorization server does the validation and returns the user related information.
Revocation of the token can be done.
Authorization: Bearer <token>
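The following is an added example, not code from the article: a toy resource server that parses the Authorization: Bearer header shown above and validates an opaque token by asking a simulated authorization server about it, which is the "authorization server does the validation and returns user information" step, and revokes it by simply forgetting it. The AuthorizationServer and ResourceServer classes, the in-memory token store, the scope names and the user name are constructed for illustration; a real deployment would make the lookup over the network (RFC 7662 token introspection) instead of in-process.

```python
# Added example (not from the article): opaque bearer token handling.
import re
import secrets
from typing import Optional

# RFC 6750: the scheme name is case-insensitive, the token is a b64token.
_BEARER_RE = re.compile(r"^\s*Bearer\s+([A-Za-z0-9\-._~+/]+=*)\s*$", re.IGNORECASE)


def parse_bearer(authorization_header: Optional[str]) -> Optional[str]:
    """Extract the token from 'Authorization: Bearer <token>'; None if absent or malformed."""
    if not authorization_header:
        return None
    match = _BEARER_RE.match(authorization_header)
    return match.group(1) if match else None


class AuthorizationServer:
    """Constructed stand-in: issues opaque tokens and answers introspection queries."""

    def __init__(self) -> None:
        self._tokens: dict = {}  # token string -> data kept server-side only

    def issue(self, subject: str, scope: str) -> str:
        token = secrets.token_urlsafe(32)  # random; carries no information itself
        self._tokens[token] = {"sub": subject, "scope": scope}
        return token

    def introspect(self, token: str) -> dict:
        """Shape follows RFC 7662: {'active': False} or {'active': True, ...data}."""
        data = self._tokens.get(token)
        if data is None:
            return {"active": False}
        return {"active": True, **data}

    def revoke(self, token: str) -> None:
        """Revocation is just forgetting the token; the next introspection says inactive."""
        self._tokens.pop(token, None)


class ResourceServer:
    """Constructed stand-in for a protected API."""

    def __init__(self, auth_server: AuthorizationServer) -> None:
        self._auth = auth_server

    def handle(self, authorization_header: Optional[str], required_scope: str) -> tuple:
        """Return (status, body) for a request carrying the given Authorization header."""
        token = parse_bearer(authorization_header)
        if token is None:
            return 401, {"error": "invalid_request"}
        info = self._auth.introspect(token)  # a network call in a real deployment
        if not info["active"]:
            return 401, {"error": "invalid_token"}
        if required_scope not in info["scope"].split():
            return 403, {"error": "insufficient_scope"}
        return 200, {"hello": info["sub"]}


if __name__ == "__main__":
    auth = AuthorizationServer()
    api = ResourceServer(auth)
    tok = auth.issue("alice", "profile:read")
    print(api.handle(f"Bearer {tok}", "profile:read"))  # (200, {'hello': 'alice'})
    auth.revoke(tok)
    print(api.handle(f"Bearer {tok}", "profile:read"))  # (401, {'error': 'invalid_token'})
```

Note that the resource server learns nothing from the token string itself; every decision comes from the introspection answer, which is why revocation takes effect immediately for opaque tokens.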
JWT
This token carries all the information itself, for example the issuer, expiration time, permissions, etc.
Validation can be done at the consumer end; there is no need to call the authorization server.
Revocation of the token can't be done using standard procedures.
To do so, you may need to implement blacklisting, etc.
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
Header
{ "alg": "HS256", "typ": "JWT" }
Payload
{ "sub": "1234567890", "name": "John Doe", "iat": 1516239022 }
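Added example, not code from the article: local HS256 verification of a JWT, which shows why the consumer needs no call to the authorization server, together with a deny-list of token ids standing in for the blacklisting mentioned above. The secret, issuer and claims are constructed values; PAGE_TOKEN is the token shown above, decoded here without verification because its signing secret is not part of the article. Only the standard library is used.

```python
# Added example (not from the article): self-contained HS256 JWT mint/verify.
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# The token shown in the article (decoded below without signature checking).
PAGE_TOKEN = ("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
              "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ."
              "SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c")


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def decode_unverified(token: str) -> tuple:
    """Return (header, payload) WITHOUT checking the signature; never authorize on these."""
    header_b64, payload_b64, _ = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))


def mint_hs256(claims: dict, secret: bytes) -> str:
    """Build header.payload.signature with HMAC-SHA256 over the first two segments."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


class JwtValidator:
    """Consumer-side validation: needs only the shared secret, no call to the issuer."""

    def __init__(self, secret: bytes, expected_issuer: str) -> None:
        self._secret = secret
        self._issuer = expected_issuer
        self._denied_jti: set = set()  # revoked token ids (the "blacklist" from the text)

    def revoke(self, jti: str) -> None:
        self._denied_jti.add(jti)

    def verify(self, token: str, now: Optional[float] = None) -> dict:
        """Return the claims if valid, otherwise raise ValueError with the reason."""
        now = time.time() if now is None else now
        try:
            header_b64, payload_b64, sig_b64 = token.split(".")
        except ValueError:
            raise ValueError("malformed token")
        header = json.loads(b64url_decode(header_b64))
        # Pin the algorithm: the 'alg' inside the token is attacker-controlled ("none", etc.).
        if header.get("alg") != "HS256":
            raise ValueError("unexpected alg")
        expected = hmac.new(self._secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            raise ValueError("bad signature")
        claims = json.loads(b64url_decode(payload_b64))
        if claims.get("iss") != self._issuer:
            raise ValueError("wrong issuer")
        if "exp" not in claims or now >= claims["exp"]:
            raise ValueError("expired")
        if claims.get("jti") in self._denied_jti:
            raise ValueError("revoked")
        return claims

    def is_valid(self, token: str, now: Optional[float] = None) -> bool:
        try:
            self.verify(token, now)
            return True
        except ValueError:
            return False


if __name__ == "__main__":
    print(decode_unverified(PAGE_TOKEN))
    secret = b"constructed-example-secret"
    validator = JwtValidator(secret, "https://auth.example.test")
    token = mint_hs256({"iss": "https://auth.example.test", "sub": "alice",
                        "exp": int(time.time()) + 300, "jti": "t-1"}, secret)
    print(validator.is_valid(token))  # True
    validator.revoke("t-1")
    print(validator.is_valid(token))  # False, only because this validator keeps a deny-list
```

The order of checks matters: the algorithm is pinned and the signature verified before any claim is read, so nothing in an unverified payload influences a decision. The deny-list is the only thing that makes early revocation possible, and it has to be shared with every consumer, which is exactly the operational cost the text alludes to.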
Refresh Token
It is used to get a new access token when the access token expires or becomes invalid.
By sending the refresh token to the authorization server, the client can obtain a new pair of tokens with the same permissions.
It is only intended for use with the authorization server.
Generally, the expiry time of refresh.
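Added example, not code from the article: the refresh token exchange simulated at the authorization server's token endpoint. The client presents grant_type=refresh_token and receives a new access token with the same scope; the refresh token itself is rotated, and a refresh token presented a second time is treated as a replay that revokes every token of that grant, which is the rotation scheme RFC 6749 section 10.4 describes. The TokenEndpoint class, the lifetimes and the client ids are constructed for illustration.

```python
# Added example (not from the article): refresh token exchange with rotation.
import secrets
import time
from typing import Optional

ACCESS_TTL = 600          # access tokens live minutes
REFRESH_TTL = 30 * 86400  # refresh tokens live much longer


class TokenEndpoint:
    """Constructed stand-in for the authorization server's token endpoint."""

    def __init__(self) -> None:
        self._refresh: dict = {}  # refresh token -> record
        self._access: dict = {}   # access token -> record

    def _issue_pair(self, client_id: str, sub: str, scope: str, family: str, now: float) -> dict:
        access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self._access[access] = {"client_id": client_id, "sub": sub, "scope": scope,
                                "family": family, "exp": now + ACCESS_TTL}
        self._refresh[refresh] = {"client_id": client_id, "sub": sub, "scope": scope,
                                  "family": family, "exp": now + REFRESH_TTL, "used": False}
        # Shape of the successful token response in RFC 6749 section 5.1.
        return {"access_token": access, "token_type": "Bearer", "expires_in": ACCESS_TTL,
                "refresh_token": refresh, "scope": scope}

    def _revoke_family(self, family: str) -> None:
        for store in (self._refresh, self._access):
            for tok in [t for t, rec in store.items() if rec["family"] == family]:
                del store[tok]

    def grant(self, client_id: str, sub: str, scope: str, now: Optional[float] = None) -> dict:
        """First issuance, after some authorization grant has already succeeded."""
        now = time.time() if now is None else now
        return self._issue_pair(client_id, sub, scope, secrets.token_hex(8), now)

    def refresh(self, client_id: str, refresh_token: str, now: Optional[float] = None) -> dict:
        """Handle grant_type=refresh_token (RFC 6749 section 6)."""
        now = time.time() if now is None else now
        rec = self._refresh.get(refresh_token)
        if rec is None or rec["client_id"] != client_id or now >= rec["exp"]:
            return {"error": "invalid_grant"}
        if rec["used"]:
            # With rotation a legitimate client never presents the same refresh token
            # twice, so a second use signals theft: revoke the whole family.
            self._revoke_family(rec["family"])
            return {"error": "invalid_grant"}
        rec["used"] = True  # kept rather than deleted so a later replay is recognised
        return self._issue_pair(client_id, rec["sub"], rec["scope"], rec["family"], now)

    def access_active(self, access_token: str, now: Optional[float] = None) -> bool:
        """What a resource server would learn by introspecting the access token."""
        now = time.time() if now is None else now
        rec = self._access.get(access_token)
        return rec is not None and now < rec["exp"]


if __name__ == "__main__":
    endpoint = TokenEndpoint()
    first = endpoint.grant("web-app", "alice", "profile:read", now=1000)
    second = endpoint.refresh("web-app", first["refresh_token"], now=1700)
    print(second["scope"], second["refresh_token"] != first["refresh_token"])  # profile:read True
    print(endpoint.refresh("web-app", first["refresh_token"], now=1800))      # {'error': 'invalid_grant'}
```

The client-side rule that follows from this is simple: store the refresh token returned by each refresh response and discard the old one, and treat an invalid_grant error as "start the authorization flow again", not as something to retry.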
Now, in terms of authorization grants, we will only discuss the authorization code and resource owner password credentials types, as implicit is not recommended and client credentials is too straightforward.
Authorization Code Grant Type Explained
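The article names the authorization code grant here but its explanation was not captured in this copy, so the following is an added example and not the author's material: the exchange from RFC 6749 section 4.1, simulated in-process between a Client and an AuthorizationServer, including the state parameter and PKCE (RFC 7636) that current deployments use with this grant. HTTP requests are replaced by dict arguments and redirect URLs by plain strings; the client id, redirect URI, scope and user name are constructed sample values.

```python
# Added example (not from the article): authorization code grant, simulated in-process.
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

CODE_TTL = 60  # authorization codes are short-lived and single-use (RFC 6749 section 4.1.2)


def s256(verifier: str) -> str:
    """PKCE code_challenge = BASE64URL(SHA256(code_verifier)) (RFC 7636 section 4.2)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class AuthorizationServer:
    """Constructed stand-in holding the authorization and token endpoints."""

    def __init__(self, registered_clients: dict) -> None:
        self._clients = registered_clients  # client_id -> {"redirect_uris": [...]}
        self._codes: dict = {}

    def authorize(self, query: dict, authenticated_user: str, now: float) -> str:
        """Authorization endpoint, reached after the user has logged in and consented.
        Returns the redirect URL that carries the code back to the client."""
        client = self._clients.get(query.get("client_id"))
        redirect_uri = query.get("redirect_uri")
        # Exact match against the registered URI; a code must never be sent elsewhere.
        if client is None or redirect_uri not in client["redirect_uris"]:
            raise ValueError("unknown client or redirect_uri")
        if (query.get("response_type") != "code" or query.get("code_challenge_method") != "S256"
                or not query.get("code_challenge")):
            return redirect_uri + "?" + urlencode({"error": "invalid_request",
                                                   "state": query.get("state", "")})
        code = secrets.token_urlsafe(24)
        self._codes[code] = {"client_id": query["client_id"], "redirect_uri": redirect_uri,
                             "sub": authenticated_user, "scope": query.get("scope", ""),
                             "challenge": query["code_challenge"], "exp": now + CODE_TTL}
        return redirect_uri + "?" + urlencode({"code": code, "state": query.get("state", "")})

    def token(self, form: dict, now: float) -> dict:
        """Token endpoint: exchange code + code_verifier for an access token."""
        rec = self._codes.pop(form.get("code"), None)  # pop makes the code single-use
        if (rec is None or form.get("grant_type") != "authorization_code"
                or rec["client_id"] != form.get("client_id")
                or rec["redirect_uri"] != form.get("redirect_uri")
                or now >= rec["exp"]
                or s256(form.get("code_verifier", "")) != rec["challenge"]):
            return {"error": "invalid_grant"}
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "expires_in": 600, "scope": rec["scope"], "sub": rec["sub"]}


class Client:
    """Constructed stand-in for a web application using the grant."""

    def __init__(self, client_id: str, redirect_uri: str) -> None:
        self.client_id, self.redirect_uri = client_id, redirect_uri
        self._pending: dict = {}  # state -> code_verifier, kept in the user's session

    def start(self, scope: str) -> dict:
        """Build the authorization request the browser carries to the server."""
        state, verifier = secrets.token_urlsafe(16), secrets.token_urlsafe(48)
        self._pending[state] = verifier
        return {"response_type": "code", "client_id": self.client_id,
                "redirect_uri": self.redirect_uri, "scope": scope, "state": state,
                "code_challenge": s256(verifier), "code_challenge_method": "S256"}

    def callback(self, redirect_url: str) -> dict:
        """Handle the redirect: check state, then build the token request."""
        params = {k: v[0] for k, v in parse_qs(urlparse(redirect_url).query).items()}
        verifier = self._pending.pop(params.get("state"), None)
        if verifier is None:  # unknown state: not a flow this session started (CSRF)
            raise ValueError("state mismatch")
        if "code" not in params:
            raise ValueError(params.get("error", "missing code"))
        return {"grant_type": "authorization_code", "code": params["code"],
                "redirect_uri": self.redirect_uri, "client_id": self.client_id,
                "code_verifier": verifier}


def run_flow(now: float = 1000.0) -> dict:
    """Drive one complete exchange, then replay the already consumed code."""
    server = AuthorizationServer({"web-app": {"redirect_uris": ["https://app.example.test/cb"]}})
    client = Client("web-app", "https://app.example.test/cb")
    auth_request = client.start("profile:read")              # 1. client -> browser -> AS
    redirect = server.authorize(auth_request, "alice", now)  # 2. AS -> browser -> client
    token_request = client.callback(redirect)                # 3. client verifies state
    first = server.token(token_request, now + 5)             # 4. back-channel exchange
    replay = server.token(token_request, now + 6)            # same code presented again
    return {"first": first, "replay": replay}


if __name__ == "__main__":
    print(run_flow())  # first: a Bearer token for alice; replay: {'error': 'invalid_grant'}
```

Three checks carry the security of this grant and all three are visible in the code: the redirect URI is matched exactly against the registration before a code is issued, the client refuses any callback whose state it did not create, and the token endpoint consumes the code on first use and ties it to the client, redirect URI and PKCE verifier that started the flow.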
Resource Owner Password Credentials Grant Type Explained
By this time, I hope you have gained enough knowledge of OAuth 2.0.
If you really like my content, you can subscribe to me below.
Youtube Channel - https://www.youtube.com/channel/UCpF3Y8AxzgYZnI8Zcf_G_fg
You can follow me on linkedin here - https://www.linkedin.com/in/suchait-gaurav-944479109/
Github Repo - https://github.com/suchait007