OAuth stands for Open Authorization. It’s a free and open protocol based on Open Web Foundation IETF standards and licenses. It enables users to share with a third party their private resources while keeping their own credentials confidential. Photos, images, contact lists, location and billing capabilities, and so on maybe these tools, and they are typically stored with another service provider. OAuth does this by issuing a token to the requesting (client) applications until the user approves access.
What is OAuth2.0?
OAuth 2.0 is the industry-standard authorization protocol. OAuth 2.0 focuses on the versatility of client developers by supplying web apps, desktop applications, cell phones, and living room devices with unique authorization flows.
OAuth adds a layer of authorization and distinguishes the client’s function from that of the owner of the resource. In OAuth, the client demands access to resources managed by the owner of the resource and hosted by the resource server, and a token set other than that of the owner of the resource is given. Instead of using the credentials of the resource owner to access protected services, the client obtains an access token-a string denoting a particular distance, lifetime, and other attributes of access.
The different terminologies used in OAuth2.0:
- Resource owner- The person who authorizes an application to access their account is the resource owner. The access of the application to the user’s account is limited to the scope of the permission given (e.g., read or write access).
- Client- The client is the program that will attempt to access the account of the user. Before accessing the account, it needs to be approved by the user. For instance, a client application may present a login page to the user to obtain an access token to access a specific resource.
- Authorization Server- The authorization server validates user credentials and uses an authorization code to redirect the user back to the client. To validate its identity, the client communicates with the authorization server and exchanges the code for an access token.
- Resource server- A resource server is a resource-protected access server. This handles authenticated requests from an app that has a token of access.
- Scope- This defines the access level that the application demands from the client.
- Consent- The consent screen shows the users you are requesting access to their information and what kind of information you are requesting access to.
Grant types used in OAuth2 protocol:
- Authorization Code Grant- this is the most widely used grant type.
- Resource Owner Credentials Grant- In cases where the resource owner has a trust relationship with the client, such as a highly privileged application, the resource owner’s password credentials grant form is sufficient. When allowing this grant form, the authorization server should take special care and only allow it when other flows are not viable.
- Client Credentials Grant- The client can request an access token using his/her client credentials through this flow. These are again of two types:
- Confidential- Clients capable of maintaining the confidentiality of their credentials. Confidential clients are implemented on a secure server with restricted access to the client credentials (e.g., a web application running on a web server).
- Public- Clients incapable of maintaining the confidentiality of their credentials (e.g. an installed native application or a web browser-based application), and incapable of secure client authentication via any other means.
- Refresh Token Grant- These grants respond with a refresh token which enables the client to refresh the access token.
That’s it! Now, you have got a pretty clear idea about the basics of OAUTH2.0 . You can now start implementing OAuth flow in your application.