OAuth 2.0

What is OAuth 2.0?

OAuth 2.0, short for Open Authorization, is a protocol that acts as a framework or set of specifications designed to allow applications to obtain limited permissions to access protected resources. This can happen with or without a user present; for example, an application may request data from a server with no user involvement at all. To make sure permissions are granted to applications securely, OAuth 2.0 defines a set of terms and mechanisms, described below.

Key OAuth 2.0 Terms

Resource Owner

The party or entity that owns the data and can grant permission to access protected resources. The resource owner can be the client itself or, when it is a person, is referred to as the End-User.

Resource Server

The device that contains data, APIs, or protected resources that are being requested for access.

Authorization Server

The server that authorizes the client and grants it permission to access data or APIs.

Client

Not to be confused with a person: this is the software application seeking to access protected resources on the resource server.

Access Token

A string the client presents to the resource server to obtain the protected resources. The composition of this token varies with the token type; a JSON Web Token (JWT), for example, consists of three parts:

- Header

Contains the algorithm used for token creation and the token type.

- Payload

Holds the token's data content, including the issuer (iss), sometimes the user or system roles (roles), an identifier for the subject the token was issued to (sub), and other claims.

- Signature

Lets the recipient verify that the token is authentic and has not been altered.

Claims

Data used in the authentication and authorization process to assert information like user or client details, roles, or permissions.

Scopes

A mechanism that restricts the client by granting specific permissions but not others. The client cannot access resources beyond these designated permissions without acquiring a new access token.
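The three JWT parts and the claims and scopes discussed above, shown end to end in an added example (not code from the original page): an authorization server issues an HS256-signed JWT carrying iss, sub, scope and expiry claims, and a resource server validates the signature, pins the algorithm, checks expiry, and then enforces the scope. The shared signing key, issuer URL, subject and scope strings are constructed for this example.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import time

# Constructed example key; a real authorization server keeps this secret
# (assumption: HS256 shared-secret signing, one of several JWT options).
SIGNING_KEY = b"example-shared-secret-do-not-reuse"


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWTs use."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url: restore padding, then decode."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(key: bytes, subject: str, scopes: list[str],
                ttl: int = 300, now: int | None = None) -> str:
    """Authorization server side: build header.payload.signature."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}            # Header: algorithm + type
    payload = {                                          # Payload: the claims
        "iss": "https://auth.example",                   # issuer (constructed URL)
        "sub": subject,                                  # subject identifier
        "scope": " ".join(scopes),                       # space-separated scopes
        "iat": now,
        "exp": now + ttl,
    }
    compact = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact(header) + "." + compact(payload)
    signature = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(signature)      # Signature: HMAC-SHA256


def verify_token(key: bytes, token: str, now: int | None = None) -> dict:
    """Resource server side: return the payload if the token checks out, else raise ValueError."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm: the token's own header must never pick how it is verified.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    payload = json.loads(b64url_decode(payload_b64))
    if payload.get("exp", 0) <= now:
        raise ValueError("expired")
    return payload


def authorize(key: bytes, token: str, required_scope: str, now: int | None = None) -> bool:
    """Scope enforcement: a valid token still only unlocks what its scope claim grants."""
    try:
        payload = verify_token(key, token, now)
    except ValueError:
        return False
    return required_scope in payload.get("scope", "").split()


if __name__ == "__main__":
    token = issue_token(SIGNING_KEY, "user-42", ["read:profile"])
    print(token)
    print("read:profile ->", authorize(SIGNING_KEY, token, "read:profile"))
    print("write:profile ->", authorize(SIGNING_KEY, token, "write:profile"))
```

The scope check is deliberately a separate step after signature and expiry validation: a token that verifies is not the same as a token that is allowed to do what the client is attempting, which is the point of scopes in the section above.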

Types of Clients

Clients are applications or software seeking authorization, either for themselves or on behalf of users, and are categorized into:

- Public Client:

An application that cannot securely store confidential data, such as mobile and desktop applications, or front-end web applications.

- Confidential Client:

An application capable of securely storing confidential data, like back-end applications and servers.

Grant Types or Flows

These are the methods or mechanisms by which the client application is authorized, either on its own behalf or on behalf of a user. Each of the client types described above performs the authorization process in its own way, and the process differs depending on whether a user is involved. In some cases an application obtains an access token for itself to call APIs without any user interaction. The grant types are:

  • Client Credentials Grant
  • Legacy: Password Grant
  • Legacy: Implicit Grant
  • Authorization Code Grant
  • Authorization Code With PKCE Grant
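Two of the grant types above, worked through as an added example rather than code from the original page: a public client (a mobile app that cannot keep a secret) uses the Authorization Code With PKCE Grant, and a confidential client (a back-end job that can) uses the Client Credentials Grant. The authorization server is an in-memory stand-in written for this example; the client ids, redirect URI, client secret, scope and user values are all constructed.

```python
from __future__ import annotations

import base64
import hashlib
import secrets


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# ---- Public client side (e.g. a mobile app): holds no client secret ----
def make_pkce_pair() -> tuple[str, str]:
    """Return (code_verifier, code_challenge) using the S256 method."""
    verifier = b64url(secrets.token_bytes(32))                     # 43 chars, unguessable
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


# ---- Authorization server (constructed in-memory stand-in) ----
class AuthorizationServer:
    def __init__(self) -> None:
        self.registered = {   # constructed client registrations
            "mobile-app": {"public": True, "redirect_uri": "com.example.app:/cb"},
            "backend-job": {"public": False, "secret": "constructed-secret", "redirect_uri": None},
        }
        self.pending_codes: dict[str, dict] = {}

    def authorize(self, client_id: str, redirect_uri: str, code_challenge: str,
                  code_challenge_method: str, scope: str, user: str) -> str:
        """Authorization endpoint: once the resource owner consents, return a
        single-use code bound to the PKCE challenge (a real server redirects it back)."""
        client = self.registered.get(client_id)
        if client is None or client["redirect_uri"] != redirect_uri:
            raise ValueError("unknown client or redirect_uri mismatch")
        if code_challenge_method != "S256":
            raise ValueError("only S256 accepted")
        code = secrets.token_urlsafe(24)
        self.pending_codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                                    "challenge": code_challenge, "scope": scope, "sub": user}
        return code

    def token_authorization_code(self, client_id: str, code: str,
                                 redirect_uri: str, code_verifier: str) -> dict:
        """Token endpoint, grant_type=authorization_code with PKCE."""
        record = self.pending_codes.pop(code, None)   # pop: a replayed code must fail
        if record is None or record["client_id"] != client_id or record["redirect_uri"] != redirect_uri:
            raise ValueError("invalid_grant")
        expected = b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())
        if not secrets.compare_digest(expected, record["challenge"]):
            raise ValueError("invalid_grant: PKCE verifier mismatch")
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "scope": record["scope"], "sub": record["sub"]}

    def token_client_credentials(self, client_id: str, client_secret: str, scope: str) -> dict:
        """Token endpoint, grant_type=client_credentials: no user, confidential clients only."""
        client = self.registered.get(client_id)
        if client is None or client["public"] or not secrets.compare_digest(client["secret"], client_secret):
            raise ValueError("invalid_client")
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "scope": scope, "sub": client_id}


def run_pkce_flow(server: AuthorizationServer) -> dict:
    """Happy path: the mobile app obtains a token for user-42 without any client secret."""
    verifier, challenge = make_pkce_pair()
    code = server.authorize("mobile-app", "com.example.app:/cb", challenge, "S256", "read:profile", "user-42")
    return server.token_authorization_code("mobile-app", code, "com.example.app:/cb", verifier)


def wrong_verifier_is_rejected(server: AuthorizationServer) -> bool:
    """A stolen code is useless without the verifier that matches its challenge."""
    _verifier, challenge = make_pkce_pair()
    code = server.authorize("mobile-app", "com.example.app:/cb", challenge, "S256", "read:profile", "user-42")
    try:
        server.token_authorization_code("mobile-app", code, "com.example.app:/cb", "not-the-verifier")
    except ValueError:
        return True
    return False


def replayed_code_is_rejected(server: AuthorizationServer) -> bool:
    """The same code presented twice yields one token, then invalid_grant."""
    verifier, challenge = make_pkce_pair()
    code = server.authorize("mobile-app", "com.example.app:/cb", challenge, "S256", "read:profile", "user-42")
    server.token_authorization_code("mobile-app", code, "com.example.app:/cb", verifier)
    try:
        server.token_authorization_code("mobile-app", code, "com.example.app:/cb", verifier)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    srv = AuthorizationServer()
    print("PKCE flow:", run_pkce_flow(srv))
    print("client credentials:", srv.token_client_credentials("backend-job", "constructed-secret", "jobs:run"))
```

The two token-endpoint methods make the client-type distinction concrete: the confidential client proves its identity with a stored secret, while the public client proves possession of the code_verifier instead, so a code intercepted in transit cannot be redeemed by anyone who does not also hold the verifier.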