OAuth 2.0

Introduction

OAuth 2.0 stands for Open Authorization. It was created to let a website or application access resources hosted by other web applications, on behalf of a user. In other words, OAuth 2.0 grants access with the user's consent and limits the actions the client application can perform on those resources on the user's behalf, without the user having to share their own details with it.

OAuth 2.0 is a standardized protocol used across the industry for authorization. While its main purpose is to provide an authorization flow for web and desktop applications, it also keeps the process simple for client developers.

OAuth 2.0 rests on a few principles, listed below:

  • Do not confuse OAuth 2.0 with an authentication tool. It is an authorization tool, focused on granting access to a defined set of resources.
  • OAuth 2.0 requires an access token. An access token is a piece of data that represents the authorization to access resources on the end user's behalf. Access tokens have no fixed format, but the most common one is the JSON Web Token (JWT), which lets the token issuer embed data in the token itself. Access tokens also carry an expiration time to keep security intact.

A single access token can grant different levels of access to many APIs. The scope parameter controls which resources an access token grants permission to.

The way OAuth 2.0 works is fairly simple. The first step is to obtain client credentials. Next, the client application requests an access token from the server; at this stage, one or more values are sent in the scope parameter. The token is then extracted from the response and sent to the particular API that needs to be accessed. Since access tokens are valid only for a limited time, it may sometimes be necessary to refresh them.
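As an added example (not from the original article), the flow above is modelled in Python with constructed in-process stand-ins for the authorization server and a resource API; the client id, client secret, signing key and scope name are made up. The client presents its credentials, receives a signed JWT carrying scope and expiry, sends it as a Bearer token, and the API rejects expired, tampered or under-scoped tokens; when the API reports expiry, the client simply requests a new token.

```python
import base64, hashlib, hmac, json, time
# Constructed, in-process stand-ins for an OAuth 2.0 authorization server and a
# resource API so the flow runs offline; this is not the page's own code.
AS_SIGNING_KEY = b"constructed-demo-signing-key"     # placeholder, not a real key
REGISTERED_CLIENTS = {"demo-client": "demo-secret"}  # constructed client credentials

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(txt: str) -> bytes:
    return base64.urlsafe_b64decode(txt + "=" * (-len(txt) % 4))

def issue_token(client_id, client_secret, scope, ttl=60, now=None):
    """Token endpoint (client credentials grant): JSON body with a signed JWT."""
    if REGISTERED_CLIENTS.get(client_id) != client_secret:
        return {"error": "invalid_client"}
    now = time.time() if now is None else now
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps({"sub": client_id, "scope": scope, "exp": int(now + ttl)}).encode())
    sig = hmac.new(AS_SIGNING_KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return {"access_token": f"{head}.{body}.{_b64(sig)}", "token_type": "Bearer", "expires_in": ttl, "scope": scope}

def api_profile(auth_header, now=None):
    """Resource API: check signature, expiry and scope before releasing data."""
    now = time.time() if now is None else now
    if not auth_header.startswith("Bearer "):
        return 401, "missing bearer token"
    try:
        head, body, sig = auth_header[len("Bearer "):].split(".")
        expected = hmac.new(AS_SIGNING_KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return 401, "bad signature"
        claims = json.loads(_unb64(body))
    except (ValueError, json.JSONDecodeError):
        return 401, "malformed token"
    if claims["exp"] <= now:
        return 401, "token expired"
    if "profile:read" not in claims["scope"].split():
        return 403, "insufficient_scope"
    return 200, {"user": claims["sub"]}

def client_fetch_profile(scope="profile:read", token_age=0, now=None):
    """Client: get a token, call the API, and re-request once if it has expired."""
    now = time.time() if now is None else now
    token = issue_token("demo-client", "demo-secret", scope, now=now - token_age)
    status, data = api_profile(f"Bearer {token['access_token']}", now=now)
    if status == 401 and data == "token expired":  # refresh by requesting a new token
        token = issue_token("demo-client", "demo-secret", scope, now=now)
        status, data = api_profile(f"Bearer {token['access_token']}", now=now)
    return status, data
```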