I have been working with OAuth2 for nearly half a decade. All I wanted is a simple and clear document explaining the three questions in the title. Let’s get into the answers to the questions.
What is OAuth2?
OAuth2 is a way of authentication/authorization. We need to authenticate an API as we need privacy for our data.
I can’t allow my friends to ready my chats
Why is OAuth2?
OAuth2 is the best way to authenticate an API. It eliminates the pitfalls in Basic, API Key, and OAuth1 Authentication methods.
Before how? Let’s have a glimpse at the other two types of API authentication.
Here, we send our credentials (username & password) in every request in the headers to authenticate. Anyone can just intercept and get your credentials easily.
Your secret is no more a secret
API Key Authentication:
This time, the resource server will give an encrypted secret key. We should send the key in every request to fetch the data. Wait! Even now I can get the API Key and steal all your data as the API key is valid forever. Maybe until I close my account.
Still, the secret is not maintained as a secret
Here comes OAuth2,
To make the process a bit complicated and the data secured.
How is OAuth2?
The zeroth step is, registering the client. The Client Application should register at the authorization server with a name, homepage, and redirect URL.
On successful registration, the client will get a client ID and client secret. Which is used by the authorization server to identify the client.
Let’s get into the steps,
1. The user is logging in to an App to see his data.
2. The App (Registered Client) sends a request to the authorization server to identify the user. In this request, the client ID, client secret, redirect URI, and scopes are sent. Scopes are defined by the resource server and are used to identify what type of data the client wants to access.
3.1. If the client details are correct, the authorization server will authenticate the user by logging in.
3.2. On successful login, a consent page will be shown where the user authorizes the client to access the data.
4. After authentication & authorization the client app will receive a grant token/authorization code. Which holds the reference to the user permitted data.
5 & 6. Now, the client will send a request to the authorization server for the access token. In the request, authorization code/grant token, client ID, client secret, and redirect URI will be sent. Along with the access token, a refresh token can be generated.
7 & 8. Now the client can send a request to the resource server and fetch data using the access token. The resource server will communicate with the authorization server to do the token validation.
9. If the user is logging out from the app/client, the refresh token will be revoked.
If the access token expires, steps 5 & 6 will be repeated with the refresh token.
Steps 7 & 8 will be repeated by the client to fetch data from the resource server.
OAuth 2.0 is the industry-standard protocol for authorization. Widely used by most the tech giants.
Thanks for reading, Happy Authenticating!