Basics of OAuth

Jalaz Kumar · July 10, 2020

Web Development   Miscellaneous

Terminology

Authentication:

  • The act of proving an assertion, such as the identity of a computer system user.

  • In contrast with identification, the act of indicating a person or thing’s identity, authentication is the process of verifying that identity.

Authentication is the act of validating that users are who they claim to be.

  • Passwords are the most common authentication factor—if a user enters the correct password, the system assumes the identity is valid and grants access.

  • Other technologies such as One-Time Pins, authentication apps, and even biometrics can also be used to authenticate identity.

Authorization:

  • The function of specifying access rights/privileges to resources, which is related to security and to access control.

  • Authorization in system security is the process of giving the user permission to access a specific resource or function.

  • Giving someone permission to download a particular file on a server or providing individual users with administrative access to an application are good examples.

Extra Points:

In secure environments, authorization must always follow authentication—users should first prove that their identities are genuine before an organization’s administrators grant them access to the requested resources.

Nowadays for building login system,

  1. We can register user during signing up & later use that registered information (which is generally username & password) to authenticate user and provide authorized access to the resources.

  2. The other & most prominent method used nowadays is the OAuth or the OAuth 2.0 services.

OAuth

Basics of OAuth

  • An open standard for access delegation.

  • This is commonly used as a way for Internet users to grant websites or applications access to their information on other websites but without giving them the passwords.

  • OAuth is an authentication protocol that allows you to approve one application interacting with another on your behalf without giving away your password.

  • OAuth doesn’t share password data but instead uses authorization tokens to prove an identity between consumers and service providers.

For example, you can tell Facebook that it’s OK for ESPN.com to access your profile & post updates to your timeline without having to give ESPN your Facebook password.

OAuth is about authorization and not authentication.

OAuth 1.0 vs. OAuth 2.0:

  • OAuth 2.0 is a complete redesign from OAuth 1.0, and the two are not compatible. If you create a new application today, use OAuth 2.0.

  • OAuth 2.0 is faster and easier to implement.

  • OAuth 1.0 used complicated cryptographic requirements, only supported three flows, and did not scale.

  • OAuth 2.0, on the other hand, has six flows for different types of applications and requirements, and enables signed secrets over HTTPS. OAuth tokens no longer need to be encrypted on the endpoints in 2.0 since they are encrypted in transit.

OAuth Flows and Concepts

OAuth is not an API or a service: it’s an open standard for authorization and anyone can implement it.

More specifically, OAuth is a standard that apps can use to provide client applications with “secure delegated access”. OAuth works over HTTPS and authorizes devices, APIs, servers, and applications with access tokens rather than credentials.

Control Flow

Configure your application to get the Client ID and Client Secret. (From providers such as LinkedIn, Facebook, Twitter, GitHub, Google etc.)

The 3-legged OAuth Flow has the following steps:

  1. Your application directs the browser to Providers’s OAuth 2.0 authorization page where the member authenticates. After authentication, Provider’s authorization server passes an authorization code to your application.
  2. Your application sends this code to Provider and Provider returns an access token.
  3. Your application uses this token to call APIs on behalf of the member.

For more details and development intricacies: Check out my GitHub project: Auth-API

Integrating with oAuth Providers

One can integrate OAuth services of many service providers in the Website, API, Mobile Apps or Desktop Apps. Some notables one’s are:

  • Facebook
  • LinkedIn
  • Twitter
  • GitHub
  • Google

I have added all informations about their smooth integrations in a Backend API as my project wiki : Auth-API-Wiki

Twitter, Facebook