OAuth is an authorization protocol which is an open-standard or framework which provides applications the ability for being able to secure designated access. And now, you may wonder how OAuth works? Here, we will inform you about it, so make sure to read this until the end.
How OAuth2 Works?
According to an article created by Dave Wallen on the Spanning site, here is how OAuth works. An OAuth access token transaction needs three players including the end user, the application (API) and the resource which is the service provider which has stored your privileged credentials. The transaction starts if the user expresses intent to access the API.
- Application asks permissions. The API or the application asks for authorization from the resource by providing the user’s verified identity as proof.
- Application requests access token. After the authorization has been authenticated, then the resource gives an access token to the API without having to divulge usernames and passwords.
- Application accesses resources. Tokens come with access permission for the API. These permissions are named scopes and each token will have an authorized scope for every API. The application can have access to the resource only to the extent which the scope allows.
Roger A. Grimes and Josh Fruhlinger in his article posted on the CSO site also explain about the work of OAuth. Here is the explanation according to them. We can assume that a user has signed into one site or service and then the user initiates a feature or transaction that needs to access another unrelated site or service.
- The first site will connect to the second site on behalf of the user by using OAuth which provides the verified identity of the user.
- Then, the second site produces a one-time token and a one-time secret unique to the transaction and parties involved.
- The first site will give this token and secret to the initiating user’s client software.
- The software of the client presents the request token and secret to their authorization provider which may or may not be the second site.
- If it is not already authenticated to the authorization provider, then the client may be asked to authenticate. After the authentication, the next thing that will happen is the client will be asked to approve the authorization transaction to the second site.
- Here, the user approves or their software silently approves a particular transaction type at the first site.
- After that, the user is given an approved access token. It is important for you to know that it is no longer a request token.
- The user gives the access token which is approved to the first site.
- Next, the first site gives the access token to the second site as proof of authentication on behalf of the user.
- The second site permits the first site to be able to access their site on behalf of the user.
- The user sees that there is a successfully completed transaction. OAuth is not the first authentication/ authorization system that works this way in the name of the end-user. In fact, there are a lot of authentication systems, notably Kerberos, work likewise. So, what is the special about OAuth? It is its ability to be able to work across the web and its wide adoption. It succeeded with adoption rates where previous trials failed.
What is OAuth?
Well, as explained earlier that OAuth is an open-standard authorization protocol or framework which provides applications the ability for secure designated access. Let’s take an example. You are able to tell Facebook that it is Ok for ESPN.com to be able to access your profile or post updates to your timeline without having to give ESPN your Facebook password. You need to know that it minimizes risk in a major way. In the event ESPN suffers a breach and your password of your Facebook will be safe.
It is important for you to know that OAuth does not share password data but it uses authorization tokens to prove an identity between consumers and service providers. OAuth is an authentication protocol which permits you to be able to approve one application interacting with another on your behalf without giving away your password.
The Difference Between OAuth 1.0 and OAuth 2.0
Now, there is OAuth 2.0. So, what are the differences to OAuth 1.0? Well, OAuth 2.0 is a complete redesign from OAuth 1.0 and the two are not compatible. In case you make a new application today, you are able to use OAuth 2.0. Then, OAuth 2.0 is faster and easier to apply. How about OAuth 1.0? It used complicated cryptographic requirements and it only supported three flows and did not scale.
On the other hand, OAuth 2.0 has six flows for different types of applications and requirements and it permits signed secret over HTTPS. OAuth tokens do not need to be encrypted on the endpoints anymore in 2.0 because they are encrypted in transit.
The Safety of OAuth
You may wonder whether OAuth is safe or not. According to the CSO site, TLS can provide all protections. However, it is up to the implementers, on all sides, to get it to be used. Users and coders need to look to ensure that OAuth is running inside of TLS protection. Developers are able to apply code to be able to enforce TLS use and users need to be aware that TLS is being used whenever they are asked to input authentication credentials.
Due to the lack of inherent security binding, it is possible for a rogue site to be able to pish a legitimate credential of the user during the part of the process where the user is being needed to authenticate themselves to the authorization provider. Let’s take an example. there is a user who is using the first service and selects a feature which forces an OAuth transaction to a second service. It is possible for the first site to fake the second site where the user authentication is taking place. Then the rough site is able to gather the authentication credentials of the user and react as if the OAuth transaction has taken place successfully.
On my daily job, I am a software engineer, programmer & computer technician. My passion is assembling PC hardware, studying Operating System and all things related to computers technology. I also love to make short films for YouTube as a producer. More at about me…