As we all know, authentication and authorization are important aspects of any application. First, we want users to be authenticated, i.e. to confirm that they are who they say they are. Then we authorize them, i.e. allow them access only to the resources they are permitted to use and nothing else.
Suppose you work at a company with different departments such as IT, Sales and Management, and as a developer you work in the IT department. Your ID card is what you use to enter the building as an employee; that is authentication. Since you are in IT, you should only be allowed into the IT department; that is authorization. OAuth is used for authorization, whereas another protocol that sits on top of OAuth, called OpenID Connect, is used for authentication.
In this blog, I will talk about what OAuth is, why it matters, and the various OAuth flows.
As mentioned, OAuth is used for authorization. Suppose one day you visit a website that suggests jokes, and you want to share these jokes with your friends. One option is to type in everyone's email address. Alternatively, you could connect the website to your Gmail account and let it read your contacts. However, you cannot trust this website, so you cannot give it your email and password.
This is where OAuth comes into the picture. Rather than giving the jokes website your email and password, you are redirected to Gmail, log in there, and grant the client (the jokes website) access to just your contacts and nothing else.
There is some terminology used in OAuth that I will introduce as I walk through the OAuth flow next.
Resource Owner: This is the user who has an account with the authorization server and logs in there to grant the client application access to resources.
Authorization server: This is the server responsible for authorizing the user and checking that the user is who he claims to be.
Resource server: This is the server where the resources that the client wants to access are located.
Client: This is the application to which the user grants permission to access resources from the resource server on his behalf.
Let’s take the example of a food ordering system in which a user wants to link an Amazon pay wallet with Swiggy (food ordering app). Here, Swiggy is the client, you are the user, and Amazon is both the authorization and resource server:
Steps of OAuth:
1. The client redirects the user to the authorization server's website to link his wallet with Swiggy.
2. The user enters his email and password, and this data is sent to Amazon to check whether the user is present in its database.
3. Once the authorization server has verified the user's identity, it asks the user whether he wants to give Swiggy access to his Amazon Pay wallet.
4. Once the user has given consent, he is redirected back to Swiggy and his Amazon Pay wallet is linked with Swiggy. So here, instead of giving Swiggy my Amazon email and password, I was redirected to Amazon's website and provided my credentials there directly.
As you saw in the example above, after signing in to Amazon the user is redirected to Swiggy. At this point a token is generated by Amazon and passed on to Swiggy. This token carries the information about whether the user is authorized, the kind of resources the client (Swiggy) has been given access to, the expiry time of the token, and so on. There are different ways to obtain this token; some of them are discussed below:
1. Authorization code grant:
This is the most widely used OAuth flow, and it is the one explained in the example above.
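To make the four steps concrete, here is an added example (not from the original post) that models the authorization code grant in Python: the authorization server issues a single-use code bound to the client and its redirect URI, exchanges it for a token that records user, scope and expiry, and the resource server honours only what the token says. The client name, secret, redirect URI, user and "wallet" scope are constructed values.

```python
import secrets
import time

class AuthorizationServer:
    def __init__(self):
        # Registered clients; the redirect URI is fixed at registration (constructed values).
        self.clients = {"swiggy": {"secret": "swiggy-secret",
                                   "redirect_uri": "https://swiggy.example/callback"}}
        self.codes = {}   # authorization code -> (client_id, redirect_uri, user, scope)
        self.tokens = {}  # access token -> {user, scope, expires_at}

    def authorize(self, client_id, redirect_uri, scope, user, consent):
        # Steps 1-3: the user logged in here, not at the client, and is asked
        # whether this client may access the requested scope.
        client = self.clients.get(client_id)
        if client is None or client["redirect_uri"] != redirect_uri or not consent:
            raise PermissionError("authorization denied")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, redirect_uri, user, scope)
        return code  # step 4: carried back to the client on the redirect

    def token(self, client_id, client_secret, code, redirect_uri):
        # The client exchanges the single-use code for an access token.
        entry = self.codes.pop(code, None)
        client = self.clients.get(client_id)
        if entry is None or client is None or client["secret"] != client_secret:
            raise PermissionError("invalid grant")
        if entry[0] != client_id or entry[1] != redirect_uri:
            raise PermissionError("code was not issued to this client")
        tok = secrets.token_urlsafe(24)
        self.tokens[tok] = {"user": entry[2], "scope": entry[3],
                            "expires_at": time.time() + 3600}
        return tok

def resource(auth, token, required_scope, now=None):
    # Resource server: honour only what the token says (user, scope, expiry).
    info = auth.tokens.get(token)
    now = time.time() if now is None else now
    if info is None or info["expires_at"] <= now:
        raise PermissionError("token missing or expired")
    if required_scope not in info["scope"]:
        raise PermissionError("scope not granted")
    return f"{required_scope} data for {info['user']}"

def link_wallet(auth, consent=True):
    # The whole round trip from the example: redirect, consent, code, token.
    code = auth.authorize("swiggy", "https://swiggy.example/callback",
                          {"wallet"}, "alice", consent)
    return code, auth.token("swiggy", "swiggy-secret", code,
                            "https://swiggy.example/callback")
```

Replaying the code, asking for a scope that was never granted, or presenting the token after expiry all fail, which is exactly what the token's contents are for.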
2. Refresh token grant:
Suppose you have a use case where the user should not have to log in again and again. In this case, along with the authorization code, the authorization server (Amazon) sends a refresh token; this refresh token can be used to refresh the authorization token so that the user does not have to log in again to get the authorization code.
3. Client credentials grant:
This is used when the resource owner and the client have a trusted relationship. In this case, the resource owner gives his credentials to the client and trusts the client to log in to the authorization server on his behalf and fetch the resources it needs.
This was a basic introduction to what OAuth is and the kind of problems it solves, but OAuth itself does not give any details about the user. If you have a use case where you want the user's information, you can use OpenID Connect. This is a protocol that sits on top of OAuth and helps the client get information about the user.
Remember that OAuth can work independently but OpenID Connect cannot; OpenID Connect can only be used when OAuth is already present.