OAuth 2.0 framework – what, why and how

2019 07 12 · 2 min read

Data security is one of the most pressing problems of today. We pay invoices, shop and subscribe to services online, usually without being able to judge how well a given provider protects our personal data, and we often reuse the same password across different systems. If one of those providers fails to secure its data, there is a high probability that our personal data, and the reused password with it, will end up in the hands of online fraudsters.

Another problem, familiar to both the end users of different systems and their creators, is the lack of a central place for authorization. Every application has to protect personal data on its own, implementing user registration and login and storing passwords itself, which in practice is a considerable challenge, takes a lot of time and is easy to get wrong.

OAuth 2.0 addresses both problems by changing how traditional systems work: instead of every application collecting the user's password, the authorization decision is delegated to a dedicated authorization server.

However, what is OAuth 2.0 and how does it work?

OAuth 2.0 is an authorization framework (RFC 6749) that lets a third-party application obtain limited access to a user's resources on a resource server without the user handing that application their credentials. It runs over HTTP and hands the authorization decision to an authorization service provider (Facebook, Google, Amazon, OpenAM, etc.) that holds the user's account, authenticates the user and issues the third-party application a token for the user's data. OAuth 2.0 covers web applications, desktop applications and mobile devices.

From this definition we can pick out the OAuth 2.0 roles, which we need to know before explaining how the system works.

Roles:

  • Resource server – the server that hosts the protected resources (typically an HTTP API). It accepts requests carrying an access token and serves the resource only if the token is valid.
  • Resource owner – the entity that owns the resources on the resource server and can grant access to them. When the resource owner is a person, it is referred to as the end user.
  • Client – the application that requests protected resources on behalf of the resource owner and with its authorization. The term “client” says nothing about the implementation: it may be an application running on a server, a desktop or mobile application, or code running in the browser.
  • Authorization server – the server that authenticates the resource owner, obtains their consent and issues access tokens to the client. Public providers include Facebook, Twitter, Google and Okta, but the authorization server may also be your own.

OAuth2 operating principle

Now that we know the roles of OAuth 2.0, we can look at how they interact with each other.

Explanation of the chart:

  1. The client application asks the resource owner (user) for authorization to access a resource.
  2. The resource owner (user) is redirected to the authorization server, where they authenticate and authorize the application to access their resources.
  3. If the client is authenticated and the requested grant type is permitted, the authorization server issues an access token and returns it to the application. Authorization is complete.
  4. The application requests the resource from the resource server (API), presenting the access token.
  5. If the access token is valid, the resource server (API) returns the protected resource to the application. The resource server can check the validity of the access token in two ways:
    • it sends the access token to the authorization server for verification (token introspection), or
    • it validates the token itself, which works when the token is self-contained, for example a signed JWT whose signature, audience and expiry the resource server can check with a key it already holds.
    The exact sequence of this process varies with the authorization grant type used.
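The five steps above, carried out end to end as an added example in Python (this is not code from the original post). Everything is simulated inside one process: the client "photo-app" with redirect URI https://photo-app.example/cb, the user "alice", the issuer https://auth.example and the audience https://api.example are all constructed, direct method calls stand in for HTTPS requests, and a hand-rolled HS256 signature stands in for a real JWT library. The resource server in step 5 is shown validating the token both ways, by asking the authorization server (`introspect`) and by checking the signature locally (`validate_locally`).

```python
"""OAuth 2.0 authorization-code flow, steps 1-5, simulated inside one process.
Added example, not the original post's code: names, URIs and keys are constructed."""
import base64, hashlib, hmac, json, secrets, time
from urllib.parse import parse_qs, urlencode, urlparse

API_AUDIENCE = "https://api.example"   # hypothetical identifier of the resource server

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

class AuthorizationServer:   # steps 2-3: authenticates the user, records consent, issues tokens
    def __init__(self, signing_key: bytes, clients: dict):
        self.signing_key = signing_key
        self.clients = clients   # client_id -> (client_secret, registered redirect_uri)
        self.codes = {}          # one-time authorization codes waiting to be redeemed
        self.issued = {}         # access tokens issued so far, consulted by introspection

    def authorize(self, client_id, redirect_uri, scope, state, user):
        """Step 2: the already-authenticated user approves; redirect back with a code."""
        if redirect_uri != self.clients[client_id][1]:   # exact match, never a prefix match
            raise ValueError("redirect_uri not registered for this client")
        code = secrets.token_urlsafe(24)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                            "scope": scope, "sub": user, "exp": time.time() + 60}
        return redirect_uri + "?" + urlencode({"code": code, "state": state})

    def token(self, client_id, client_secret, code, redirect_uri):
        """Step 3: authenticate the client, redeem the code once, issue a signed Bearer token."""
        expected_secret = self.clients.get(client_id, ("", ""))[0]
        if not hmac.compare_digest(expected_secret, client_secret):
            raise PermissionError("invalid_client")
        grant = self.codes.pop(code, None)   # pop: a replayed code finds nothing
        if (grant is None or grant["exp"] < time.time() or grant["client_id"] != client_id
                or grant["redirect_uri"] != redirect_uri):
            raise PermissionError("invalid_grant")
        now = int(time.time())
        claims = {"iss": "https://auth.example", "sub": grant["sub"], "aud": API_AUDIENCE,
                  "scope": grant["scope"], "iat": now, "exp": now + 3600}
        header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
        body = b64url(json.dumps(claims).encode())
        sig = hmac.new(self.signing_key, f"{header}.{body}".encode(), hashlib.sha256).digest()
        access_token = f"{header}.{body}.{b64url(sig)}"
        self.issued[access_token] = claims
        return {"access_token": access_token, "token_type": "Bearer", "expires_in": 3600}

    def introspect(self, token):
        """Step 5, option a: the resource server asks us whether the token is still live."""
        claims = self.issued.get(token)
        if claims is None or claims["exp"] < time.time():
            return {"active": False}
        return {"active": True, **claims}

class ResourceServer:   # steps 4-5: holds the protected resource, releases it for a valid token
    def __init__(self, auth_server, signing_key=None):
        self.auth_server = auth_server
        self.signing_key = signing_key   # needed only when validating tokens locally
        self.profiles = {"alice": {"name": "Alice", "email": "alice@example.com"}}

    def validate_locally(self, token):
        """Step 5, option b: verify signature, audience and expiry without a network call."""
        try:
            header, body, sig = token.split(".")
            expected = hmac.new(self.signing_key, f"{header}.{body}".encode(), hashlib.sha256).digest()
            if not hmac.compare_digest(expected, b64url_decode(sig)):
                return {"active": False}
            claims = json.loads(b64url_decode(body))
        except ValueError:   # wrong shape, bad base64 (binascii.Error) or bad JSON
            return {"active": False}
        if claims.get("aud") != API_AUDIENCE or claims.get("exp", 0) < time.time():
            return {"active": False}
        return {"active": True, **claims}

    def get_profile(self, authorization_header, local=False):
        """Step 4: serve GET /profile for a request carrying 'Authorization: Bearer <token>'."""
        scheme, _, token = authorization_header.partition(" ")
        if scheme != "Bearer" or not token:
            return 401, {"error": "invalid_request"}
        info = self.validate_locally(token) if local else self.auth_server.introspect(token)
        if not info["active"]:
            return 401, {"error": "invalid_token"}
        if "profile" not in info["scope"].split():
            return 403, {"error": "insufficient_scope"}
        return 200, self.profiles[info["sub"]]

def run_flow(scope="profile", local_validation=False):
    """Drive steps 1-5 end to end and report what the resource server answered."""
    key = secrets.token_bytes(32)
    auth = AuthorizationServer(key, {"photo-app": ("client-s3cret", "https://photo-app.example/cb")})
    api = ResourceServer(auth, key if local_validation else None)
    state = secrets.token_urlsafe(8)   # step 1: the client starts the request, bound to 'state'
    redirect = auth.authorize("photo-app", "https://photo-app.example/cb", scope, state, user="alice")
    params = parse_qs(urlparse(redirect).query)
    if params["state"][0] != state:   # the client checks state before redeeming the code
        raise RuntimeError("state mismatch: possible CSRF")
    grant = auth.token("photo-app", "client-s3cret", params["code"][0], "https://photo-app.example/cb")
    status, body = api.get_profile(f"Bearer {grant['access_token']}", local=local_validation)
    try:   # the same code must not be redeemable a second time
        auth.token("photo-app", "client-s3cret", params["code"][0], "https://photo-app.example/cb")
        replay_rejected = False
    except PermissionError:
        replay_rejected = True
    return {"status": status, "body": body, "replay_rejected": replay_rejected,
            "token": grant["access_token"], "api": api}
```

`run_flow()` exercises the introspection path and `run_flow(local_validation=True)` the local one; both return 200 with Alice's profile, a second redemption of the same code is refused, a token whose signature has been altered is answered with 401, and a token issued for a different scope gets 403. The `state` check, the exact `redirect_uri` comparison and the single-use code are the three client- and server-side checks that the bare five-step description leaves implicit.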

Now that you know what the OAuth 2.0 system is and how it works, we will go into its technical nuances in other posts. Stay tuned.