Morioh
Login
Barton Greenfelder

Barton Greenfelder

3 years ago

OAuth 2.0 is the industry standard protocol for authorization.

When I read the above sentence on the OAuth 2.0 homepage I felt like this is the kind of knowledge that I should have in order to call myself a software engineer, so I started digging. I remember that I felt a little bit scared that I will have to break through a lot of knowledge that is difficult to learn, but it turned out alright, and I’ve decided to share what I’ve learned!

What you’ll get from this article:

  • How OAuth 2.0 works
  • How an application gets an access token
  • How SPA and web server applications deal with OAuth
  • Types of access token and their validation

Image for post

How OAuth 2.0 works

First of all, if you are like me, the official specifications are not always the best place to get a bigger picture of how OAuth works, as almost immediately you may overwhelmed by the amount of information (because it’s not one specification but a lot of them). To understand how OAuth works, let’s ask questions.

What problem does OAuth solve?

Let’s take for example an application where we want to see a user’s daily schedule, assuming that our user has a Google account with some data to get from calendar — but how we can ask the user for this data whilst considering security? That’s the moment where OAuth comes to play, but what is important is: OAuth doesn’t tell the application who you are, it just gives the application access to data which it asks for!

How does OAuth solve it?

The simple answer is, by giving an access token which allows your client application to get the data it needs from a resource server. I would like to describe an analogy which helped me a lot to understand this:

Let’s assume you work for a bigger company where you have to use an access card to get in. This card has been given to you on the first day of work with proper permissions by a person which knows that you are a new employee. After that first day you use this card to get into the company and nobody checks your identity anymore, you just put your access card to the reader and the door will open. Furthermore, you cannot open all doors but just this one which allows you to do your everyday job tasks. OAuth is based on this kind of flow.

Conclusions:

  • You are verified on the first day and receive an access card which you can use every day
  • Every reader opens the door for you (if access to this area has been granted to you)
  • The reader doesn’t know _anything _about your identity, the only thing that is important for the reader is if you have a valid access card in your hand.

#security #oauth #token #software-engineering #programming

What every software engineer should know about OAuth 2.0

medium.com

What every software engineer should know about OAuth 2.0

OAuth 2.0 is the industry standard protocol for authorization, i remember that I felt a little bit scared that I will have to break through a lot of knowledge that is difficult to learn, but it turned out alright, and I’ve decided to share what I’ve learned!

1.05 GEEK