With the advent of a large number of web services, it became necessary to provide resources from one service to another. The very first implemented solution was for the user to provide a login and password to service A so that it could receive data from service B. However, this solution has the following number of problems and limitations:
Thus, to solve the problems indicated above, the OAuth specification was proposed, by implementing which it becomes possible for a third-party service to securely obtain limited access to the resources of another.
NoteThe article is of a purely informative nature, and does not pursue the goal of presenting the material on the topic in as much detail as possible - there is documentation for this. It should be mentioned that the article appeared due to the study of this issue by the author himself. If you do not know what OAuth is, then below is the material that I tried to summarize and present in an accessible form.
There are two versions of the specification: OAuth 1.0 and OAuth 2.0 , which, by the way, are backward incompatible. The first version was published in 2007, and is a document with recommendations for delegating resources to a third-party service without disclosing the username and password, while the second version (2012) is already an Internet standard, takes into account the shortcomings of the first version, and expands possible scenarios usage (selective access to resources, 4 types of authorization, use of native applications, refresh token, etc.). When they talk about OAuth, they usually mean the second version, since it is most often used, and we will talk about it in more detail below.
The OAuth 2.0 specification distinguishes the following roles:
Let’s consider the work of OAuth from the point of view of the Client as with the most frequent use case for developers, and the details of the implementation of the Authorization Server are already documented.
#статьи #api #golang