A Quick Glance at OAuth 2.0

Have you ever wonder how could we able to sign in to some applications using our Facebook or Twitter or Google+ account?

These all miracles happen after the introduction of OAuth 2.0 framework. I got chance to know the underlying things of OAuth 2.o when I started working as an Intern at WSO2 Identity and Access Management team.

Now, Are you all interested in knowing what is OAuth 2.0 and How does that function?

What is OAuth 2.0?

In simple words, we can tell OAuth allows third party application to use some of your protected resources on a resource server without giving your user name and password to the third party. From this we could able to protect our credentials in a highly secured manner.

Think, I have accounts in 10 websites like Medium, blogger,….. and so on and how it will be difficult for me to remember all these passwords !How terrible this one .. But OAuth 2.0 simplifies our task. As I already told, there is no need to create accounts in each websites separately. We can use some of our accounts like Facebook or Twitter or other Identity providers and login to other websites. Now you don’t need to remember passwords of all those sites. But before 7 years this is not the case.You have to remember all of your passwords.

Do you want to know how does OAuth function?

First understand some keywords related to OAuth.

• resource owner -An entity capable of granting access to a protected resource. It can be a person. (eg. end-user)
• client/service provider -An application making protected resource requests on behalf of the resource owner and with its authorization. (eg- a third party app)
• resource server -The server hosting the protected resources (eg- Facebook, Twitter, google+)
• authorization sever -The server authenticating the resource owner and obtaining authorization (eg- Facebook, Twitter, Google, Identity server of WSO2)

So in this flow, four parties involve.

• In some instances, both authorization server and resource server can be same.

source: slideshare

This is a basic flow of OAuth 2.0 and we will try to understand how this function using an example scenario.

Do you know what exactly happens when you are sharing a youtube video on Facebook? Have you ever thought that it is secured or not?

Due to the introduction of OAuth 2.0, all these stuffs become secured. Your Facebook credentials will not be shared by FaceBook to third party apps.

Now we will see what exactly happens.

• You watch a video on YouTube and you want to share that on your Facebook wall. Here,You are the resource owner, YouTube is the client/service provider , Facebook is the resource server and authorization sever.
• To get the services from those social-medias, initially Youtube should register itself in the Facebook and receive its client-id and client-secret from authorization server. when they register, they should give some client properties such as ,

callback-url/redirection endpoint- used by the authorization server to return responses containing authorization credentials to the client via
the resource owner user-agent (see OAuth 2.0 Authorization specification section 3).

other information required by authorization server (e.g., application name, website, description, logo image, the
acceptance of legal terms).

After client registration,clients will be issued with client credentials used for authenticating with the authorization server.

client-id- The authorization server issues the registered client a client
identifier — a unique string representing the registration
information provided to the client (see OAuth 2.0 Authorization specification section 2.2).

client-secret- password ( OAuth 2.0 Authorization specification section 2.3.1).

• When you are clicking share button, you will get a list of social medias. They are the resource servers as well as authorization server.

1. You want to share that on Facebook. So YouTube needs your credentials to access your Facebook account. Will you give your password to YouTube? Sometimes they may save your credentials! It is not secured to give to a third party. Before some years, this was the situation. You need to give your password to a third party. But OAuth solved those security issues. when you click Facebook button, client will send its client-id, scope (the type of access eg. read-only, write-only), authorization URL (URL to authorize the resource owner) and callback-URL (After authorizing the end-user by authorization server, server should redirect to this URL).
2. After Facebook validate the credentials of YouTube, Facebook needs user authentication. You will be redirected to Facebook login page, if you are not logged in. You should login to Facebook and Facebook won’t share your credentials with a third party.Then you will get a consent window , that “ YouTube wants to access your profile. Do you really want to share?” still there is a chance for you to deny YouTube from getting your profile details.
3. If you say Approve, then Facebook (Authorization server) will send a authorization code to YouTube (Client).
4. As client-id is public, any fake app can get YouTube’s client-id and get the authorization code. To ensure security, YouTube should send its client-id, client-secret and authorization code to Facebook again after getting authorization code. As the client-secret is private only to YouTube, others can’t get that.
5. Facebook (Authorization server) will validate and will send a access token to YouTube.
6. After getting access token, YouTube will request Facebook(Resource owner) to post on the user’s Facebook wall by sending the access token in authorization header.
7. Now YouTube can access your Facebook account without knowing your password.

• This access token will automatically expire after some time. If the application needs to access your Facebook account continuously, they can request for refresh token. This has a long expiry time. If you want you can revoke the third-party app from accessing your profile at any time. Now your Facebook account is secured!

Learn, Code! :)