OAuth 2

• Authorization Framework or Open standard for Authorization.
• Delegation protocol, letting someone who controls a resource allow a software application to access that resource on their behalf without impersonating them.
• OAuth enables clients ( third party applications ) to have scoped access to protected resource on resource owner’s behalf without knowing or storing resource owner’s (end-user’s) credentials.
• Let one app access your data in another app without giving your password.

Authentication vs Authorization

• Authentication : Process of validating that users are whom they claim to be.
• Authorization : Process of giving the user permission to access a specific resource or function.

Actors

• Resource Owner
• Client (Application)
• Resource Server
• Authorization Server

Token Type

• Access Token
  • Uses to access the Resource Server.
  • Meant to be short-lived
• Refresh Token
  • Use for get a new access token

Token Format

• JWT, https://github.com/MacKittipat/note-developer/wiki/JWT

OAuth Flow

• Authorization Code Flow

  • Example, Server-side web app.
  • https://www.oauth.com/oauth2-servers/access-tokens/authorization-code-request/
  • https://developer.okta.com/blog/2018/04/10/oauth-authorization-code-grant-type
  • https://auth0.com/docs/get-started/authentication-and-authorization-flow/authorization-code-flow
  • https://www.youtube.com/watch?v=rTzlF-U9Y6Y

• Authorization Code Flow + PKCE (Proof Key for Code Exchange, Pixy)

  • Example, Client-side web app, Mobile app.
  • Same as normal Authorization Code Flow but not require Client Secret.
  • Use code_verifier and code_challenge instead of client_secret.
  • https://auth0.com/docs/get-started/authentication-and-authorization-flow/authorization-code-flow-with-proof-key-for-code-exchange-pkce

• Client Credential Flow

  • Example, Server to Server.
  • Client is also the Resource Owner. No end-user authorization is needed.
  • Client holds the Client ID and Client Secret and uses them to get an Access Token from the Authorization Server.
  • https://www.oauth.com/oauth2-servers/access-tokens/client-credentials/
  • https://auth0.com/docs/get-started/authentication-and-authorization-flow/client-credentials-flow

• Implicit Flow (Legacy)

  • Example, Single Page Application.
  • Cannot store Client Secret.
  • Similar to Authorization Code Flow but Access Token is returned immediately without an extra authorization code exchange step.
    • App redirect to Authorization server for user to login. If login success then return token back to App in the URL
    • Since the implicit flow returns tokens directly in browser URLs, it is no longer recommended as a best practice.
  • https://www.oauth.com/oauth2-servers/single-page-apps/#implicit

• Resource Owner Password Flow (Legacy)

  • Example, Trusted clients, Desktop application.
  • Resource Owner enter credential into Client and it will be sent to Authorization server to get the token.
  • https://www.oauth.com/oauth2-servers/access-tokens/password-grant/

Reference

• https://connect2id.com/learn/oauth-2
• https://developer.okta.com/blog/2017/06/21/what-the-heck-is-oauth
• https://auth0.com/docs/authorization/which-oauth-2-0-flow-should-i-use
• https://alexbilbie.com/guide-to-oauth-2-grants/
• https://medium.com/@darutk/diagrams-and-movies-of-all-the-oauth-2-0-flows-194f3c3ade85
• https://aaronparecki.com/oauth-2-simplified/#web-server-apps
• https://medium.com/javarevisited/oauth-2-0-basics-b732e857cb25

Sample implementation

• https://github.com/MacKittipat/mac-boot-oauth2