An Introduction to OAuth 2.0
OAuth 2.0 is an open standard for authorization, published as RFC 6749 and RFC 6750 in October 2012.
OAuth 2.0 enables a third-party application (client) to obtain limited access (via an access token) to an HTTP service (resource), either on behalf of an end-user (resource owner) or by allowing the application to obtain access on its own behalf. This specification replaces and obsoletes the OAuth 1.0 protocol.
Roles
OAuth defines four roles:
- resource owner (e.g. the end-user)
- resource server (the server hosting the protected resources, capable of accepting and responding to protected resource requests using access tokens)
- client (the application making protected resource requests on behalf of the resource owner)
- authorization server (the server issuing access tokens to the client after successfully authenticating the resource owner and obtaining authorization)
Obtaining Authorization
To request an access token, the client obtains authorization from the resource owner. The authorization is expressed in the form of an authorization grant, which the client uses to request the access token.
OAuth defines four grant types (plus an extension mechanism for defining additional grant types):
- authorization code
- resource owner password credentials
- client credentials
- implicit
The authorization code grant is the most widely used type, covering apps running on a web server as well as browser-based and mobile apps. For other use cases, a decision tree on which flow to use can help choose the right grant.
The authorization code grant type is used to obtain both access tokens and refresh tokens and is optimized for confidential clients. Since this is a redirection-based flow, the client must be capable of interacting with the resource owner’s user-agent (typically a web browser) and capable of receiving incoming requests (via redirection) from the authorization server.
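The three legs of the authorization code grant (RFC 6749, section 4.1) assembled offline as an added example; this is not code from the original article. The endpoint URLs, client_id, client_secret and redirect URI are made-up placeholders, and the redirect-capable client described above is modelled by the `state` check that binds the callback to the session that started the flow.

```python
# Added example (not from the original article): the authorization code grant
# of RFC 6749, section 4.1. All endpoints and credentials are placeholders.
import base64
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

AUTHZ_ENDPOINT = "https://auth.example/authorize"   # constructed placeholder
TOKEN_ENDPOINT = "https://auth.example/token"       # constructed placeholder
CLIENT_ID = "demo-client"                           # constructed placeholder
CLIENT_SECRET = "demo-secret"                       # constructed placeholder
REDIRECT_URI = "https://app.example/cb"             # constructed placeholder

def build_authorization_request(scope, state=None):
    """Step 4.1.1: the client redirects the user-agent to this URL. 'state'
    ties the later callback to this session so a forged callback is rejected."""
    state = state or secrets.token_urlsafe(32)
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,
    }
    return AUTHZ_ENDPOINT + "?" + urlencode(params), state

def parse_callback(callback_url, expected_state):
    """Step 4.1.2: the authorization server redirects back with 'code' and
    'state' (or 'error'). The code is returned only when state matches."""
    qs = parse_qs(urlparse(callback_url).query)
    if "error" in qs:
        raise ValueError("authorization failed: " + qs["error"][0])
    state = qs.get("state", [None])[0]
    if state is None or not secrets.compare_digest(state, expected_state):
        raise ValueError("state mismatch: discard this callback")
    return qs["code"][0]

def build_token_request(code):
    """Step 4.1.3: the confidential client exchanges the code for tokens in a
    server-to-server POST, authenticating with HTTP Basic (section 2.3.1).
    redirect_uri must repeat the value sent in step 4.1.1."""
    creds = base64.b64encode(f"{CLIENT_ID}:{CLIENT_SECRET}".encode()).decode()
    body = {"grant_type": "authorization_code", "code": code,
            "redirect_uri": REDIRECT_URI}
    return {"method": "POST", "url": TOKEN_ENDPOINT,
            "headers": {"Authorization": "Basic " + creds,
                        "Content-Type": "application/x-www-form-urlencoded"},
            "body": urlencode(body)}
```

The returned request dict is what the client would send with any HTTP library; the access token and refresh token come back in the JSON response body.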
OpenID Connect
OAuth 2.0 describes patterns for granting authorization but does not define how to actually perform authentication. One interesting and useful extension of OAuth 2.0 is the OpenID Connect protocol.
OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 protocol. It allows clients to verify the identity of the end-user based on the authentication performed by an authorization server, as well as to obtain basic profile information about the end-user in an interoperable and REST-like manner.