OAuth 2.0 Part 1
OAuth 2.0 stands for "Open Authorization 2.0".
OAuth 2.0 is an authorization protocol and NOT an authentication protocol.
It is designed primarily as a means of granting access to a set of resources, for example remote APIs or user data.
OAuth 2.0 uses Access Tokens.
An Access Token is a piece of data that represents the authorization to access resources on behalf of the end-user.
OAuth 2.0 doesn't define a specific format for Access Tokens.
However, in some contexts the JSON Web Token (JWT) format is often used. This enables token issuers to include data in the token itself. Also, for security reasons, Access Tokens may have an expiration date.
A Refresh Token is used to obtain a new access token when the current one expires. Refresh tokens are optional, which means an authorization server may or may not issue one.
There are 4 roles in OAuth 2.0.
Resource Owner: The user or entity that owns the resource (e.g., their data or account).
Resource Server: The server hosting the resource (e.g., an API that serves user data).
Client Application: The application requesting access to the resource on behalf of the user.
Authorization Server: The server that authenticates the resource owner and issues access tokens to the client.
How does OAuth 2.0 work?
The application requests authorization from the user to access service resources.
If the user authorizes the request, the application receives an authorization grant.
The application then requests an access token from the authorization server (API) by presenting its own identity for authentication along with the authorization grant.
If the application’s identity is authenticated and the authorization grant is valid, the authorization server (API) issues an access token to the application, completing the authorization process.
The application requests the resource from the resource server (API) and presents the access token for authentication.
If the access token is valid, the resource server (API) provides the resource to the application.