What is OAuth?
Simply, OAuth is a framework for delegated authorization.
OAuth has 4 main roles.
· Resource Owner (User)
· Client Application (3rd party)
· Resource Server
· Authorization Server
OAuth describes five grants for acquiring an access token.
· Authorization code grant
· Implicit grant
· Resource owner credentials grant
· Client credentials grant
· Refresh token grant
We'll be focusing on Authorization code grant!
Scenario
John (Resource Owner / User) has an account on Facebook but
not on ikman.lk. John wants to access ikman.lk, but it requires users to log
in or create a new account. Rather than creating a new account, John can
use his existing Facebook account to log in to ikman.lk by clicking the Login
with Facebook button. If the user clicks it, ikman.lk needs John's details,
such as email and phone number, since John has no account on
ikman.lk and ikman.lk has no idea who John is. Therefore ikman.lk gets the
required information from John's Facebook account.
Simply, ikman.lk accesses John's resources on Facebook
on behalf of the user, which is exactly what OAuth, the framework
for delegated authorization, provides.
How does it work?
2. The client requests John's email and phone number from Facebook's Authorization Server.
3. The Authorization Server asks the user whether to grant the 3rd party client app ikman.lk permission to access the user's resources (user consent page).
4. If the user grants permission to access the resources, the client app is provided with an Authorization Code.
5. The client app cannot get resources using the authorization code it received. It is only a proof that the user has granted permission. The client has to present the received authorization code to the Authorization Server to get an Access Token.
6. The Authorization Server issues an access token that carries Scopes and a validity period. Optionally, some authorization servers also issue a refresh token, which lets the client obtain a new access token without user interaction after the access token expires.
7. The client requests the user's resources (email and phone number) by presenting the access token.
8. The Resource Server validates the access token by passing it to the Authorization Server. In this case the Authorization Server checks the validity of the access token by:
· the validity period (expired or not);
· checking whether the token was issued to a different user;
· checking which resources are permitted (the client app can request only the email and phone number in this case).
The request is denied if any of the above checks fails.
9. The Authorization Server informs the Resource Server whether the access token is valid.
10. The Resource Server provides the resource to the client application.
Important points to consider!
For this to work, ikman.lk must be registered with and approved by Facebook's Authorization Server before deployment, in order to get:
· A Client ID for ikman.lk
· A Client Secret for ikman.lk (must be protected and never disclosed)
· Scopes (indicate which resources can be requested from users)
· A Redirect URI (the callback entry point of the app, i.e. the URI to which Facebook sends the authorization code), which is simply the URI of the Redirection Endpoint (refer to step 4 on the diagram)
These are what the client provides to the authorization server to obtain an Authorization Code (refer to step 2 on the diagram).
Endpoints
· Authorization Endpoint
The authorization endpoint is the endpoint on the authorization server where the resource owner logs in and grants authorization to the client application.
· Token Endpoint
The token endpoint is the endpoint on the authorization server where the client application exchanges the authorization code, client ID and client secret for an access token.
· Redirect Endpoint
The redirect endpoint is the endpoint in the client application to which the resource owner is redirected after having granted authorization at the authorization endpoint.
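The following is an added example, not code from the original post and not Facebook's or ikman.lk's real API. It simulates the whole authorization code grant described above in one file: the pre-deployment registration (client ID, client secret, scopes, redirect URI), the three endpoints, and the resource server's token validation with the three checks from step 8 (validity period, token bound to one user, permitted resources). The class and function names (AuthorizationServer, ResourceServer, run_flow), the CALLBACK URI and John's profile values are constructed for the example. The code also carries a `state` parameter on the authorization request, which the post does not cover; it is the client's binding from RFC 6749 section 10.12 that lets the redirect endpoint confirm a returned code belongs to the login attempt it started.

```python
"""Simulation of the OAuth 2.0 authorization code grant (added example; all names assumed)."""
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

CALLBACK = "https://ikman.lk/oauth/callback"  # assumed redirect URI, registered up front


class AuthorizationServer:
    """Stands in for Facebook's authorization server (assumed design, not Facebook's real API)."""

    def __init__(self):
        self.clients = {}  # client_id -> {"secret", "redirect_uri", "scopes"}
        self.codes = {}    # authorization code -> grant details, removed on first use
        self.tokens = {}   # access token -> {"client_id", "user", "scope", "expires"}

    def register_client(self, name, redirect_uri, scopes):
        """Pre-deployment registration: issues client ID and secret, records scopes and redirect URI."""
        client_id = f"{name}-{secrets.token_hex(4)}"
        client_secret = secrets.token_urlsafe(32)
        self.clients[client_id] = {"secret": client_secret,
                                   "redirect_uri": redirect_uri, "scopes": set(scopes)}
        return client_id, client_secret

    def authorize(self, client_id, redirect_uri, scope, state, user, consent):
        """Authorization endpoint (steps 2-4): check the request against the registration,
        apply the consent decision, and redirect back with a short-lived single-use code."""
        client = self.clients.get(client_id)
        if client is None or redirect_uri != client["redirect_uri"]:
            raise ValueError("unknown client or unregistered redirect URI")
        if not set(scope.split()) <= client["scopes"]:
            raise ValueError("invalid_scope")
        if not consent:
            return redirect_uri + "?" + urlencode({"error": "access_denied", "state": state})
        code = secrets.token_urlsafe(24)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                            "scope": scope, "user": user, "expires": time.time() + 60}
        return redirect_uri + "?" + urlencode({"code": code, "state": state})

    def token(self, client_id, client_secret, code, redirect_uri):
        """Token endpoint (steps 5-6): the code fetches nothing by itself; it is exchanged,
        together with the client credentials, for an access token with scope and lifetime."""
        client = self.clients.get(client_id)
        if client is None or not secrets.compare_digest(client["secret"], client_secret):
            raise ValueError("invalid_client")
        grant = self.codes.pop(code, None)  # pop makes the code single-use: a replay fails
        if (grant is None or grant["client_id"] != client_id
                or grant["redirect_uri"] != redirect_uri or grant["expires"] < time.time()):
            raise ValueError("invalid_grant")
        access_token = secrets.token_urlsafe(32)
        self.tokens[access_token] = {"client_id": client_id, "user": grant["user"],
                                     "scope": grant["scope"], "expires": time.time() + 3600}
        return {"access_token": access_token, "token_type": "Bearer",
                "expires_in": 3600, "scope": grant["scope"]}

    def introspect(self, access_token, required_scope):
        """Steps 8-9: validity period, token bound to exactly one user/client, and only the
        permitted resources. Returns the token's binding, or None when the request is denied."""
        t = self.tokens.get(access_token)
        if t is None or t["expires"] < time.time():
            return None
        if required_scope not in t["scope"].split():
            return None
        return t


class ResourceServer:
    """Stands in for Facebook's resource server; profiles are constructed sample data."""

    def __init__(self, auth_server, profiles):
        self.auth = auth_server
        self.profiles = profiles

    def get(self, access_token, resource):
        """Steps 7 and 10: release one resource only if the authorization server vouches for the token."""
        info = self.auth.introspect(access_token, resource)
        if info is None:
            return 401, None
        return 200, self.profiles[info["user"]][resource]


def run_flow(scope="email phone", consent=True, replay_code=False):
    """Drive the grant for John and ikman.lk and return what the client ends up holding."""
    facebook = AuthorizationServer()
    resources = ResourceServer(facebook, {"john": {"email": "john@example.com",
                                                   "phone": "+94-00-000-0000"}})
    client_id, client_secret = facebook.register_client("ikman.lk", CALLBACK, ["email", "phone"])
    state = secrets.token_urlsafe(16)  # RFC 6749 section 10.12 binding; not covered in the post
    redirect = facebook.authorize(client_id, CALLBACK, scope, state, "john", consent)
    params = parse_qs(urlparse(redirect).query)  # the redirect endpoint parses the callback
    if params.get("state", [None])[0] != state:
        raise ValueError("state mismatch: response does not belong to this login attempt")
    if "error" in params:
        return {"error": params["error"][0]}
    code = params["code"][0]
    token = facebook.token(client_id, client_secret, code, CALLBACK)
    if replay_code:
        facebook.token(client_id, client_secret, code, CALLBACK)  # second use raises invalid_grant
    status_email, email = resources.get(token["access_token"], "email")
    status_phone, phone = resources.get(token["access_token"], "phone")
    return {"scope": token["scope"], "expires_in": token["expires_in"],
            "email": email if status_email == 200 else None,
            "phone": phone if status_phone == 200 else None}


if __name__ == "__main__":
    print(run_flow())
```

Running `run_flow()` walks steps 2 to 10 and returns John's email and phone; `run_flow(scope="email")` shows the resource server refusing the phone number because the token's scope does not cover it, `run_flow(consent=False)` shows the access_denied redirect from the consent page, and `run_flow(replay_code=True)` shows the token endpoint rejecting a second use of the same authorization code.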