How does OAuth 2.0 work?
What is OAuth 2.0?
It is an authorization framework (RFC 6749), not an authentication protocol: it lets a user grant an application limited access to their data without handing over their password.
The client (a web app, mobile app, etc.) fetches information about a user from a resource server using an access token. The access token is issued by an authorization server after the resource owner, i.e. the user, has signed in there and consented to the access.
Here, there are 4 main players:
- Resource owner: the entity capable of granting access to a protected resource. In our case, it is the end user.
- Resource server: the server hosting the protected resources. It accepts and responds to protected resource requests that carry an access token, which the client obtained after the user consented.
- Client: the application that requests specific resources about the user from the resource server. The user interacts with this application.
- Authorization server: the server that issues access tokens to the client after successfully authenticating the resource owner and obtaining the resource owner's authorization.
OAuth 2.0 Flow
1. The user interacts with the client and requests something that needs a protected resource (signing in with the provider, accessing their photos, etc.). The client redirects the user's browser to the authorization server of the provider that owns that resource, passing the following parameters:
- Client ID: identifies the client, which was registered with the authorization server beforehand
- Callback URL / Redirect URL: the URL, hosted by the client, to which the authorization server sends the browser back once the user has decided. It must exactly match a URL registered for this client ID; otherwise an attacker could substitute their own URL and receive what the redirect carries.
- Scope: the specific information or actions the client wants on the resource server
- State: a random, per-login value that the client checks when the callback arrives, so that a callback forged by an attacker (CSRF) is rejected
2. The user is shown the authorization server's sign-in page for that provider and signs in with their credentials there (the client never sees them), then a consent screen listing the requested scopes, which they approve or deny.
3. On approval, the authorization server redirects the browser to the callback URL. In the authorization code grant, the redirect carries a short-lived, single-use authorization code, which the client exchanges for the access token by a direct (back-channel) request to the authorization server's token endpoint, authenticating with its client secret. In the older implicit grant the access token itself is placed in the redirect, which exposes it to the browser and is no longer recommended.
4. The client can now present the access token to the resource server, which returns only what the scope from step 1 allows. The token stops working in cases such as:
- The token is old and has expired (the token response states its lifetime; if a refresh token was issued, the client can obtain a new access token without sending the user back to the consent screen)
- The user changes their credentials (many providers revoke outstanding tokens when this happens)
- The user or an administrator revokes the client's access to the resource server
5. This is the overall flow of the OAuth 2.0 authorization protocol.
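To make the steps above concrete, here is an added example (not code from the original post) that models all three parties in one Python process: an authorization server with an authorization endpoint and a token endpoint, a resource server that serves a user's photos, and a client web app. It uses the authorization code grant, so the redirect carries a single-use code rather than the access token, and it includes the checks a practitioner expects: exact redirect URI matching, a random state value validated on the callback, client authentication at the token endpoint, single-use codes, and token expiry and revocation. The names (`photo-app`, `https://app.example/callback`, `https://auth.example/authorize`, the scope `photos:read`, the user `alice` and her photos) are made up for the example, and the HTTP transport is replaced by direct function calls.

```python
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

USER_PHOTOS = {"alice": ["beach.jpg", "dog.jpg"]}  # constructed sample resource, not from the post
CODE_TTL, TOKEN_TTL = 60, 3600  # seconds: codes are short-lived, access tokens expire (step 4)


def query_params(url):
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


class AuthorizationServer:  # knows the registered clients; issues single-use codes and bearer tokens
    def __init__(self, clients):
        self.clients, self.codes, self.tokens = clients, {}, {}  # clients: id -> {secret, redirect_uri}

    def authorize(self, params, user, consent):
        """Authorization endpoint (steps 1-3); `user` has already signed in here."""
        client = self.clients.get(params.get("client_id"))
        # Exact-match redirect_uri against the registration before redirecting anywhere.
        if client is None or params.get("redirect_uri") != client["redirect_uri"] or params.get("response_type") != "code":
            raise ValueError("unknown client, unregistered redirect_uri or unsupported response_type")
        if not consent:
            return client["redirect_uri"] + "?" + urlencode({"error": "access_denied", "state": params["state"]})
        code = secrets.token_urlsafe(16)
        self.codes[code] = {"client_id": params["client_id"], "redirect_uri": params["redirect_uri"], "user": user,
                            "scope": params.get("scope", ""), "expires": time.time() + CODE_TTL, "used": False}
        # Only the short-lived code travels back through the browser, never the access token.
        return client["redirect_uri"] + "?" + urlencode({"code": code, "state": params["state"]})

    def token(self, form):
        """Token endpoint (back channel): the client authenticates itself and redeems its code."""
        client = self.clients.get(form.get("client_id"))
        if client is None or client["secret"] != form.get("client_secret"):
            return {"error": "invalid_client"}
        grant = self.codes.get(form.get("code"))
        if (form.get("grant_type") != "authorization_code" or grant is None or grant["used"]
                or grant["expires"] < time.time() or grant["client_id"] != form["client_id"]
                or grant["redirect_uri"] != form.get("redirect_uri")):
            return {"error": "invalid_grant"}
        grant["used"] = True  # a code is single use, so a replayed code must fail
        token = secrets.token_urlsafe(24)
        self.tokens[token] = {"client_id": form["client_id"], "user": grant["user"],
                              "scope": set(grant["scope"].split()), "expires": time.time() + TOKEN_TTL}
        return {"access_token": token, "token_type": "Bearer", "expires_in": TOKEN_TTL, "scope": grant["scope"]}

    def revoke_client(self, client_id):
        # The user withdraws the client's access (step 4): every token the client holds dies.
        self.tokens = {t: v for t, v in self.tokens.items() if v["client_id"] != client_id}


def resource_server_get_photos(auth_server, authorization_header):
    """Resource server: checks the bearer token's validity and scope before serving the photos."""
    scheme, _, token = authorization_header.partition(" ")
    info = auth_server.tokens.get(token) if scheme == "Bearer" else None
    if info is None or info["expires"] < time.time():
        return 401, {"error": "invalid_token"}
    if "photos:read" not in info["scope"]:
        return 403, {"error": "insufficient_scope"}
    return 200, {"photos": USER_PHOTOS.get(info["user"], [])}


class Client:  # the web app: starts the flow, validates the callback, then calls the resource server
    def __init__(self, auth_server, client_id, secret, redirect_uri):
        self.auth, self.client_id, self.secret, self.redirect_uri = auth_server, client_id, secret, redirect_uri
        self.pending_states, self.access_token = set(), None

    def start_login(self, scope="photos:read"):
        state = secrets.token_urlsafe(16)  # ties the callback to this login attempt (CSRF guard)
        self.pending_states.add(state)
        return "https://auth.example/authorize?" + urlencode({"response_type": "code", "client_id": self.client_id,
                                                              "redirect_uri": self.redirect_uri, "scope": scope, "state": state})

    def handle_callback(self, callback_url):
        q = query_params(callback_url)
        if q.get("state") not in self.pending_states:
            raise ValueError("state mismatch: callback is not bound to a login we started")
        self.pending_states.discard(q["state"])
        if "error" in q:
            return {"error": q["error"]}
        resp = self.auth.token({"grant_type": "authorization_code", "code": q["code"], "redirect_uri": self.redirect_uri,
                                "client_id": self.client_id, "client_secret": self.secret})
        self.access_token = resp.get("access_token")
        return resp

    def fetch_photos(self):
        return resource_server_get_photos(self.auth, "Bearer %s" % self.access_token)


def run_flow(consent=True):
    auth = AuthorizationServer({"photo-app": {"secret": "s3cret", "redirect_uri": "https://app.example/callback"}})
    client = Client(auth, "photo-app", "s3cret", "https://app.example/callback")
    login_url = client.start_login()                                          # step 1
    callback_url = auth.authorize(query_params(login_url), "alice", consent)  # steps 2-3
    token_resp = client.handle_callback(callback_url)                         # step 3, back channel
    return {"auth": auth, "client": client, "callback_url": callback_url,
            "token": token_resp, "photos": client.fetch_photos()}             # step 4
```

`run_flow()` walks the successful path and returns the callback URL (which contains a `code` and `state` but no token), the token response and the photo response. `run_flow(consent=False)` shows the `access_denied` redirect, and calling `revoke_client` or editing a token's `expires` reproduces the other two ways a token stops working in step 4. A real deployment would add PKCE for public clients and TLS on every leg; the checks shown here are the ones the flow itself depends on.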
I hope you find this post useful. Please leave your feedback.
Thank you.