Member-only story
Do you know about OAuth2 Protocol and its different flows?
Hello everyone. In this article, we are going to see about the OAuth2 protocol, the terminologies, and the different flows of OAuth2. Toward the end of this article, we will be looking at using OAuth2 along with the OIDC framework for Authentication.
Please read the below article if you want to understand the Single-Sign-on and differences between SAML, OAuth2, and OIDC
What is OAuth2?
OAuth2 (Open Authorization) is an Authorization Protocol that allows a website or an application to access resources hosted by other web applications on behalf of a user. OAuth2 is now the industry standard and it replaced OAuth 1.0 in 2012. Using OAuth2, we can develop applications to access resources on behalf of users without getting their credentials.
OAuth2 uses Access tokens to access the resources on behalf of users. Even though there is no specific format defined for the tokens used, JWT is the most widely used token mechanism with OAuth2. The Access token contains the authorization information to access the resources on behalf of users
The tokens have scopes to limit the amount of access granted to that token. Let us look at a sample access token as shown below.
{
"scope" : "READ",
"client_id" : "eTtB7w5lvk3DnOZNGReBlvGvIAeAywun",
"access_token" : "ODm47ris5AlEty8TDc1itwYPe5MW",
"token_type" : "Bearer"
}In the token above, the scope for this token is provided as READ to this client_id. If we use this token to call an API endpoint that needs WRITE access, then this API call will fail.
OAuth2 Terminologies
- Resource Owner: The user who authorizes an application to access their account on-behalf. Eg: Allow the Bitbucket application to important users contact from Gmail. The user will mention the access to the application. Eg: The user allows only Read Access for bitbucket to access the user's Google account.
