Introduction To OAuth 2

What is OAuth2?

OAuth 2.0 (Open Authorization 2.0) is an authentication and authorization protocol used by online services and applications to access user data securely.

In simple words: when you open a website or application, you often see buttons such as "Login with Facebook" and "Login with Google". If you click one of them, your login credentials are not shared directly with the third-party service; instead, a temporary access token is generated, which verifies your identity to that service.

In other words, no external service can access user data without the user's consent. The process is user-friendly and maintains security as well. It is used by many popular online platforms, APIs, and applications, such as Google, Facebook, Twitter, etc.

OAuth Flow:

OAuth's flow is what happens when you visit a website for the first time and see a "Login With Google" button: behind the scenes, OAuth is used. When a user clicks "Log in with Google", they are redirected to Google's servers with the client ID and client secret. After the user grants access, a code is generated and sent back to the application's callback URL. Once the code is received, the application requests to exchange it for an access token. This token gives the third-party application secure access to the user's information. The entire process is seamless for the user, while multiple requests occur in the backend.

Now let's look at a simple Google OAuth URL, for example: https://accounts.google.com/o/oauth2/v2/auth

This URL structure is common for various social media platforms using OAuth. The parameters, such as client_id, redirect_uri, response_type, scope, access_type, and state, are part of the OAuth flow.

Client_id: The client_id is obtained by creating an app in the developer's account.
Redirect_uri: The redirect_uri is where the user is returned after granting access.
Response_type: The response_type says what the authorization server should return; with the value code, an authorization code is generated during the process.
Scope: The scope defines the requested permissions.
Access_type: The access_type is optional and determines whether the access is one-time or long-term.
State: The state is an optional but recommended parameter used for security, to prevent attacks such as forged callbacks that were not started by the application.

For more details, read Google's official docs:
https://developers.google.com/identity/protocols/oauth2/web-server#creatingclient
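To make the steps above concrete, here is an added Python example of the client side of the flow; it is not code from the original article or from Google. It builds the authorization URL with the six parameters listed above, checks the state value when the user is redirected back, and prepares the code-for-token exchange. The client_id, client_secret and redirect URI are constructed placeholders, the token endpoint URL is an assumption, and the user's browser is simulated so that the example runs offline. Note that only the client_id is placed in the browser redirect; the client_secret is sent in the back-channel token request.

```python
import secrets
import urllib.parse

# AUTH_ENDPOINT is the Google URL named in the article. The rest are constructed
# placeholders for this example (the token endpoint is assumed, not taken from the page).
AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token"      # assumption
CLIENT_ID = "example-client-id.apps.googleusercontent.com"  # constructed
CLIENT_SECRET = "example-client-secret"                     # constructed
REDIRECT_URI = "https://app.example/oauth/callback"         # constructed


def build_authorization_url(session, scope, access_type="offline"):
    """Step 1: build the redirect to the authorization server.

    Only the client_id goes into this URL, because the user's browser can see it.
    A random state is stored in the user's session so the callback can later be
    tied to this specific request."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    params = {
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "response_type": "code",
        "scope": scope,
        "access_type": access_type,
        "state": state,
    }
    return AUTH_ENDPOINT + "?" + urllib.parse.urlencode(params)


def handle_callback(session, callback_url):
    """Step 2: the authorization server sends the browser back to REDIRECT_URI
    with ?code=...&state=... The callback is rejected unless its state matches
    the one stored in the session, so a callback we did not start is ignored."""
    query = urllib.parse.parse_qs(urllib.parse.urlparse(callback_url).query)
    expected = session.pop("oauth_state", None)
    received = query.get("state", [None])[0]
    if expected is None or received is None or not secrets.compare_digest(expected, received):
        raise ValueError("state mismatch: callback not tied to a request we started")
    if "error" in query:
        raise ValueError("authorization denied: " + query["error"][0])
    if "code" not in query:
        raise ValueError("callback carries no authorization code")
    return query["code"][0]


def build_token_request(code):
    """Step 3: exchange the code for an access token, server to server.
    This is the only place the client_secret is used; it travels in the POST
    body over TLS, never through the user's browser."""
    body = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
    }
    return TOKEN_ENDPOINT, urllib.parse.urlencode(body)


def run_flow_offline():
    """Walk the three steps without network access, simulating the browser."""
    session = {}
    url = build_authorization_url(session, "openid email")
    state = session["oauth_state"]
    # Simulated redirect back from the authorization server (constructed code value).
    callback = REDIRECT_URI + "?" + urllib.parse.urlencode(
        {"code": "4/constructed-code", "state": state})
    code = handle_callback(session, callback)
    endpoint, body = build_token_request(code)
    return url, code, endpoint, body


if __name__ == "__main__":
    for item in run_flow_offline():
        print(item)
```

The session dictionary stands in for whatever server-side session store the application uses; the important property is that the state value is generated per request and checked once, then discarded.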

OAuth 2 Rules

Understanding OAuth can be easier if you focus on a few basic principles.

This means that when you log into an application and it tells you it wants to access another service on your behalf, it gives you a choice before sharing your data. You have to decide whether to allow access or not. If you agree, the application gets limited access, which is temporary and used for specific tasks.

Access Token:

When you grant access to an application, a temporary access token is issued. The access token identifies your account and gives the application limited access, allowing it to perform certain tasks. After granting access, you can remove it again from your Google Account settings. (In simple words, an access token is created so that the user's data can be accessed in a secure way.)

Client:

A "Client" is a software application that wishes to access user data. Under the OAuth 2.0 protocol, the application asks the user for permission and, if the user grants it, a temporary access token is issued. This token allows the client to access the user's data without exposing the user's real credentials. In this way, the user's privacy and security are maintained, and the client is authorized only for specific tasks.

Resource Owner:

The resource owner is the individual whose personal information is being protected; their consent is therefore required before their data is shared.

OAuth2 Flow

Authorization Server:

This is the server that authenticates the user and issues the access token.

Resource Server:

This server is where all your data is stored. The access token presented to it tells the server what level of access the client (application) has been granted.
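As an added illustration (not code from the original article), the following Python sketch shows what a resource server does with the access token it receives: it pulls the bearer token from the Authorization header, checks that the token is known and not expired, and then checks that the scope granted to the token covers the operation requested. The token records and scope names are constructed sample data standing in for the authorization server's records.

```python
import hmac
import time

# Constructed token store standing in for the authorization server's records:
# token value -> account, granted scopes, expiry as a Unix timestamp.
TOKENS = {
    "tok-read-only": {"user": "alice", "scope": {"calendar.readonly"},
                      "expires_at": 4102444800},   # far in the future
    "tok-expired":   {"user": "bob", "scope": {"calendar.readonly", "calendar"},
                      "expires_at": 946684800},    # long past
}


def bearer_token(headers):
    """Return the token from 'Authorization: Bearer <token>', or None if absent."""
    value = headers.get("Authorization", "")
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "bearer" or not token:
        return None
    return token


def authorize(headers, required_scope, now=None):
    """Decide whether a request may perform an operation needing required_scope.

    Returns (allowed, reason, user). Access is allowed only when the token is
    known, has not expired, and carries the scope the operation needs; the
    token, not the user's password, is what the resource server sees."""
    now = time.time() if now is None else now
    token = bearer_token(headers)
    if token is None:
        return False, "missing bearer token", None
    record = None
    # Compare against every stored token in constant time so that timing does
    # not reveal how many leading characters of a guess were right.
    for stored, rec in TOKENS.items():
        if hmac.compare_digest(stored.encode(), token.encode()):
            record = rec
    if record is None:
        return False, "unknown token", None
    if now >= record["expires_at"]:
        return False, "token expired", None
    if required_scope not in record["scope"]:
        return False, "insufficient scope", record["user"]
    return True, "ok", record["user"]


if __name__ == "__main__":
    print(authorize({"Authorization": "Bearer tok-read-only"}, "calendar.readonly"))
    print(authorize({"Authorization": "Bearer tok-read-only"}, "calendar"))
```

A real resource server would look the token up through the authorization server (by introspection or by validating a signed token) rather than in a local dictionary, but the three checks, known token, not expired, scope covers the operation, are the same.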

Redirect URI:

When you complete verification, you are returned to the application at this address. The Redirect URI must point back to the original application you were using.

What is the difference between OAuth 1.0 and OAuth 2.0?

The main differences between OAuth 1.0 and OAuth 2.0 are as follows:

Authentication: OAuth 1.0 requires the client application to sign each request using cryptographic signatures, which adds complexity to the implementation. OAuth 2.0, on the other hand, simplifies the protocol by using SSL/TLS for secure communication and relying on access tokens for authorization.

Roles: OAuth 1.0 has a consumer, a service provider, and a user, and it does not explicitly separate the roles of resource server and authorization server. OAuth 2.0, on the other hand, has a client, an authorization server, a resource server, and a resource owner.

Security: OAuth 1.0 is based on digital signatures, which are used to prove the integrity and authenticity of a message. Digital signatures can ensure that a certain message was sent from a specific source and that the message and signature were not tampered with in any way. A signed message is tied to its origin: it cannot be tampered with or copied to another source, but client-side implementations can be especially complex. OAuth 2.0 is much more flexible and easier to implement than OAuth 1.0, but it contains many compromises at the security level.

Scope: OAuth 2.0 is designed to provide specific authorization flows for web applications, desktop applications, mobile phones, and living room devices, while focusing on simplicity for client developers. OAuth 1.0, on the other hand, was designed for web applications only.
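To show the signing work that OAuth 1.0 puts on every request (the complexity the Authentication and Security points above refer to), here is an added Python implementation of the HMAC-SHA1 signature from RFC 5849: the signature base string, the key derived from the two secrets, and the server-side verification. It is not code from the original article. The request, keys and secrets are the sample values from Appendix A of the OAuth Core 1.0 specification, used here so the result can be checked against a known answer.

```python
import base64
import hashlib
import hmac
import urllib.parse

# Sample request from Appendix A of the OAuth Core 1.0 specification (constructed
# test data; these are not live credentials).
SAMPLE_URL = "http://photos.example.net/photos?file=vacation.jpg&size=original"
SAMPLE_OAUTH = {
    "oauth_consumer_key": "dpf43f3p2l4k3l03",
    "oauth_token": "nnch734d00sl2jdk",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1191242096",
    "oauth_nonce": "kllo9940pd9333jh",
    "oauth_version": "1.0",
}
CONSUMER_SECRET = "kd94hf93k423kf44"
TOKEN_SECRET = "pfkkdhi9sl3r4s00"


def pct(value):
    """RFC 5849 section 3.6: percent-encode everything except unreserved characters."""
    return urllib.parse.quote(str(value), safe="-._~")


def signature_base_string(method, url, oauth_params):
    """RFC 5849 section 3.4.1: METHOD & enc(base URL) & enc(normalized parameters).

    Query-string parameters are signed together with the oauth_* parameters, so
    changing any of them changes the signature. oauth_signature itself is excluded."""
    parts = urllib.parse.urlsplit(url)
    base_url = f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path}"
    all_params = list(urllib.parse.parse_qsl(parts.query, keep_blank_values=True))
    all_params += [(k, v) for k, v in oauth_params.items() if k != "oauth_signature"]
    encoded = sorted((pct(k), pct(v)) for k, v in all_params)   # sort by name, then value
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct(base_url), pct(normalized)])


def sign_hmac_sha1(base_string, consumer_secret, token_secret=""):
    """Key is enc(consumer secret) & enc(token secret); output is base64 of the HMAC."""
    key = (pct(consumer_secret) + "&" + pct(token_secret)).encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def sign_request(method, url, oauth_params, consumer_secret, token_secret=""):
    base = signature_base_string(method, url, oauth_params)
    return base, sign_hmac_sha1(base, consumer_secret, token_secret)


def verify(method, url, oauth_params, consumer_secret, token_secret=""):
    """Server side: recompute the signature and compare in constant time."""
    presented = oauth_params.get("oauth_signature", "")
    _, expected = sign_request(method, url, oauth_params, consumer_secret, token_secret)
    return hmac.compare_digest(presented, expected)


def demo():
    """Sign the sample request, verify it, then verify a tampered copy."""
    base, sig = sign_request("GET", SAMPLE_URL, SAMPLE_OAUTH, CONSUMER_SECRET, TOKEN_SECRET)
    signed = dict(SAMPLE_OAUTH, oauth_signature=sig)
    ok = verify("GET", SAMPLE_URL, signed, CONSUMER_SECRET, TOKEN_SECRET)
    # Changing a signed parameter (here the size in the query string) breaks the signature.
    tampered = verify("GET", SAMPLE_URL.replace("original", "thumbnail"), signed,
                      CONSUMER_SECRET, TOKEN_SECRET)
    return base, sig, ok, tampered


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Every parameter of every request has to be collected, encoded and sorted exactly this way on both sides, and the timestamp and nonce must also be checked for replay; that per-request work is what OAuth 2.0 removes by sending a bearer token over TLS instead.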

OAuth Full Form

OAuth stands for Open Authorization. It is an open standard protocol that allows unrelated servers and services to safely grant authenticated access to their assets without sharing the initial, related, single logon credential. In other words, it enables users to grant third-party applications access to their information on other websites without giving them their passwords.
