What is OAuth 2.0 and how does it work?
Open Authorization (known as OAuth 2.0) has become the authorization protocol of choice on many websites and applications. You have probably used OAuth 2.0 without even realizing it. For instance, when you give a website permission to access your Facebook information by logging in with Facebook, you’re using open authorization. This protocol is useful because it allows you to share a limited amount of information with the third-party site, rather than giving it full control over your account by handing over your login credentials.
Authentication (Single-sign-on) vs Authorization (OAuth 2.0)
A common misconception about OAuth 2.0 is that this process also verifies the user’s identity, otherwise known as authentication. As a result, OAuth often gets confused with single-sign-on (SSO) authentication. While the two processes are very similar and even share some basic characteristics, they have one key distinction: SSO authenticates users whereas OAuth 2.0 authorizes users.
To better understand the difference, let’s see what authentication and authorization mean:
- Authentication is the process of verifying a user’s identity. When users enter their username and password (or use passwordless credentials), the website uses this information to confirm that the person is the intended user by comparing it against a secure database of user credentials.
- Authorization takes place after a user has been authenticated. This is when the system checks to see what permissions the user has. A user’s permissions dictate what the person sees and what actions they can take on the website once you’ve confirmed that they are who they say they are.
In other words, authentication asks the user, “who are you?” while authorization asks, “what are you allowed to do?” Thus, there is no authorization without authentication. However, authentication alone is not enough to secure accounts and grant specific permissions, so the two processes work hand in hand.
What is OAuth 2.0 exactly?
OAuth 2.0, which stands for “Open Authorization”, is a standard designed to allow a website or application to access resources hosted by other web apps on behalf of a user. OAuth 2.0 is an open standard for access delegation, commonly used as a way for Internet users to grant websites or applications access to their information on other websites without giving them the passwords. It is an open-standard authorization protocol or framework that gives applications “secure designated access.” This mechanism is used by companies such as Amazon, Google, Facebook, Microsoft and Twitter to let users share information about their accounts with third-party applications or websites.
Facebook apps are a good OAuth 2.0 use case example. Say you’re using an app on Facebook, and it asks you to share your profile and pictures. Facebook is, in this case, the service provider: it has your login data and your pictures. The app is the consumer, and as the user, you want to use the app to do something with your pictures. You specifically gave this app access to your pictures, which OAuth 2.0 is managing in the background. For example, you can tell Facebook that it’s OK for ESPN to access your profile or post updates to your timeline without having to give ESPN your Facebook password. This minimizes risk in a major way: In the event ESPN suffers a breach, your Facebook password remains safe.
Smart home devices are another good example. A fridge, thermostat, security system, etc. use login data to sync with each other and let you administer them from a client device. These devices use what OAuth 2.0 calls confidential authorization: they hold onto the secret key information, so you don’t have to log in over and over again.
The common analogy we have seen used while researching OAuth 2.0 is the valet key to your car. The valet key allows the valet to start and move the car but doesn’t give them access to the trunk or the glove box.
OAuth 2.0 Roles
OAuth 2.0 defines the following roles:
- Resource Owner: Entity that can grant access to a protected resource. Typically, this is the end-user.
- Resource Server: Server hosting the protected resources. This is the API you want to access.
- Client: Application requesting access to a protected resource on behalf of the Resource Owner.
- Authorization Server: Server that authenticates the Resource Owner and issues access tokens after getting proper authorization. In this case, VYou.
How does it work? Examples
The most common example of OAuth 2.0 is when you go to log on to a website and it offers one or more options to log on with another website’s or service’s account. You click the button for the other website, that website authenticates you, and the website you were originally connecting to then logs you on itself using the permission it obtained from the second website.
You can think of this like hotel key cards, but for apps. If you have a hotel key card, you can get access to your room. How do you get a hotel key card? You have to do an authentication process at the front desk to get it. After authenticating and obtaining the key card, you can access resources across the hotel.
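As an added example (not code from the original post or from VYou), here is a constructed, in-process sketch of how the four roles above cooperate in the flow just described: the Resource Owner consents at the Authorization Server, the Client exchanges a one-time code plus its own secret for an access token, and the Resource Server honours that token only for the scope that was granted. The client id, secret, redirect URI and Alice's pictures are all invented for the demo.

```python
import secrets
import time

# Constructed in-process model of the OAuth 2.0 roles; every name, secret and
# URL below is invented for the demo (real deployments use HTTPS endpoints).
class AuthorizationServer:
    def __init__(self):
        # Registered Client; the secret is only ever used on the back channel.
        self.clients = {"photo-app": {"secret": "s3cret", "redirect_uri": "https://photo.example/cb"}}
        self.codes, self.tokens = {}, {}

    def authorize(self, client_id, redirect_uri, scope, owner, consent=True):
        """Front channel: the Resource Owner logs in and consents; the Client gets only a short-lived code."""
        client = self.clients.get(client_id)
        if client is None or client["redirect_uri"] != redirect_uri:
            raise PermissionError("invalid_request")  # never send a code to an unregistered URI
        if not consent:
            raise PermissionError("access_denied")
        code = secrets.token_urlsafe(16)
        self.codes[code] = {"client_id": client_id, "scope": scope, "owner": owner, "exp": time.time() + 60}
        return code

    def token(self, client_id, client_secret, code):
        """Back channel: the Client proves its identity and swaps the one-time code for an access token."""
        client = self.clients.get(client_id)
        grant = self.codes.pop(code, None)  # the code is consumed even if the exchange fails
        if client is None or client["secret"] != client_secret:
            raise PermissionError("invalid_client")
        if grant is None or grant["client_id"] != client_id or grant["exp"] < time.time():
            raise PermissionError("invalid_grant")
        token = secrets.token_urlsafe(24)
        self.tokens[token] = {"owner": grant["owner"], "scope": set(grant["scope"].split())}
        return token

PICTURES = {"alice": ["beach.jpg", "cat.jpg"]}  # constructed data held by the Resource Server

def resource_server_get_pictures(auth_server, token):
    """Resource Server: accept the token only if it carries the scope this API requires."""
    info = auth_server.tokens.get(token)
    if info is None or "pictures:read" not in info["scope"]:
        raise PermissionError("insufficient_scope")  # the valet key does not open the trunk
    return PICTURES[info["owner"]]

def demo(scope):
    """Run the full flow for one requested scope; raises PermissionError if the token lacks it."""
    auth = AuthorizationServer()
    code = auth.authorize("photo-app", "https://photo.example/cb", scope, owner="alice")
    token = auth.token("photo-app", "s3cret", code)  # Alice's password never reaches the Client
    return resource_server_get_pictures(auth, token)
```

Requesting only the `profile` scope yields a token the pictures API rejects, which is the "limited amount of information" point in practice.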
I hope you found this post useful! And if you need any help with CIAM development, let us know, we have solutions that might speed up time to market and decrease development costs.