Frequently asked OAuth2 Interview Questions (2020)

In this post, we answer common OAuth interview questions for both experienced candidates and freshers. We share what we have learned in the hope that it helps you make progress in your career.

Spring Boot Security Interview Questions:

  1. Spring Security Interview Questions
  2. OAuth2.0 Interview Questions
  3. JWT Interview Questions
  4. SAML Interview Questions

Q: What is OAuth?
Ans:

OAuth (Open Authorization) is an open standard for token-based authentication and authorization. OAuth allows third-party services, such as Facebook, to use account information from an end user without exposing the user's password.

Q: What is OAuth 1.0?
Ans:

OAuth 1.0, published in December 2007, addressed delegation with a framework based on digital signatures. It was secure and robust, but it required every client to implement the cryptographic signing and to interoperate with other implementations; although safe, that has been a challenge for many developers. OAuth 2.0 then arrived in October 2012. Note: the OAuth 1.0 specification was obsoleted by OAuth Core 1.0 Revision A on June 24th, 2009 to address a session fixation attack.

Q: What is OAuth 2.0?
Ans:

OAuth 2.0 was released in October 2012 to overcome the problems with OAuth 1.0 described above. The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf.

Q: What is the difference between OAuth 1.0 and OAuth 2.0?
Ans:

OAuth 2.0 is not backwards compatible with OAuth 1.0 or 1.1.

OAuth1.0 vs OAuth2.0

Q: What is OAuth2 grant type?
Ans:

A grant is a credential representing the resource owner's authorization (to access its protected resources), used by the client to obtain an access token.
The specification defines four grant types:

  1. Authorization Code
  2. Implicit
  3. Resource Owner Password Credentials
  4. Client Credentials

Q: What is Resource Owner Password Credentials? How to implement Resource Owner Password Credentials?
Ans:

The Password grant type is a way to exchange a user's username and password for an access token. This requires the client application to collect the user's password itself and send it to the authorization server.

Password Grant Type Flow

The flow shown in the figure above includes the following steps:

  1. The resource owner provides the client application with its username and password.
  2. The Client Application requests an access token from the Authorization Server by passing the credentials received from the resource owner.
  3. The Authorization Server authenticates the client and validates the resource owner's credentials. Once validation is successful and the request is valid, it issues an access token.
  4. The Client sends the received access token to the Resource Server to access the resource endpoint.
  5. The Resource Server validates the access token by calling the Authorization Server.
  6. If the token is valid, the Resource Server returns the requested resource to the Client.

Refer to the Password Grant Type Example for the implementation.

Q: What is Client Credentials Grant Type? How to implement Client Credentials Grant Type?
Ans:

With the Client Credentials grant type, an app sends its own credentials (the Client ID and Client Secret) to Authorization Server to generate an access token. If the credentials are valid, Authorization Server will return an access token to the client app.
Client Credentials grant type flow occurs mainly between a client app and the authorization server. An end user does not participate or contribute in this grant type flow.

To understand the client credentials grant, consider the Trivago app, a hotel aggregator portal that acts as the client application. In order to get data from makemytrip.com, the Trivago server authenticates itself by calling makemytrip's authorization server to obtain an access token, and then uses this token to call the makemytrip resource server and fetch the search result.

Client Credentials Grant Type Flow

The flow shown in the figure above includes the following steps:

  1. The Client Application requests an access token from the Authorization Server by passing its own credentials.
  2. The Authorization Server authenticates the client by validating the client_id and client_secret. Once validation is successful and the request is valid, it issues an access token.
  3. The Client Application sends the received access token to the Resource Server to access the resource endpoint.
  4. The Resource Server validates the access token by calling the Authorization Server.
  5. If the token is valid, the Resource Server returns the requested resource to the Client Application.

Refer to the Client Credentials Grant Type Example for the implementation.
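A runnable sketch of both flows described above (the Password grant from the earlier question and the Client Credentials grant from this one), added here as an example; it is not code from this post or from Spring Security. It assumes an in-memory authorization server with constructed client and user registrations, an opaque token store, and introspection as the call the resource server makes to validate a token.

```python
import hashlib, hmac, secrets, time
SALT = b"demo-salt"  # constructed demo salt; real code derives a random salt per user
CLIENTS = {  # constructed client registrations; a real server keeps these in a store
    "trivago-app": {"secret": "trivago-s3cret", "grants": {"client_credentials"}},
    "first-party-app": {"secret": "fp-s3cret", "grants": {"password"}},
}
USERS = {"alice": hashlib.pbkdf2_hmac("sha256", b"wonderland", SALT, 100_000)}  # constructed
TOKENS = {}  # opaque access token -> metadata, held by the authorization server

def authenticate_client(client_id, client_secret):  # the 'authenticate the client' step
    client = CLIENTS.get(client_id)
    if client is None or not hmac.compare_digest(client["secret"], client_secret):
        return None  # constant-time compare, no hint whether the id or the secret was wrong
    return client

def token_endpoint(form):  # authorization server /token for password and client_credentials
    client = authenticate_client(form.get("client_id", ""), form.get("client_secret", ""))
    if client is None:
        return {"error": "invalid_client"}
    grant = form.get("grant_type")
    if grant not in client["grants"]:  # only trusted first-party clients may use the password grant
        return {"error": "unauthorized_client"}
    if grant == "password":  # validate the resource owner's credentials
        digest = hashlib.pbkdf2_hmac("sha256", form.get("password", "").encode(), SALT, 100_000)
        stored = USERS.get(form.get("username"))
        if stored is None or not hmac.compare_digest(stored, digest):
            return {"error": "invalid_grant"}
        subject = form["username"]
    else:  # client_credentials: the client acts on its own behalf, no end user takes part
        subject = form["client_id"]
    token = secrets.token_urlsafe(32)  # opaque and unguessable
    TOKENS[token] = {"sub": subject, "client_id": form["client_id"], "exp": time.time() + 3600}
    return {"access_token": token, "token_type": "Bearer", "expires_in": 3600}

def introspect(token):  # the resource server validates a token by asking the authorization server
    meta = TOKENS.get(token)
    if meta is None or meta["exp"] < time.time():
        return {"active": False}
    return {"active": True, "sub": meta["sub"], "client_id": meta["client_id"]}

def revoke(token):  # logout: the token is invalidated, so later introspection reports inactive
    TOKENS.pop(token, None)

def resource_server(authorization_header):  # protected endpoint, returns (status, body)
    ok = authorization_header.startswith("Bearer ")
    info = introspect(authorization_header[7:]) if ok else {"active": False}
    if not info["active"]:
        return 401, {"error": "invalid_token"}
    return 200, {"hotels": ["constructed result"], "subject": info["sub"]}
```

Note that the password grant is only granted to the registered first-party client, while the aggregator client can only obtain a token on its own behalf.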

Q: How to implement OAuth with Google Authorization?
Ans:

Refer to OAuth2 - Google Authorization Server for an implementation that uses an external Authorization Server.

Q: What is client_id (client identifier) in OAuth?
Ans:

To let you sign in via Google, Stack Overflow must first register with Google, and the Google service then issues client credentials in the form of a client identifier and a client secret. The Client ID is a publicly exposed string used by the service API to identify the application; it is also used to build the authorization URLs that are presented to users.

Refer to the OAuth2.0 Introduction for more information.


Q: What are the benefits of using OAuth default access token vs JWT as OAuth access token?
Ans:

Refer to Advantage of JWT as OAuth Access Token vs OAuth Default Token.

Q: What is Token-Based Authentication?
Ans:

Token-based authentication allows users to prove their identity and, in return, receive a unique access token with which they access resources. Once the user logs out of the app, the token is invalidated. It is considered a secure way of authenticating.