OAuth 2 Introduction
Spring Boot Security - OAuth 2 Tutorial
What is OAuth?
OAuth (Open Authorization) is an open standard for token-based authentication and authorization. OAuth allows third-party services, such as Facebook, to use account information from an end user without exposing the user's password.
What is OAuth 1.0?
OAuth 1.0, released in December 2007, addressed delegation with a framework based on digital signatures. It was secure and robust. However, OAuth 1.0 required a cryptographic implementation and cryptographic interoperability, and although safe, implementing it has been a challenge for many developers. OAuth 2.0 then arrived in October 2012.
Note: This specification was obsoleted by OAuth Core 1.0 Revision A on June 24th, 2009 to address a session fixation attack.
Use RFC 6749, The OAuth 2.0 Authorization Framework, instead of the OAuth 1.0 specification.
What is OAuth 2.0?
As mentioned above, OAuth 2.0 was released in October 2012 to overcome the problem described above in OAuth 1.0. The OAuth 2.0 authorization framework allows a third-party application to gain limited access to an HTTP service, either on behalf of a resource owner, by orchestrating an approval interaction between the resource owner and the HTTP service, or by requiring the third-party application to obtain access on its own behalf.
What is the difference between OAuth 1.0 and OAuth 2.0?
OAuth 2.0 is not backwards compatible with OAuth 1.0 or 1.1.
OAuth 1.0 vs OAuth 2.0
OAuth Flow Overview
To understand the OAuth flow, we will take the example of Stackoverflow.com. As a new user, you have to sign up, or you can sign in using a Google or Facebook account. By doing so, you are authorizing Google or Facebook to allow Stackoverflow to access your profile info. This authorization is done using OAuth.
What is client_id (client identifier) in OAuth? For you to sign in via Google, Stackoverflow must be registered with Google, and the Google service must issue client credentials in the form of a client identifier and a client secret. The Client Id is a publicly exposed string that is used by the service API to identify the application, and is also used to build the authorization URLs that are provided to users.
- Go to the Stackoverflow.com home page and click on "Login".
- Click on "Log in with Google".
- You can see client_id= in the URL; as mentioned, the Client Id is exposed to the user, but the secret is not. Now enter your email id and click on Next.
- client_id= is still there; now provide your password and click on Next.
- You are logged into Stackoverflow successfully.
OAuth 2.0 Flow
We have taken the example of Stackoverflow as shown in the diagram; we have four actors:
- Resource Owner: This is the user who wants to sign up using Stackoverflow.
- Client Application: This will be Stackoverflow.com.
- Resource Server: This will be Gmail or Facebook.
- Authorization Server: The resource server hosts the protected user accounts, and the authorization server verifies the identity of the user and then issues access tokens to the application.
The diagram above demonstrates the relationship between the four roles in the OAuth 2.0 flow overview and includes the following steps:
- The client requests authorization from the resource owner. The authorization request can be made directly to the resource owner (as shown) or, preferably, indirectly via the authorization server as an intermediary.
- The client receives an authorization grant, which is a credential representing the resource owner's authorization, expressed using one of the four grant types defined in the specification or using an extension grant type.
- The client requests an access token by authenticating with the authorization server and presenting the authorization grant.
- The authorization server authenticates the client, validates the authorization grant, and, if valid, issues an access token.
- The client requests the protected resource from the resource server and authenticates by presenting the access token.
- The resource server validates the access token and, if valid, serves the request.
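The six steps above, as an added example that is not from the original tutorial or from Spring Security: a toy in-memory authorization server and resource server in Python, showing why the client_id can sit in the browser URL while the client secret is only ever sent over the back channel. The client registration (client-demo, demo-secret, https://client.example/cb) and the "profile" resource are constructed sample values.

```python
import secrets
import time

# Constructed sample client registration; placeholder values, not real credentials.
CLIENTS = {"client-demo": {"secret": "demo-secret", "redirect_uri": "https://client.example/cb"}}

class AuthorizationServer:
    def __init__(self):
        self.codes = {}   # authorization code -> (client_id, redirect_uri, scope)
        self.tokens = {}  # access token -> (client_id, scope, expires_at)

    def authorize(self, client_id, redirect_uri, scope, owner_approves):
        # Steps A/B: client_id is public (it shows in the browser URL); the server checks it against the registered redirect_uri and the owner's approval before issuing a code.
        client = CLIENTS.get(client_id)
        if client is None or client["redirect_uri"] != redirect_uri or not owner_approves:
            return None
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, redirect_uri, scope)
        return code

    def token(self, client_id, client_secret, code, redirect_uri):
        # Steps C/D: the client authenticates with its secret over the back channel (the secret never reaches the browser); the grant is validated and consumed, so a replayed code fails.
        client = CLIENTS.get(client_id)
        if client is None or not secrets.compare_digest(client["secret"], client_secret):
            return None
        grant = self.codes.pop(code, None)  # single use
        if grant is None or grant[0] != client_id or grant[1] != redirect_uri:
            return None
        token = secrets.token_urlsafe(24)
        self.tokens[token] = (client_id, grant[2], time.time() + 300)  # 5-minute lifetime
        return token

    def introspect(self, token):
        # Lets the resource server validate a token and learn its scope.
        entry = self.tokens.get(token)
        if entry is None or entry[2] < time.time():
            return None
        return {"client_id": entry[0], "scope": entry[1]}

class ResourceServer:
    def __init__(self, auth_server):
        self.auth = auth_server
        self.data = {"profile": {"name": "Alice Example"}}  # constructed protected resource

    def get(self, resource, bearer_token):
        # Steps E/F: validate the presented token and its scope, then serve the request.
        info = self.auth.introspect(bearer_token)
        if info is None or resource not in info["scope"].split():
            return 401, None
        return 200, self.data[resource]
```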
Authorization Grant Types
An authorization grant is a credential representing the resource owner's authorization (to access its protected resources) that is used by the client to obtain an access token.
This specification defines four grant types:
- Authorization Code
- Resource Owner Password Credentials
- Client Credentials