OAuth 2.0 is an authorization protocol which applications can use for accessing each other data. A more common scenario which you all have seen is to login into a website using your Facebook or Google account. In this article we will understand OAuth 2.0 protocol which is release in Oct 2012. It is much simpler than its previous version 1.0, as 1.0 involve certificate which is removed from 2.0. OAuth protocol will have following participants
- Resource Owner
- Resource Server
- Client Application
- Authorization Server
The resource owner can be a user or application which has data that can be share with other application. For example an user on Facebook or Google can be consider as Resource Owner and his profile/account data can be consider as resource.
The Resource Server is the application which stores resource like Facebook and Google can be consider as Resource Server.
The client application is the application which request for accessing resources. Lastly Authorization server is the server for authorizing (credential validation logic) a client application to access resource hosted by Resource Server. Usually Resource servers itself host logic for credential validation but OAuth specification has specified it as a separate component. It’s up to our use case where to implement authorizing logic.
Now we have understanding of OAuth components we will see how OAuth works.
Before a Client application can request a resource access, it needs to register itself with Authorization server. This is one time task in which Authorization Server provides a client ID and client secret. Client will also specify a URI on which Authorization server will redirect when authorization is successful. This credential will recognize client in future communication with authorization server.
Client application needs to provide a link or button asking user to log in using Authorization server like Facebook or Google. Clicking on button will redirect resource owner to Authorization server and owner will get validate by providing credentials. This URI is referred as Authorization Endpoints in OAuth 2.0 specification. An Authorization server will then ask User/resource owner to grant access to client application for accessing resource. Once User accepts it, Authorization server will redirect user to client application URI. This is the same URI client has registered with Authorization server at the time of registration. This URI is reference as Redirect endpoint in OAuth 2.0 specification.
In OAuth 2.0 specification there can be 4 types of Authorization Grant
- Authorization Code
- Resource Owner and password
- Client credentials
In Authorization code when user accepts the authorization grant to client application, it will redirect to client application URI along with an Authorization code in response. Client application will then request Access Token URI on Authorization Server with Client ID, Client Secret and Authorization Code as request parameters and will get access token in response. Client application will then use Access Token with further communication. The Access token can be expired after a period and client application will again need to request an access token. Access token URI is referenced as Token endpoint in OAuth specification.
The Implicit Authorization grant is similar to authorization code except instead of returning an Authorization code, Authorization server will return access token itself which can then be used for further communication.
In Resource owner password Authorization grant user provides its Authorization server credentials to client application. For example a user enters Facebook or Google account credentials on client application. Client application would then use username and password for further communicating with Facebook or Google. This type of Authorization grant will be used in highly trusted client application.
The Client credentials authorization code works when client application need to access resource which are not related to any specific resource owner.
For Further details on request and response structure please refer http://tools.ietf.org/html/rfc6749
If you are on Java side then you can use Apache Oltu or Spring security as OAuth provider for your application. Please visit below for more details.