OAuth Simplified

OAuth 2.0 is an authorization protocol which applications can use for accessing each other data. A more common scenario which you all have seen is to login into a website using your Facebook or Google account. In this article we will understand OAuth 2.0 protocol which is release in Oct 2012. It is much simpler than its previous version 1.0, as 1.0 involve certificate which is removed from 2.0. OAuth protocol will have following participants

  1. Resource Owner
  2. Resource Server
  3. Client Application
  4. Authorization Server
The resource owner can be a user or application which has data that can be share with other application. For example an user on Facebook or Google can be consider as Resource Owner and his profile/account data can be consider as resource.
The Resource Server is the application which stores resource like Facebook and Google can be consider as Resource Server.
The client application is the application which request for accessing resources. Lastly Authorization server is the server for authorizing (credential validation logic) a client application to access resource hosted by Resource Server. Usually Resource servers itself host logic for credential validation but OAuth specification has specified it as a separate component. It’s up to our use case where to implement authorizing logic.

Now we have understanding of OAuth components we will see how OAuth works.
Before a Client application can request a resource access, it needs to register itself with Authorization server. This is one time task in which Authorization Server provides a client ID and client secret. Client will also specify a URI on which Authorization server will redirect when authorization is successful. This credential will recognize client in future communication with authorization server.
Client application needs to provide a link or button asking user to log in using Authorization server like Facebook or Google. Clicking on button will redirect resource owner to Authorization server and owner will get validate by providing credentials. This URI is referred as Authorization Endpoints in OAuth 2.0 specification. An Authorization server will then ask User/resource owner to grant access to client application for accessing resource. Once User accepts it, Authorization server will redirect user to client application URI. This is the same URI client has registered with Authorization server at the time of registration. This URI is reference as Redirect endpoint in OAuth 2.0 specification.
In OAuth 2.0 specification there can be 4 types of Authorization Grant

  1. Authorization Code
  2. Implicit
  3. Resource Owner and password
  4. Client credentials
In Authorization code when user accepts the authorization grant to client application, it will redirect to client application URI along with an Authorization code in response. Client application will then request Access Token URI on Authorization Server with Client ID, Client Secret and Authorization Code as request parameters and will get access token in response. Client application will then use Access Token with further communication. The Access token can be expired after a period and client application will again need to request an access token. Access token URI is referenced as Token endpoint in OAuth specification.

The Implicit Authorization grant is similar to authorization code except instead of returning an Authorization code, Authorization server will return access token itself which can then be used for further communication.

In Resource owner password Authorization grant user provides its Authorization server credentials to client application. For example a user enters Facebook or Google account credentials on client application. Client application would then use username and password for further communicating with Facebook or Google. This type of Authorization grant will be used in highly trusted client application.

The Client credentials authorization code works when client application need to access resource which are not related to any specific resource owner.

For Further details on request and response structure please refer http://tools.ietf.org/html/rfc6749

If you are on Java side then you can use Apache Oltu or Spring security as OAuth provider for your application. Please visit below for more details.
http://oltu.apache.org/download.html
http://docs.spring.io/spring-security/oauth/

Comments

Post a Comment

Popular posts from this blog

Profiling Java Application using annotation

This blog will provide details of measuring a performance of a code snippet while developing. This is will very handy to developer to quickly measure the performance of a method while unit testing. Benefits: While developing a feature a developer usually missed out performance parameter which is equally and important nonfunctional requirement.  Ideally a developer must make it as a practice to test performance of their code along with unit testing and improved it if it is not fall under acceptance criteria. A quick measurement of performance is to check the elapse time of a method. Most of the time we monitor elapse time using System.currentTimeMillis method.  But for this we need to add unwanted statements in our code. Moreover along with elapse time sometime we also required some further information like mean, minimum, maximum, standard deviation and transactions per second over a set time span. All above task for testing performance can be easily carried out by ...
Read more

Dive into WSDL

Everybody who is working with web service knows about WSDL document. WSDL stands for web service descriptive language and is used for describing a web service in language & implementation independent way. When I say language independent, means it is an xml document. WSDL document provides a detail description about a web service, about operation supported by web service, input and output parameter of an operation. With number of web service framework available, writing a web service is merely placing some annotations on business java class. Framework like CXF and others application server provides utility to generate a WSDL document using Java code and vice versa. With the use of utility we normally didn’t have to deal with different elements of WSDL document. But knowing about WSDL elements detail will help us to debug our application effectively. I have created a sample web service project. You can access complete project from Git repository https://github.com/vcjain/webs...
Read more