TechnicalPig🐷: OAuth
Understanding and using OAuth in your application
OAuth is an authorisation framework that enables applications to obtain limited access to user accounts. It is designed to work with HTTP and provide authorised access to the user’s data without revealing their credentials to the application.
Outlining the steps:

1. Requesting authorisation: This is the initial step in the OAuth process. An application requests authorisation from the user (the resource owner) to access their data or perform operations on their behalf at a service (the resource server). The OAuth framework specifies how this request should be made, often through a redirection to a service-provided authorisation page.
2. User authorisation: This step is where the user explicitly grants permission to the application to access their resources or perform actions on their behalf. OAuth defines the user consent mechanism, ensuring that the user is informed about what permissions the application is requesting and has the ability to approve or deny these requests.
3. Application receives an authorisation grant: After the user grants permission, the application receives an authorisation grant. In OAuth, an authorisation grant is a credential representing the user's authorisation, but not yet the access token itself. It could be an authorisation code, an implicit grant, a resource owner password credentials grant, or a client credentials grant, depending on the OAuth flow being used.
4. Application requests an access token: With the authorisation grant, the application requests an access token from the authorisation server. This step is secured by OAuth, which requires the application to authenticate itself and to present the authorisation grant. The OAuth framework specifies how the application should authenticate and how the request should be made.
5. Application receives an access token: The authorisation server authenticates the application and validates the authorisation grant. If everything checks out, it issues an access token (and optionally a refresh token) to the application. OAuth defines the structure of these tokens and how they should be issued.
6. Application accesses the resource: Finally, the application uses the access token to make authenticated requests to the resource server on behalf of the user. The OAuth framework specifies how the access token should be included in requests to the resource server, ensuring secure access to the user's resources.
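The six steps above, as an added example that is not part of the original post: a constructed in-memory authorisation server and resource server (assumed names, not any real provider's code) walk one client through consent, code issuance, the authenticated code-for-token exchange, and a scoped bearer request. The checks that make the flow safe are the ones a reviewer looks for: the redirect URI is bound to the registered client, the code is single use, client authentication uses a constant-time comparison, the client verifies its own `state` on the callback, and the resource server refuses expired or under-scoped tokens.

```python
import secrets, time

# Constructed in-memory authorisation + resource server (assumed, not a real provider's code).
class AuthServer:
    def __init__(self):
        # registered client: its secret and the single redirect URI it is allowed to use
        self.clients = {"photo-app": {"secret": "app-secret", "redirect_uri": "https://app.example/cb"}}
        self.codes = {}   # authorisation code -> (client_id, redirect_uri, scope, user)
        self.tokens = {}  # access token -> (user, scope, expiry)

    def authorize(self, client_id, redirect_uri, scope, user, consented):
        """Steps 1-3: the user consents and the server issues an authorisation grant (a code)."""
        client = self.clients.get(client_id)
        if client is None or client["redirect_uri"] != redirect_uri:
            raise ValueError("unknown client or redirect_uri mismatch")
        if not consented:
            raise PermissionError("access_denied")
        code = secrets.token_urlsafe(24)
        self.codes[code] = (client_id, redirect_uri, scope, user)
        return code

    def token(self, client_id, client_secret, code, redirect_uri):
        """Steps 4-5: the client authenticates and swaps the single-use code for an access token."""
        client = self.clients.get(client_id)
        if client is None or not secrets.compare_digest(client["secret"], client_secret):
            raise PermissionError("invalid_client")
        grant = self.codes.pop(code, None)  # pop: a replayed code is rejected
        if grant is None or grant[0] != client_id or grant[1] != redirect_uri:
            raise PermissionError("invalid_grant")
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (grant[3], grant[2], time.time() + 3600)
        return {"access_token": token, "token_type": "Bearer", "expires_in": 3600, "scope": grant[2]}

    def resource(self, authorization_header):
        """Step 6: the resource server honours only a valid, unexpired bearer token with the needed scope."""
        scheme, _, token = authorization_header.partition(" ")
        entry = self.tokens.get(token) if scheme == "Bearer" else None
        if entry is None or entry[2] < time.time() or "photos:read" not in entry[1].split():
            raise PermissionError("invalid_token")
        return {"owner": entry[0], "photos": ["beach.jpg", "cat.png"]}  # constructed sample data

def run_flow(server, user="alice", consented=True):
    """Client side of the flow: the client never handles the user's password, only the grant and token."""
    state = secrets.token_urlsafe(16)  # tied to the user's browser session, verified on the callback
    code = server.authorize("photo-app", "https://app.example/cb", "photos:read", user, consented)
    callback = {"code": code, "state": state}  # what the redirect back to the client carries
    if not secrets.compare_digest(callback["state"], state):
        raise PermissionError("state mismatch")
    tok = server.token("photo-app", "app-secret", callback["code"], "https://app.example/cb")
    return server.resource("Bearer " + tok["access_token"])
```

Calling `run_flow(AuthServer())` returns the owner's photo listing; a second exchange of the same code, a wrong client secret, or a mismatched redirect URI each fails before any token is issued.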
![](https://media.beehiiv.com/cdn-cgi/image/fit=scale-down,format=auto,onerror=redirect,quality=80/uploads/asset/file/787d3318-a67e-4270-9589-73fdbc053d54/Screenshot_2024-03-10_at_16.52.55.png?t=1710089600)
An analogy
OAuth: The Security Guard
Imagine you're trying to enter a private club (a service or application) that requires a membership card (credentials). However, instead of showing your card every time, you talk to the club's security guard (OAuth). You tell the guard who you want to see or what you want to do inside the club. The guard then checks with the club member (the user), asking if they're okay with you doing what you've asked. If the member agrees, the guard gives you a special pass (access token) that lets you do only what you've been allowed to do. This way, the member never has to hand over their membership card directly, keeping it safe while you still get access to the club's services on their behalf.
Summary
In summary, OAuth is the framework that orchestrates this entire sequence, providing a standardised, secure way for applications to request and gain authorised access to user resources without needing the user's credentials. It's designed to work over HTTP, making it suitable for web applications, mobile applications, and API services.