What is OAuth 2.0 And How It Works?

If you often share your data between two different apps, you must hear the name of OAuth. If you wonder what OAuth 2.0 is and how it works, this blog is for you. OAuth 2.0 basically refers to an authorization system that allows users to share their information and data safely between two different applications.

It is a standard that provides a safe passage between the web, desktop, mobile devices, and applications to deal with API security issues.

Let’s take a closer look at OAuth 2.0’s history and its working system. In this blog, you will also learn about the benefits, some drawbacks, and the best ways to use OAuth 2.0 in your work.

History of OAuth 2.0

Millions of users install a new application daily and share their data with them. For instance, your one app might need to get access to another app in order to work. Without the OAuth standard, you might risk most of your information from the application. Although integration applications bring many benefits, they also are the main reason for significant security breaches. Before OAuth, users had to face many issues.

1. User Credential Exposure: Users had to login to certain applications with their personal credentials. Due to the weak security system, there were high chances of breaches.
2. Scope Of Access: Access to scope means a certain part of info was not available before OAuth. These third-party apps had the ability to access some of your data that you might not want to share. For instance, your location, email, and address.
3. No Way To Revoke Access: The user was also unable to revoke their access from these third-party insecured applications.

Key Terminology in OAuth 2.0

There are few important terms that you must know to understand the OAuth 2.0 and its working system properly.

1. Resource Owner: A user basically owns the data and gives you access.
2. Client: It can be any third-party app or website that requests to access the resources of the user.
3. Resource Server: It’s a server that protects the user’s host and saves it for instance, Facebook or Google.
4. Authorization Server: This server authenticates the identity of the user to grant access tokens.
5. Access Token: It is a token that serves as an authentication pass to access the user resource as per the user’s request.
6. Refresh Token: It is used to get a new authorization pass or, you can say, a new access token when the current access token expires.

How OAuth 2.0 Works?

OAuth 2.0 mainly works on the four roles: Client, Resource Owner, Resource Server, and Authorization Server. Now, let’s take a look at how it actually works.

1. Authorization Request: It starts working when a client means a third-party web request resource owner means the user to grant them access to their data on their Resource server.
2. Authorization Grant: Then, the user reviews the request through the Resource server. A screen appears before the user that a third party is asking to access. Once the user goes through the request, he approves it.
3. Authorization Code or Token Exchange: Once the user grants access, the Client receives an authorization code from the Authorization Server and exchanges this code with the server to get an Access token.
4. Access Token Issuance: The Client gets the Access token as soon as the Authorization server identifies the code. This access token serves as a ticket or a pass to access the user’s resources from its Resource Server.
5. Access Resource: Then, the Client makes a formal API request with the access token to the user’s Resource Server to access their resource on the user’s behalf. The Resource Server thoroughly checks the access token to see its authenticity.
6. Token Expiry and Refresh: Well, Access tokens have a short lifespan due to security reasons. They expire after a short while. After expiration, Client has to make a new request using a refresh token to get the access token again. This time, clients do not have to go through the authorization process. It can get the access code easily.

OAuth 2.0 Grant Types

This latest version of OAuth 2.0 standard supports multiple grant types of authorization to use it in multiple applications for different purposes.

1. Authorization Code Grant: It is one of the most common flows. It is perfect for applications with servers. It Authenticates the users, exchanges authentication codes, and then gives access tokens.
2. Implicit Grant: For most single page websites, this grant is used. In this, the Client gets access token directly without exchanging any code. It is usually considered a little less secure.
3. Resource Owner Password Credentials Grant: This grant is used only for highly reliable clients, such as first-party applications. In this flow, the user’s credentials are sent to Client directly which serves as a step to get access tokens.
4. Client Credentials Grant: It is used where no user is involved and communication happens between machine-to-machine. In this flow, clients directly access the user’s resources with credentials.

Security Features in OAuth 2.0

The amazing part of OAuth 2.0 is that it provides various key features during the whole process.

1. Token Expiry and Refresh: All access tokens come with a short lifespan, meaning they expire after some time. This protects the user’s resources from getting compromised. Clients can always use Refresh tokens to gain new access tokens without authenticating the user again.
2. Scopes: With these features, clients have the ability to request access to only a certain part of a resource, which is called scopes. This limited the access and only gave access to that specific data.
3. Token Revocation: OAuth 2.0 can revoke both refresh and access tokens anytime even after their issuance for better security.

Common Use Cases of OAuth 2.0

1. Single Sign-On (SSO): The main use case of OAuth 2.0 is allowing users to login to other applications and websites using their social accounts like Facebook, X (previously known as Twitter), and Google. The third-part website or application receives a token which is then used to get the details of users from their social media.
2. Third-Party API Access: Most mobile applications require user’s data like their email, name, and birthdate from their Resource server like Google drive. With OAuth 2.0 these applications can easily get access to these data in a secure way.
3. IoT Devices: Smart home and smart devices use OAuth 2.0 mainly to access users’ accounts like Google, Spotify, or YouTube.

Conclusion

Well, OAuth 2.0 is an effective and secured process to access user information across different platforms without sharing their passwords. OAuth 2.0 uses access tokens to securely create a connection between the applications and APIs. This secured method reduces the risks of breaches and compromises of data.