The Simplest Guide To OAuth 2.0

1. There is a user, and the user has data.

2. There is a server which manages the user's data. The server is called the "Resource Server".

3. There is a "Client Application" which wants to use the user's data.

4. Let's prepare a gate through which the user's data passes. The gate is called an "API".

5. The client application requests the user's data.

6. The resource server returns the user's data.

7. What if there is a malicious client application?

8. Even if the client application that requests the user's data is a malicious one, ...

9. ... the resource server returns the user's data.

10. Even a malicious application can get the user's data.

11. We need a mechanism to protect the user's data.

12. The standard approach is to give the client application an "Access Token" in advance. An access token represents that the client application holding it has been granted permission to access the user's data.

13. The client application presents the access token when it requests the user's data.

14. The resource server extracts the access token that is included in the request, ...

15. ... and confirms that the access token denotes that the client application has permissions to access the user's data.

16. After the confirmation, the resource server returns the user's data.

17. To make this mechanism work, an access token must be given to the client application in advance.

18. Consequently, we need someone who issues access tokens.

19. Someone who issues access tokens ...

20. ... is called "Authorization Server".

21. The relationship between a client application and an authorization server is as follows.

22. An authorization server generates an access token ...

23. ... and issues the access token to a client application.

24. Let's review what we've learned so far. The characters are an "Authorization Server", a "Client Application" and a "Resource Server".

25. The authorization server generates an access token ...

26. ... and issues the access token to the client application.

27. The client application requests the user's data with the access token.

28. The resource server extracts the access token from the request, ...

29. ... confirms that the access token denotes permission to access the user's data ...

30. ... and returns the user's data to the client application.

31. In the flow above, the first step is access token generation by the authorization server. In a real flow, however, the user is asked for permission before an access token is issued.

32. First, the client application requests an access token.

33. Then, the authorization server asks the user whether to grant the requested permissions to the client application.

34. If the user allows the authorization server to issue an access token to the client application, ...

35. ... the authorization server generates an access token ...

36. ... and issues the access token to the client application.

37. By the way, pay attention to the part encircled by the yellow ellipse in the figure.

38. That part is the access token request and the response to it.

39. It is "OAuth 2.0" that standardizes this part. The details of OAuth 2.0 are described in the technical document RFC 6749 (The OAuth 2.0 Authorization Framework).
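The three parties and the checks described in steps 12 to 36, as an added example that is not from the original article and is not Authlete's code: a toy Python simulation in which the authorization server issues an opaque access token only after a stand-in consent callback says the user agreed, and the resource server refuses any request that carries no token, a forged or expired token, or a token whose granted scope does not cover the data asked for. The user, client and scope names, the sample data, the "Bearer" header form and the shared token store the resource server consults are all this example's own assumptions; a real deployment would obtain the token through one of the RFC 6749 grant types over HTTPS, and the resource server might instead validate a signed token locally.

```python
import hashlib
import secrets
import time

# Constructed sample data held by the resource server (an assumption of this example).
USER_DATA = {
    "alice": {"email": "alice@example.com", "photos": ["beach.jpg", "dog.jpg"]},
}

# Which scope a client needs to read each kind of resource (this example's own policy).
REQUIRED_SCOPE = {"photos": "photos:read", "email": "email:read"}


def _token_id(token):
    """Store tokens hashed, so a leaked token store does not yield usable tokens."""
    return hashlib.sha256(token.encode()).hexdigest()


class AuthorizationServer:
    """Issues access tokens, but only after asking the user (steps 32 to 36)."""

    def __init__(self, ask_user, registered_clients):
        self._ask_user = ask_user          # callback (user, client_id, scopes) -> bool
        self._clients = set(registered_clients)
        self._tokens = {}                  # sha256(token) -> token metadata

    def request_token(self, client_id, user, scopes, ttl=3600):
        """Step 32: the client asks for a token. Returns the token, or None if refused."""
        if client_id not in self._clients:
            return None                    # unknown client: the user is not even asked
        if not self._ask_user(user, client_id, scopes):
            return None                    # steps 33/34: the user declined
        token = secrets.token_urlsafe(32)  # step 35: an unguessable opaque token
        self._tokens[_token_id(token)] = {
            "client_id": client_id,
            "user": user,
            "scopes": frozenset(scopes),
            "exp": time.time() + ttl,
        }
        return token                       # step 36: issued to the client

    def introspect(self, token):
        """Tell the resource server what a token means; None if unknown or expired."""
        meta = self._tokens.get(_token_id(token))
        if meta is None or time.time() >= meta["exp"]:
            return None
        return meta


class ResourceServer:
    """Holds the user's data and checks the token on every request (steps 13 to 16)."""

    def __init__(self, auth_server):
        self._as = auth_server

    def handle(self, request):
        """request = {"path": "/photos/alice", "headers": {...}}; returns (status, body)."""
        auth = request.get("headers", {}).get("Authorization", "")
        scheme, _, token = auth.partition(" ")
        if scheme != "Bearer" or not token:
            return 401, {"error": "invalid_request"}   # the steps 7-10 attacker: no token
        meta = self._as.introspect(token)
        if meta is None:
            return 401, {"error": "invalid_token"}     # forged or expired token
        parts = request["path"].strip("/").split("/")
        if len(parts) != 2 or parts[0] not in REQUIRED_SCOPE or parts[1] not in USER_DATA:
            return 404, {"error": "not_found"}
        kind, user = parts
        # The token must belong to this user and carry the scope for this resource.
        if meta["user"] != user or REQUIRED_SCOPE[kind] not in meta["scopes"]:
            return 403, {"error": "insufficient_scope"}
        return 200, {kind: USER_DATA[user][kind]}


def consent_policy(user, client_id, scopes):
    """Stand-in for the consent screen: alice grants photo access to one client only."""
    return user == "alice" and client_id == "photo-printer" and set(scopes) <= {"photos:read"}


def run_scenario():
    auth = AuthorizationServer(consent_policy, {"photo-printer", "calendar-sync"})
    rs = ResourceServer(auth)
    results = {}
    # A client that simply asks for the data (steps 7 to 10) is refused.
    results["no_token"] = rs.handle({"path": "/photos/alice", "headers": {}})[0]
    # A client that makes up a token is refused too.
    results["forged_token"] = rs.handle({"path": "/photos/alice",
        "headers": {"Authorization": "Bearer " + secrets.token_urlsafe(32)}})[0]
    # The user declines, so no token is issued at all.
    results["denied_consent"] = auth.request_token("calendar-sync", "alice", ["email:read"])
    # The user grants photos:read; the token is issued and the data comes back.
    token = auth.request_token("photo-printer", "alice", ["photos:read"])
    results["granted"] = rs.handle({"path": "/photos/alice",
        "headers": {"Authorization": "Bearer " + token}})
    # The same token does not unlock data outside the granted scope.
    results["wrong_scope"] = rs.handle({"path": "/email/alice",
        "headers": {"Authorization": "Bearer " + token}})[0]
    # An already-expired token (negative ttl) is treated like no token.
    expired = auth.request_token("photo-printer", "alice", ["photos:read"], ttl=-1)
    results["expired"] = rs.handle({"path": "/photos/alice",
        "headers": {"Authorization": "Bearer " + expired}})[0]
    return results


if __name__ == "__main__":
    for name, outcome in run_scenario().items():
        print(f"{name}: {outcome}")
```

Note that the resource server never trusts anything inside the request itself: it asks the issuer what the token means, then checks the user and scope bound to that token against the resource being requested. That last check is the one that is most often forgotten; a valid token for the wrong user or the wrong scope must be refused just like no token at all.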

Takahiko Kawasaki, co-founder and representative director of Authlete, Inc., working as a software engineer since 1997. https://www.authlete.com/
