What is OAuth 2.0 and How it works

Nayan Das
3 min readAug 30, 2020

Before introducing OAuth2, let's briefly discuss authentication and authorization.

Authentication is the process of verifying the identity of a user by obtaining credentials, for example a username and password, and using those credentials to confirm who the user is.

Authorization is the process of allowing an authenticated user to access resources by checking whether that user has been granted access to them. You control access by granting or denying specific permissions to an authenticated user. So if authentication succeeds, the authorization process starts: authentication always precedes authorization.

What is OAuth?
OAuth (Open Authorization) is an open standard for token-based authentication and authorization on the Internet. OAuth allows an end user's account information to be used by third-party services, such as Facebook, without exposing the user's password.

OAuth is based on the concept of an access token. When you authenticate to a third-party web application using, let's say, your Google account, Google's authorization server issues an access token to that web application with the approval of the resource owner (you). The web application can then use that access token to access your data hosted on the resource server.

Roles
OAuth2 defines four roles:

Resource Owner (User): the owner of the protected resources, who must authorize a client before it can obtain access to them from the resource server.

Resource Server: server hosting protected data/resources.

Client Application: application requesting access to a resource server.

Authorization Server: server issuing access tokens to the client. The client application presents this token when it makes requests to the resource server.

Access Token
Access tokens are used by the application to make API requests on behalf of a user. The access token represents the authorization of a specific application to access specific parts of a user’s data.

The diagram below depicts the basic sequence flow for an OAuth2 authorization process:

OAuth2 basic flow

The first step is access token generation by the authorization server.
1. The client application requests an access token, because we do not want a malicious user to access our data on the resource server without authentication.
2. Then, the authorization server asks the user/resource owner whether to grant the requested permissions to the client application.
3. If the user allows the authorization server to issue an access token to the client application,
4. the authorization server generates an access token
5. and issues the access token to the client application. This part represents an access token request and the response to that request.
6. The client application requests the user's data with the access token.
7. The resource server extracts the access token from the request,
8. confirms that the access token has permission to access the user's data
9. and returns the user's data to the client application.
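The nine steps above, played out in a single-process simulation. This is an added example, not code from the original post: it assumes an in-memory token store shared by the authorization and resource servers, a constructed user record, and the `Bearer` header scheme for presenting the token; the point is that the resource server checks the token's existence, expiry and scope before returning anything.

```python
import secrets
import time

# Constructed stand-ins for the authorization server's token database and
# the resource server's protected data (assumption: both share TOKENS).
TOKENS = {}  # access_token -> {"client_id", "user", "scope", "expires"}
USER_DATA = {"alice": {"email": "alice@example.com", "photos": ["p1.jpg"]}}

def authorization_server_issue_token(client_id, user, requested_scope, user_consents):
    """Steps 1-5: the client asks for a token, the resource owner is asked to
    approve the requested scope, and on approval an opaque token bound to
    client, user and scope is generated and returned."""
    if not user_consents:
        return None  # step 3: the resource owner denied the request
    token = secrets.token_urlsafe(32)  # step 4: unguessable random token
    TOKENS[token] = {"client_id": client_id, "user": user,
                     "scope": set(requested_scope),
                     "expires": time.time() + 3600}  # one-hour lifetime
    return token  # step 5: token handed to the client

def resource_server_get(token, resource):
    """Steps 8-9: look the token up, reject unknown or expired tokens,
    enforce scope, and only then return the user's data."""
    record = TOKENS.get(token)
    if record is None or record["expires"] < time.time():
        return 401, "invalid_token"
    if resource not in record["scope"]:
        return 403, "insufficient_scope"  # valid token, wrong permission
    return 200, USER_DATA[record["user"]][resource]

def client_fetch(token, resource):
    """Steps 6-7: the client sends the token in the Authorization header and
    the resource server extracts it before validating."""
    headers = {"Authorization": f"Bearer {token}"}
    scheme, _, presented = headers["Authorization"].partition(" ")
    if scheme != "Bearer":
        return 401, "invalid_request"
    return resource_server_get(presented, resource)

def demo():
    token = authorization_server_issue_token("photo-app", "alice", ["photos"], True)
    return {
        "granted": client_fetch(token, "photos"),        # in scope
        "out_of_scope": client_fetch(token, "email"),    # not approved by user
        "denied": authorization_server_issue_token("photo-app", "alice", ["email"], False),
        "forged": client_fetch("not-a-real-token", "photos"),
    }

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```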


Cyber Security Researcher. Want to share with the community and grow.