OAUTH2 Concepts
A standard framework used in enterprise applications for authentication & authorization.
OAuth stands for Open Authorization.
It was initially created only for delegated authorization.
OAuth 2.0 was later extended to include authentication as well.
Problem
Multiple products may each need their own authentication credentials, putting the burden on the consumer to remember all of them.
The more credentials there are to remember, the easier it is for them to be lost or stolen.
Authentication and authorization logic gets duplicated across products, and any enhancement requires more effort.
How to do delegated authentication
What if a third-party app wants to access your account details for some operation? Sharing your credentials with it is a big risk.
Solution
Use a separate authentication & authorization server that takes on these responsibilities for all products in an enterprise.
Allows segregation of business logic from security logic.
Allows delegated authorization, preventing credential sharing.
Grant Types
OAuth2 supports different grant types and also allows new ones to be defined.
Some of the common grant types are:
Access Token
Refresh Token
Device Code
PKCE
Client Credentials
Authorization Code
Password Grant (Legacy)
Implicit flow (Legacy)
Terminologies
Resource Owner
The end user who owns the resources that need to be accessed.
Client
An application that needs access to a resource belonging to the resource owner.
Authorization Server
This server holds the authorization logic and the credentials; it grants access to the client, provided the resource owner approves.
The resource owner must have an account on this server.
Resource Server
This is the server that holds the resource the client application needs.
It grants access to the resource once the access request carries a valid access token.
This may be the same server as the authorization server or a different one.
Scopes
The granular permissions that are allowed once the user gets access to the resource.
They define the authorities or roles.