Introduction

OAuth 2 stands for Open Authorization 2.0. It is an authorization framework that lets an application access a user's data held by another service without the user sharing their password. Instead of credentials, it issues limited, revocable access tokens, keeping the interaction between the two systems controlled and the user's credentials protected.

OAuth 2 is used to strengthen security and simplify user authentication for applications and services. Apps can access user data without ever handling the user's password, which reduces the risk of credential exposure. OAuth 2 also provides controlled access to resources, giving the user better privacy and control over what data is shared.

Authentication?

Proving who you are by presenting valid credentials through one of several possible mediums.

Authorization?

Establishing that you hold a valid role that entitles you to enter a place or carry out a particular activity.

| No. | Component            | Description                                               | Example                                                      |
|-----|----------------------|-----------------------------------------------------------|--------------------------------------------------------------|
| 1   | Resource owner       | The user who owns the data or resources                   | The person                                                   |
| 2   | User agent           | The software or device used by the user                   | Web browser, mobile app                                      |
| 3   | Client               | The application requesting access                         | Social media app, email client                               |
| 4   | Authorization server | The server that verifies user identity and issues tokens  | Google OAuth server, Facebook OAuth server, Keycloak server  |
| 5   | Resource server      | Holds the protected user resources                        | The API server                                               |

OAuth client types

OAuth primarily has two types of clients:

  • Public clients : -- Mobile apps and single-page web applications fall into this category. Because the code runs on the user's device, any secret key embedded in it is exposed publicly.
  • Private clients (also called confidential clients) : -- Applications, typically server-side, that can keep their secret access keys safe without exposing them to the public.

Access tokens and formats

An access token is generally a JWT, a signed text token created by the authorization server after a successful authentication. The access token may or may not contain information about the user when decoded.

A JWT is divided into three parts, header.payload.signature, with each part separated from the next by a dot (.).

[image: sample JWT structure]

Both the header and the payload are simply base64url-encoded text, so anyone holding the token can decode and read them. For that reason it is not recommended to place any sensitive information in a JWT. The signature plays the crucial role in making the JWT secure: the issuer signs the header and payload using one of the algorithms from the supported list, so any change to either part invalidates the signature. More information can be found at https://jwt.io/introduction, and the related RFC documentation is also available.

The keys used in the JWT header and payload are predefined and called JWT claims; custom claims can be added as needed. Detailed descriptions of the registered claims can be found at https://www.iana.org/assignments/jwt/jwt.xhtml
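To make the three points above concrete (the header and payload are readable by anyone, the signature is what protects them, and a verifier should only accept the algorithm it expects), here is an added example that is not part of these notes. It builds an HS256 JWT with a constructed demo key using only the Python standard library, peeks at the readable parts, verifies the signature, and shows that a token whose payload was changed no longer verifies.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key for this example; a real authorization server keeps its key secret.
DEMO_KEY = b"constructed-demo-secret-key"

def b64url_encode(data: bytes) -> str:
    # JWT segments use base64url without '=' padding.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    # Restore the padding that JWT segments drop before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_jwt(payload: dict, key: bytes) -> str:
    # header.payload are signed together with HMAC-SHA256; the result is the third segment.
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)

def peek(token: str) -> tuple:
    # No key needed: header and payload are only encoded, not encrypted.
    h, p, _ = token.split(".")
    return json.loads(b64url_decode(h)), json.loads(b64url_decode(p))

def verify_hs256(token: str, key: bytes) -> bool:
    h, p, s = token.split(".")
    # Only accept the algorithm the verifier expects; never let the token's header choose it.
    if json.loads(b64url_decode(h)).get("alg") != "HS256":
        return False
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(s))

def with_changed_payload(token: str, **changes) -> str:
    # Re-encode the payload with modified claims but keep the original signature,
    # which is exactly what the signature check must reject.
    h, p, s = token.split(".")
    payload = json.loads(b64url_decode(p))
    payload.update(changes)
    return f"{h}.{b64url_encode(json.dumps(payload, separators=(',', ':')).encode())}.{s}"

if __name__ == "__main__":
    token = make_jwt({"sub": "alice", "role": "user"}, DEMO_KEY)
    print(peek(token))                                            # readable without the key
    print(verify_hs256(token, DEMO_KEY))                          # True
    print(verify_hs256(with_changed_payload(token, role="admin"), DEMO_KEY))  # False
```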

3rd July 1.5 hours with srikalyan