Dec 16, 2023
When we talk about OAuth, are we talking about authentication or authorization? OAuth stands for Open Authorization: it is an open standard that lets websites and applications act on your behalf towards each other, with your consent and within limits you approve. So it is about authorization (what a third party may do with your account), not authentication (proving who you are); authentication layered on top of OAuth is what OpenID Connect adds. The term "Open" refers to the fact that the protocol is an open standard, meaning it is not proprietary and anyone can implement it. It is a set of specifications and guidelines developed through collaboration within the tech community; OAuth 2.0 itself is published by the IETF as RFC 6749.
You might be wondering why you would want applications to talk to each other on your behalf anyway. Let's understand this via a use case:
Let's say you want to create a social media management application called Socialite. This app can post to multiple social media accounts at once, without you having to log in to each social media account separately and publish the same post again and again. Sort of an automation.
You might have already seen this feature on Instagram, where before publishing a post you are asked whether you want it shared on Facebook as well. But that is limited to Facebook and Instagram. Our goal is to integrate multiple social media accounts such as Twitter, Facebook, Instagram, TikTok, etc.
We can create this feature easily using OAuth. We can divide the whole process into four segments:
Web sequence diagram for the OAuth 2.0 flow
If the user grants permission, Twitter's authorization server issues an OAuth access token to our Socialite application. This access token is limited, though: it carries only the scope the user approved, so with it we can post, but we cannot follow/unfollow, block, or change the user's credentials. Twitter's API (the resource server) checks the token's scope on every request and rejects anything outside it.
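The following is an added example, not code from the original article or from Twitter: a self-contained simulation of the exchange just described, with Socialite, the authorization server and the resource server all in one process so the messages can be traced offline. It uses the authorization code grant with PKCE and a state parameter (the form a browser-redirect flow should take today). Hostnames, the scope names (tweet.write, follows.write) and the API paths are assumptions for illustration, not real Twitter endpoints.

```python
"""Constructed simulation of the OAuth 2.0 authorization code flow with PKCE.
Hostnames, scope names and API paths are illustrative assumptions."""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# --- authorization server side: hypothetical registration of Socialite ---
CLIENTS = {"socialite": {"redirect_uri": "https://socialite.example/callback",
                         "allowed_scopes": {"tweet.write"}}}
ISSUED_CODES = {}    # code -> record; every code is single-use
ACCESS_TOKENS = {}   # token -> {"client_id", "scope"}


def b64url(data: bytes) -> str:
    """Base64url without padding, as PKCE requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


class SocialiteClient:
    """The third-party application. It never sees the user's Twitter password."""

    def __init__(self):
        self.client_id = "socialite"
        self.redirect_uri = CLIENTS["socialite"]["redirect_uri"]
        self.pending = {}  # state -> PKCE code_verifier for each in-flight login

    def build_authorization_url(self, scope="tweet.write"):
        verifier = b64url(secrets.token_bytes(32))
        challenge = b64url(hashlib.sha256(verifier.encode()).digest())
        state = b64url(secrets.token_bytes(16))      # CSRF protection for the callback
        self.pending[state] = verifier
        params = {"response_type": "code", "client_id": self.client_id,
                  "redirect_uri": self.redirect_uri, "scope": scope, "state": state,
                  "code_challenge": challenge, "code_challenge_method": "S256"}
        return "https://twitter.example/oauth/authorize?" + urlencode(params)

    def handle_callback(self, callback_url):
        q = {k: v[0] for k, v in parse_qs(urlparse(callback_url).query).items()}
        verifier = self.pending.pop(q.get("state"), None)
        if verifier is None:
            raise ValueError("unknown state: possible CSRF or replayed callback")
        if "error" in q:
            raise ValueError("user denied: " + q["error"])
        return token_endpoint("authorization_code", q["code"], self.client_id,
                              self.redirect_uri, verifier)


def authorize_endpoint(auth_url, user_approves=True):
    """Authorization server: the user logs in and consents; returns the redirect URL."""
    q = {k: v[0] for k, v in parse_qs(urlparse(auth_url).query).items()}
    client = CLIENTS[q["client_id"]]
    if q["redirect_uri"] != client["redirect_uri"]:
        raise ValueError("redirect_uri mismatch")       # exact match, never a prefix match
    if not set(q["scope"].split()) <= client["allowed_scopes"]:
        raise ValueError("scope not allowed for this client")
    if not user_approves:
        return q["redirect_uri"] + "?" + urlencode({"error": "access_denied", "state": q["state"]})
    code = b64url(secrets.token_bytes(24))
    ISSUED_CODES[code] = {"client_id": q["client_id"], "scope": q["scope"],
                          "redirect_uri": q["redirect_uri"], "code_challenge": q["code_challenge"]}
    return q["redirect_uri"] + "?" + urlencode({"code": code, "state": q["state"]})


def token_endpoint(grant_type, code, client_id, redirect_uri, code_verifier):
    """Authorization server: exchanges a code for an access token limited to the granted scope."""
    record = ISSUED_CODES.pop(code, None)               # pop, so a replayed code fails
    if grant_type != "authorization_code" or record is None:
        raise ValueError("invalid_grant")
    if record["client_id"] != client_id or record["redirect_uri"] != redirect_uri:
        raise ValueError("invalid_grant")
    if b64url(hashlib.sha256(code_verifier.encode()).digest()) != record["code_challenge"]:
        raise ValueError("invalid_grant: PKCE verifier mismatch")
    token = b64url(secrets.token_bytes(32))
    ACCESS_TOKENS[token] = {"client_id": client_id, "scope": record["scope"]}
    return {"access_token": token, "token_type": "Bearer", "scope": record["scope"]}


# --- resource server side: each API call is checked against the token's scope ---
REQUIRED_SCOPE = {"POST /2/tweets": "tweet.write",
                  "POST /2/users/me/following": "follows.write"}


def resource_server(request, bearer_token):
    info = ACCESS_TOKENS.get(bearer_token)
    if info is None:
        return 401, "invalid_token"
    if REQUIRED_SCOPE[request] not in info["scope"].split():
        return 403, "insufficient_scope"
    return 200, "ok"


def run_flow():
    """Full dance: posting works, following is refused because it was never granted."""
    client = SocialiteClient()
    redirect = authorize_endpoint(client.build_authorization_url())
    token = client.handle_callback(redirect)["access_token"]
    return (resource_server("POST /2/tweets", token),
            resource_server("POST /2/users/me/following", token))
```

Three checks in this sketch are the ones that matter in practice: the redirect URI is compared exactly, the authorization code is removed when it is exchanged so it cannot be replayed, and the PKCE verifier ties the token request to the browser session that started the flow, so a code stolen from the redirect is useless on its own.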
There are several types of authorization grants in OAuth, each serving a specific purpose. Here are some common examples.
In the Authorization Code Grant, the user is redirected to the authorization server, approves the request, and is sent back to the client with a short-lived, single-use authorization code. The client then exchanges that code at the token endpoint (together with its client secret, or a PKCE code verifier for public clients) for the access token, so the token itself never passes through the browser. A code might look like:
Authorization Code: abcdef123456
In the Implicit Grant flow, the access token is issued to the client directly from the authorization endpoint, without the intermediary step of obtaining an authorization code; it arrives in the URL fragment of the redirect. This flow was designed for browser-based applications, but because the token is exposed in the URL (browser history, referrers) and the flow cannot be protected with PKCE, the OAuth 2.0 Security Best Current Practice recommends against it and the OAuth 2.1 draft drops it; browser apps should use the authorization code grant with PKCE instead.
Access Token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
In the Resource Owner Password Credentials grant, the user's username and password are handed to the client and exchanged directly for an access token. It was meant only for clients that are highly trusted with the user's credentials (a first-party app, for instance), because it defeats the main point of OAuth: the client sees the password. The Security Best Current Practice deprecates it and OAuth 2.1 removes it, so new integrations should not offer it.
The Client Credentials Grant involves the client using its own credentials (client ID and client secret) to obtain an access token directly, with no user involved. It is used for machine-to-machine calls, so the resulting token represents the application itself rather than any user, and the secret must be kept server-side (never in a mobile or browser app, where it cannot stay secret).
Client ID: abc123
Client Secret: xyz456
The refresh token is not a way for the user to grant access, but it is worth mentioning. In certain flows the access token is accompanied by a refresh token, which the client presents to the token endpoint (with grant_type=refresh_token) to obtain a new access token without requiring the user to re-authenticate. Because refresh tokens are long-lived, they must be stored as carefully as passwords; good practice is to rotate them on every use and to revoke the whole chain if an already-used one is presented again.
Refresh Token: sf3g98fcye7654oqw321qgqw0few25flawt3
It's important to note that the actual format and structure of these tokens or credentials can vary based on the implementation and the specific requirements of the authorization server.
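To make the token-endpoint side of the grant types above concrete, here is an added example (written for this article, not any provider's implementation) of a small token endpoint that serves client_credentials and refresh_token requests, refuses the password grant, and rotates refresh tokens with reuse detection. It reuses the illustrative client credentials from the text (abc123 / xyz456); the in-memory stores, the one-hour lifetime and the helper seed_user_grant (which stands in for a completed authorization code grant) are assumptions.

```python
"""Constructed OAuth 2.0 token endpoint for the client_credentials and refresh_token
grants. Credentials, lifetimes and in-memory storage are illustrative assumptions."""
import hashlib
import hmac
import secrets
import time

ACCESS_TTL = 3600   # assumed access-token lifetime in seconds


def _digest(secret: str) -> str:
    # Store a hash of the client secret, never the secret itself.
    return hashlib.sha256(secret.encode()).hexdigest()


CLIENTS = {"abc123": {"secret_hash": _digest("xyz456"),
                      "grants": {"client_credentials", "refresh_token"},
                      "allowed_scopes": {"tweet.read", "tweet.write"}}}
ACCESS_TOKENS = {}    # access token -> {client_id, scope, exp}
REFRESH_TOKENS = {}   # refresh token -> {client_id, scope, family, used}


def _authenticate(client_id, client_secret):
    client = CLIENTS.get(client_id)
    if client is None or not hmac.compare_digest(client["secret_hash"], _digest(client_secret)):
        return None   # constant-time comparison of the hashes
    return client


def _issue(client_id, scope, family=None, with_refresh=False):
    access = secrets.token_urlsafe(32)
    ACCESS_TOKENS[access] = {"client_id": client_id, "scope": scope, "exp": time.time() + ACCESS_TTL}
    resp = {"access_token": access, "token_type": "Bearer", "expires_in": ACCESS_TTL, "scope": scope}
    if with_refresh:
        refresh = secrets.token_urlsafe(32)
        REFRESH_TOKENS[refresh] = {"client_id": client_id, "scope": scope, "family": family, "used": False}
        resp["refresh_token"] = refresh
    return resp


def seed_user_grant(client_id, scope):
    """Stand-in for a completed authorization code grant: yields the first refresh token."""
    return _issue(client_id, scope, family=secrets.token_hex(8), with_refresh=True)


def token_endpoint(form):
    """Dispatch on grant_type. Returns (http_status, json_body)."""
    client = _authenticate(form.get("client_id", ""), form.get("client_secret", ""))
    if client is None:
        return 401, {"error": "invalid_client"}
    grant = form.get("grant_type")
    if grant == "password":
        # Resource owner password credentials: refused, the client must never hold the password.
        return 400, {"error": "unsupported_grant_type"}
    if grant not in client["grants"]:
        return 400, {"error": "unauthorized_client"}
    if grant == "client_credentials":
        scope = form.get("scope", "")
        if not set(scope.split()) <= client["allowed_scopes"]:
            return 400, {"error": "invalid_scope"}
        # No user involved, so no refresh token: the client can simply authenticate again.
        return 200, _issue(form["client_id"], scope)
    if grant == "refresh_token":
        rec = REFRESH_TOKENS.get(form.get("refresh_token", ""))
        if rec is None or rec["client_id"] != form["client_id"]:
            return 400, {"error": "invalid_grant"}
        if rec["used"]:
            # A rotated token presented again means it leaked (or the client was cloned):
            # revoke every refresh token in the family so neither party can continue.
            for other in REFRESH_TOKENS.values():
                if other["family"] == rec["family"]:
                    other["used"] = True
            return 400, {"error": "invalid_grant", "error_description": "refresh token reuse"}
        rec["used"] = True   # rotation: each refresh token works exactly once
        return 200, _issue(form["client_id"], rec["scope"], rec["family"], with_refresh=True)
    return 400, {"error": "unsupported_grant_type"}
```

The reuse check is the part worth copying: once a refresh token has been rotated, a second presentation of the old one is treated as evidence of theft, and the server revokes the whole family rather than guessing which holder is the legitimate client.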
If you would like to understand how Authentication / Authorization work on a basic level, you can refer to this article that I posted a few months back:
OAuth involves several components that work together to let a third-party application (Socialite) access protected resources (posting tweets or following users) on behalf of a user. The primary components are the resource owner (the user who owns the Twitter account), the client (Socialite), the authorization server (the Twitter server that authenticates the user, records consent and issues tokens), and the resource server (the Twitter API that holds the protected resources and accepts access tokens).
In conclusion, OAuth (specifically OAuth 2.0) is an open standard protocol that provides a secure and standardized way for third-party applications to access protected resources on behalf of a user, without exposing the user's credentials. It is widely used in various contexts, such as social media integration, calendar applications, and other scenarios where secure access to user data is needed.