CS Notes

Search

Recent Updates

GPU
May 17, 2024
Graph Data Structure
May 17, 2024
Tree
May 17, 2024

See 486 more →

❯

❯

❯

OAuth 2.0

452 words, 3 min read
Last updated on Dec 30, 2023
🌟 Edit This Page! 🗓️ History

security

Abstract

Stands for Open Authorization
Only for Authorisation
Authorization Server gets Consent from Resource Owner to generate Access Token for Client to access Resource Server with refined permission control

Benefits

Refined Permission Control

We don’t need to provide password of the account to Client which grants them full control & high risk associated with sharing password
We can give Client permissions to access only username and account’s contacts, nothing else

Smaller Attack Surface

Access Token can be attached with a TTL to expire automatically without manual intervention & creating negative impact on UX

Resource Owner

Owner of the identity, live user themselves

Consent

The Authorization Server takes the Scope the Client is requesting and verifies it with the Resource Owner, see if he/she wants to grant the permissions
Resource Owner is directed to the consent page by the client app. Client app includes its Client ID, Redirect URI, Response Type and Scope when redirecting the resource owner to the consent page on the authorization server

Microsoft Entra ID

You can read up on the breakdown of each components here
You can manage the apps you consented here

Google Account

You can manage the apps you consented here

Github Account

You can manage the apps you consented here

Client

Third-party application that wants to find out more about the Resource Owner and carry out actions on the behalf of him/her

Scope

The refined permissions Client wants
Specifies permissions to access the types of data & types of actions on Resource Server etc

Client ID

ID used to identify the Client with the Authorization Server

Client Secret

Secret that only the Client & the Authorization Server know
This allows both entities to share information privately
Used by the Client to verify its identity with the Authorization Server

Access Token

Client sends its Client ID, Client Secret and the Authorization Code to the Authorization Server to obtain the Access Token
The key the Client uses to communicate with the Resource Server on the behalf of Resource Owner
Used for Authorisation, NOT Authentication

Authorization Server

The application that hosts the account of the Resource Owner
Single source for identity

Redirect URI

Also known as Callback URI
The URI the Authorization Server will redirect the Resource Owner back to after granting permissions to Client
It is the url on the Client

Response Type

The type of information Client expects to receive
Most common type is Authorization Code

Authorization Code

Short-lived code Authorization Server sends back to the Client

Resource Server

The API that Client wants to use on behalf of the Resource Owner (Identity)
In some cases, both Authorization Server & Resource Server are bundled together

References

An Illustrated Guide to OAuth and OpenID Connect
Udemy Course

Abstract
Benefits
Refined Permission Control
Smaller Attack Surface
Resource Owner
Consent
Client
Scope
Client ID
Client Secret
Access Token
Authorization Server
Redirect URI
Response Type
Authorization Code
Resource Server
References

Backlinks

OIDC Authentication
OAuth 2.0

Graph View

Created by Xinyang YU, © 2023 - 2024

GitHub