Abstract
- Stands for Open Authorization
- Only for Authorisation
- Authorization Server gets Consent from Resource Owner to generate Access Token for Client to access Resource Server with refined permission control
Benefits
Refined Permission Control
- We don’t need to hand the account’s password to the Client, which would grant it full control and carry the high risk associated with sharing a password
- We can give the Client permission to access only the username and the account’s contacts, nothing else
Smaller Attack Surface
- An Access Token can carry a TTL so it expires automatically, without manual intervention and without a negative impact on UX
Resource Owner
Owner of the identity, i.e. the live user themselves
Consent
- The Authorization Server takes the Scope the Client is requesting and presents it to the Resource Owner, who decides whether to grant the permissions
- The Resource Owner is directed to the consent page by the Client app. The Client app includes its Client ID, Redirect URI, Response Type and Scope when redirecting the Resource Owner to the consent page on the Authorization Server
Microsoft Entra ID
Google Account
- You can manage the apps you have consented to here
Github Account
- You can manage the apps you have consented to here
Client
Third-party application that wants to find out more about the Resource Owner and carry out actions on his/her behalf
Scope
- The refined permissions Client wants
- Specifies permissions to access the types of data & types of actions on Resource Server etc
Client ID
- ID used to identify the Client with the Authorization Server
Client Secret
- Secret that only the Client & the Authorization Server know
- This allows both entities to share information privately
- Used by the Client to verify its identity with the Authorization Server
Access Token
- Client sends its Client ID, Client Secret and the Authorization Code to the Authorization Server to obtain the Access Token
- The key the Client uses to communicate with the Resource Server on behalf of the Resource Owner
- Used for Authorisation, NOT Authentication
Authorization Server
- The application that hosts the account of the Resource Owner
- Single source for identity
Redirect URI
- Also known as Callback URI
- The URI the Authorization Server will redirect the Resource Owner back to after granting permissions to Client
- It is a URL on the Client
Response Type
- The type of information Client expects to receive
- Most common type is Authorization Code
Authorization Code
- Short-lived code Authorization Server sends back to the Client
Resource Server
- The API that Client wants to use on behalf of the Resource Owner (Identity)
- In some cases, both Authorization Server & Resource Server are bundled together
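The consent redirect (Client ID, Redirect URI, Response Type, Scope) and the later exchange of the Authorization Code plus Client Secret for an Access Token, as an added in-process example that is not part of the original notes. The Authorization Server, client registration, endpoints and sample values are all constructed for illustration; the redirects are simulated as function calls, and the example also shows the checks each side should make (exact Redirect URI match, single-use short-lived code, state check on the callback).

```python
import secrets, time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed sample registration; not values from any real provider.
CLIENT_ID, CLIENT_SECRET = "example-client", "example-secret"
REDIRECT_URI = "https://client.example/callback"

class AuthorizationServer:
    """Tiny in-memory Authorization Server: consent, code issuance, token exchange."""
    def __init__(self, code_ttl=60):
        self.clients = {CLIENT_ID: {"secret": CLIENT_SECRET, "redirect_uri": REDIRECT_URI}}
        self.codes, self.code_ttl = {}, code_ttl
    def authorize(self, params, consent_granted):
        client = self.clients.get(params.get("client_id"))
        # Exact match against the registered Redirect URI: never send a code elsewhere.
        if client is None or params.get("redirect_uri") != client["redirect_uri"]:
            raise ValueError("unknown client or redirect_uri mismatch")
        if params.get("response_type") != "code" or not consent_granted:
            raise ValueError("request rejected or consent denied")
        code = secrets.token_urlsafe(16)  # short-lived, single-use Authorization Code
        self.codes[code] = {"client_id": params["client_id"], "redirect_uri": params["redirect_uri"],
                            "scope": params["scope"], "exp": time.time() + self.code_ttl}
        return f"{params['redirect_uri']}?{urlencode({'code': code, 'state': params['state']})}"
    def token(self, client_id, client_secret, code, redirect_uri):
        client = self.clients.get(client_id)
        if client is None or not secrets.compare_digest(client_secret, client["secret"]):
            raise ValueError("client authentication failed")
        grant = self.codes.pop(code, None)  # pop: a code can be redeemed once only
        if (grant is None or grant["exp"] < time.time() or grant["client_id"] != client_id
                or grant["redirect_uri"] != redirect_uri):
            raise ValueError("invalid or expired authorization code")
        return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer",
                "expires_in": 3600, "scope": grant["scope"]}

def build_authorization_url(auth_endpoint, scope, state):
    """Client side: the redirect to the consent page carrying the four request fields."""
    return auth_endpoint + "?" + urlencode({"client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
                                            "response_type": "code", "scope": scope, "state": state})

def handle_callback(callback_url, expected_state):
    """Client side: only accept a code whose state matches the one this client generated."""
    q = parse_qs(urlparse(callback_url).query)
    if q.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback not tied to a request we started")
    return q["code"][0]

def run_flow(server, scope="profile contacts", consent=True):
    """Drive the whole exchange: consent redirect -> callback -> code-for-token exchange."""
    state = secrets.token_urlsafe(8)
    url = build_authorization_url("https://auth.example/authorize", scope, state)
    request = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    code = handle_callback(server.authorize(request, consent), state)
    return server.token(CLIENT_ID, CLIENT_SECRET, code, REDIRECT_URI)
```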