What is OAuth 2.0 ?
If you are a frequent app user using new apps you most likely have used OAuth 2. OAuth provides an application a form of Authentication and Authorization. Authentication confirms you are who you say you are, while authorization is to give a third part app access to your primary application. Taking an example;
Suppose that you have the new app (eg. TaskMaster) that you can use as a task list but it would like to leverage and copy your google task list. Task master first needs to know who you are and then talk to google to gain access to your google task list. This used to be very cumbersome process but can now easily be accomplished using OAuth.
The most commonly used OAuth providers who have a large adoption are Google, Facebook, Twitter and Amazon. They have a higher adoption simply because of the number of people using their service. However if an app would like to integrate with your SalesForce data then you would be using its OAuth.
API Flow Diagram
There are three Entities in an O-Auth Flow-
- User – You
- Client Application – New app which you would like to connect with the below mentioned services or a new service which just wants authorization from the authorization service.
- Authorization Server -Google, Facebook, Twitter, Salesforce, Your Bank.
- Resource Server – A part of the authorizing service. Example would be a part of google that you would like the client application to have access to.
- The user requests a service from the client.
- The client gives options to the user to choose from various Authorization Services that the user may already be a part of.It could be any service Google, Facebook, Twitter, etc.
- The client redirects the user to Google SSL page where the user enters his login and password.
- Google then authorizes the user and displays to the user the app that is requesting access and what applications of google it would be exposing the the client.
- User then approves the authorizing service to grant access or restricts the type of access.
- Google / The authorizing app validates the user (Authentication) & the level of access (Authorization)
- This Authentication & Authorization is sent back to the user which the client sends back to the Authorization Server.
- The authorizing app then furnishes a Token to the client app.
- The client app then uses the token to retrieve information from the Resource server. Think about the resource server as google tasks app or to post on your facebook wall. You have given the client app access to a selected part of the resource server.
- The client app would then confirm to the user that the authentication is successful and it can now import your google tasks into the new client app.
The client App normally needs to get App creds from Google or the Authorizing service. This is for the Auth Service to know the app that is requesting for the users credentials. It is important to remember to get the Token we need two pieces of creds user creds &. App Creds. Tokens have a TTL but the app can always ask for a new token as long as the user has not revoked permission for the app.
Where and how does OAuth Really help from a user perspective
- Signing up for a new account or new apps are easy. You do not a user to enter 10 fields to create an account. Eg – first name, last name, user name, enter password twice.. etc
- User does not need to remember many passwords for every single app. We all know that you have only one password that you use everywhere 😛 .. ok maybe two
- You can seamlessly integrate with your primary apps restricting access to the level you would like to give access to the partner or new app.
- You can at any time revoke access for the app.
- The authentication service could potentially revoke access to all apps if there is a data breach on a particular app. This is good for the user.
Where and how does OAuth Really help from an Application perspective
- Faster customer on-boarding
- You do not need to worry about the security when storing the username and password because you do not necessarily store the username and password.
- You can connect with multiple apps. Think about all the apps which link facebook, twitter, instagram, pinterest into one app.
Do you use Oauth ? What are the challenges you have faced while using Oauth ?
OAuth 2 – The Fundamentals