OAuth 2.0 explained
1. What’s the purpose of OAuth 2.0?
OAuth 2.0 is a protocol for granting clients limited access to a protected web service or API. This is done by an authorisation server which issues the clients with access tokens, typically of type bearer.
2. Why has OAuth 2.0 become so successful?
OAuth 2.0 became popular long before the spec was finalised. It inspired people to spawn a number of complementing extensions, such as OpenID Connect.
The protocol was born in the social apps space where integration simplicity is key to increasing a web API’s adoption rate:
- Complexity is shifted to the server, easing client-side programming.
- Simplified client-server flows.
- Bearer instead of signed tokens.
- Can be used for third-party login.
3. How do clients obtain an access token?
The access token is issued in exchange for a valid "grant" - a somewhat abstract term which can be of the following types:
- password credentials grant, where the client passes the user’s name and password to the server;
- client credentials grant, where the client passes its own identifier and password;
- JWT or SAML assertion (signed proof of something).
4. The access token
The access token is an opaque string which has an associated scope and lifetime, and may optionally allow refreshing.
The access token is of type bearer: whoever holds the token is allowed to make an HTTP request to the protected web API. The caveat is that access tokens must be kept secret at all times and only used over HTTPS.
The access token is typically passed with the Authorization header of the HTTP request:
Authorization: Bearer mF_9.B5f-4.1JqM
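The resource-server side of that header, as an added example (not code from the original article): it parses the `Authorization: Bearer` header, looks the opaque token up in a constructed in-memory store, enforces the token's lifetime and scope, and answers with the `WWW-Authenticate` error codes RFC 6750 defines. The token store and the `realm` value are assumptions for illustration.

```python
import re
import time
from dataclasses import dataclass

# RFC 6750 b64token syntax: 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="
BEARER_RE = re.compile(r"^Bearer +([A-Za-z0-9\-._~+/]+=*)$", re.IGNORECASE)


@dataclass
class TokenRecord:
    scope: set          # scopes granted to this token
    expires_at: float   # Unix time after which the token is no longer valid


# Constructed sample token store (assumption). A real resource server would keep
# this in a database or ask the authorisation server whether the token is valid;
# the token value is opaque to the client either way.
TOKENS = {
    "mF_9.B5f-4.1JqM": TokenRecord({"read", "write"}, time.time() + 3600),
    "expired.token": TokenRecord({"read"}, time.time() - 1),
}


def check_bearer(headers, required_scope, now=None):
    """Return (HTTP status, WWW-Authenticate header or None) for a request
    that needs `required_scope`, following the RFC 6750 error codes."""
    now = time.time() if now is None else now
    auth = headers.get("Authorization")
    # No bearer credentials at all: challenge the client, without an error code.
    if auth is None or not auth.lower().startswith("bearer"):
        return 401, 'Bearer realm="api"'
    m = BEARER_RE.match(auth)
    # Scheme is right but the token does not follow the b64token syntax.
    if not m:
        return 400, 'Bearer realm="api", error="invalid_request"'
    rec = TOKENS.get(m.group(1))
    # Unknown or expired token: the client should obtain a new one.
    if rec is None or rec.expires_at <= now:
        return 401, 'Bearer realm="api", error="invalid_token"'
    # Valid token, but its scope does not cover this resource.
    if required_scope not in rec.scope:
        return 403, ('Bearer realm="api", error="insufficient_scope", '
                     f'scope="{required_scope}"')
    return 200, None
```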
5. Implementation flexibility
OAuth 2.0 offers implementers ample flexibility:
- The authorisation server is free to decide how users get authenticated.
- The authorisation server is also free to decide how the permission is obtained.
- The access token is an opaque string and the server is free to decide what gets encoded into it.
The essence of OAuth 2.0 is in these two core specs:
- The OAuth 2.0 Authorization Framework (RFC 6749)
- The OAuth 2.0 Authorization Framework: Bearer Token Usage (RFC 6750)
The security implications of OAuth are described in this document:
Most of the OAuth 2.0 extensions are stable now, but still technically work in progress:
- JSON Web Token
- OAuth 2.0 Dynamic Client Registration Core Protocol
- OAuth 2.0 Dynamic Client Registration Management Protocol
- OAuth 2.0 Dynamic Client Registration Metadata
- Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants
- JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants
- SAML 2.0 Profile for OAuth 2.0 Client Authentication and Authorization Grants