OAuth is an open protocol that lets web, mobile and desktop applications obtain authorization in a simple, standard way.
It specifies a process for resource owners to authorize third-party access to their server resources without sharing their credentials.
Designed specifically to work with Hypertext Transfer Protocol (HTTP), OAuth essentially allows access tokens to be issued to third-party clients by an authorization server, with the approval of the resource owner. The third party then uses the access token to access the protected resources hosted by the resource server.
OAuth2 Roles: OAuth2 defines four roles.
- Resource Owner: The entity (usually the end user) that owns the protected resource and can grant access to it.
- Resource Server: The server hosting the protected resources; it accepts requests that carry an access token and serves them only after validating the token.
- Client: The application that accesses the resource server on behalf of the resource owner, using an access token.
- Authorization Server: The server that issues access tokens to the client after authenticating the resource owner and obtaining the resource owner's authorization.
OAuth2 Tokens: Tokens are opaque to the client; their format is implementation-specific, typically either a random string that references state held by the authorization server, or a self-contained signed token such as a JWT.
- Access Token: The client sends it with each request to the resource server (for bearer tokens, in the HTTP header Authorization: Bearer <token>). Access tokens are short-lived; a lifetime of about an hour is common, and the resource server must reject an expired or unknown token.
Authorization Workflow
The OAuth2 authorization flow, at a high level, is:
- The client requests authorization from the resource owner (typically by redirecting the user to the authorization server).
- The resource owner authenticates to the authorization server and grants permission; the client receives an authorization grant (for example, an authorization code).
- The client requests an access token from the authorization server, presenting the authorization grant (and, for confidential clients, its own credentials).
- The authorization server validates the grant and sends the access token to the client.
- The client presents the access token to the resource server with each request for a protected resource.
- The resource server validates the access token (including its expiry and scope) and serves the request, or rejects it with an error if the token is invalid.
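The workflow above and the token section, as an added in-process example (this is illustrative code written for this page, not code from any OAuth2 library or the original page). It simulates the authorization code flow with all four roles: the authorization server issues a one-time authorization code, exchanges it for an opaque random access token, and the resource server validates the bearer token (lookup, expiry, scope) before serving. The user login and consent screen is assumed to have already happened when authorize() is called; the client id "app123", redirect URI, user "alice" and the profile data are constructed sample values, and the fixed clock is used so expiry can be exercised deterministically. A real deployment additionally needs TLS, client authentication, PKCE and persistent storage.

```python
"""Minimal in-process simulation of the OAuth2 authorization code flow.
Added example, not from the original page. Tokens are random opaque strings
referenced from a server-side table (one valid implementation choice).
"""
import secrets
import time
from dataclasses import dataclass, field

CODE_LIFETIME = 60      # seconds an authorization code stays valid
TOKEN_LIFETIME = 3600   # seconds an access token stays valid


@dataclass
class AuthorizationServer:
    clients: dict                                 # client_id -> registered redirect_uri
    _codes: dict = field(default_factory=dict)    # code -> (client_id, user, scope, expires)
    _tokens: dict = field(default_factory=dict)   # token -> (user, scope, expires)

    def authorize(self, client_id, redirect_uri, scope, user, now=None):
        """Steps 1-2: client requests authorization; the resource owner (user) is
        assumed to have authenticated and consented. Returns an authorization code."""
        now = time.time() if now is None else now
        if self.clients.get(client_id) != redirect_uri:
            raise ValueError("unknown client or redirect_uri mismatch")
        code = secrets.token_urlsafe(32)
        self._codes[code] = (client_id, user, scope, now + CODE_LIFETIME)
        return code

    def token(self, client_id, code, redirect_uri, now=None):
        """Steps 3-4: exchange the one-time code for an access token."""
        now = time.time() if now is None else now
        entry = self._codes.pop(code, None)   # consumed on first use, whatever the outcome
        if entry is None:
            raise ValueError("invalid_grant: unknown or already used code")
        issued_to, user, scope, expires = entry
        if issued_to != client_id or self.clients.get(client_id) != redirect_uri:
            raise ValueError("invalid_grant: code was issued to a different client")
        if now > expires:
            raise ValueError("invalid_grant: code expired")
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (user, scope, now + TOKEN_LIFETIME)
        return {"access_token": token, "token_type": "Bearer", "expires_in": TOKEN_LIFETIME}

    def introspect(self, token, now=None):
        """Token lookup as a resource server would do it (shared store or an
        introspection endpoint). Returns None if the token is unknown or expired."""
        now = time.time() if now is None else now
        entry = self._tokens.get(token)
        if entry is None or now > entry[2]:
            return None
        return {"user": entry[0], "scope": entry[1]}


@dataclass
class ResourceServer:
    auth_server: AuthorizationServer
    data: dict                                    # user -> protected resource

    def get_profile(self, headers, now=None):
        """Steps 5-6: validate the bearer token, then serve or reject."""
        scheme, _, token = headers.get("Authorization", "").partition(" ")
        if scheme != "Bearer" or not token:
            return 401, {"error": "invalid_request"}
        info = self.auth_server.introspect(token, now)
        if info is None:
            return 401, {"error": "invalid_token"}
        if "profile" not in info["scope"].split():
            return 403, {"error": "insufficient_scope"}
        return 200, self.data[info["user"]]


def run_flow(now=1_700_000_000):
    """Drive the six workflow steps end to end with constructed sample data."""
    redirect = "https://client.example/cb"        # hypothetical registered redirect URI
    auth = AuthorizationServer(clients={"app123": redirect})
    rs = ResourceServer(auth, data={"alice": {"name": "Alice", "email": "alice@example.org"}})

    code = auth.authorize("app123", redirect, "profile", user="alice", now=now)
    tok = auth.token("app123", code, redirect, now=now)
    bearer = {"Authorization": f"Bearer {tok['access_token']}"}
    status, body = rs.get_profile(bearer, now=now)

    # Failure modes: replaying the code must fail, and the token must be
    # rejected once its lifetime has passed.
    try:
        auth.token("app123", code, redirect, now=now)
        replay_ok = True
    except ValueError:
        replay_ok = False
    expired_status, _ = rs.get_profile(bearer, now=now + TOKEN_LIFETIME + 1)
    return status, body, replay_ok, expired_status


if __name__ == "__main__":
    print(run_flow())
```

The two checks at the end of run_flow() are the ones practitioners most often find missing in home-grown implementations: the authorization code is popped from the table before any other validation, so a replayed or stolen code cannot be exchanged twice, and the resource server never trusts a token it cannot look up and confirm is unexpired.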