OAuth

Introduction

The IETF develops and publishes the OAuth specifications.

Before OAuth, Basic Authentication (sending the username and password with each request) was used.

First released in 2007.

The main mechanism of OAuth is browser redirects between the application and the authorization server.

Security

Authentication is the process of confirming a user's identity.
Authorization, which is what OAuth provides, is access control: deciding what an application may do on the user's behalf.

OAuth vs OpenID Connect

OAuth

Lets apps access an API.
OAuth issues Access Tokens.
Used to access the API.

OpenID Connect

Is an extension of OAuth.
OpenID Connect issues ID Tokens (a statement about the user).
Used for identifying the user.
ID Tokens are JWTs.

OAuth Roles

  1. User (Resource Owner)
  2. Device (User Agent)
  3. Application (Client)
  4. API (Resource Server)
  5. Authorization Server
    This is where the user enters their password.

Types of Applications

Confidential Client
Apps running on a server.
Can hold a Client Secret.

Credentialed Client

Public Client
Apps running in the browser or on a device (website JavaScript, mobile), which cannot keep a client secret.

Password Grant (the app collects the user's email and password directly).
Contrast with redirect-based flows, where users only type their password into the Authorization Server, never into the application.

Front Channel and Back Channel

Back Channel

The normal, secure way.
Client-to-server HTTPS connection.
AJAX or fetch.

Front Channel

GET parameters in the address bar, passed through the user's browser.

Implicit Flow uses only the front channel (no back channel), so the token itself travels in the URL.

Application Identity

OAuth Client
ClientId

Authentication Flow

The application builds a URL and redirects the user's browser to the authorization server.
The request will have:
ClientId
RedirectURL
The server will send back (via a redirect to the RedirectURL):
an Authorization Code, which the application then exchanges for an access token over the back channel.

PKCE

Proof Key for Code Exchange: the client sends a hash of a one-time secret with the authorization request and the secret itself when exchanging the code, so a stolen code alone cannot be redeemed.
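The two sections above (the redirect-based flow and PKCE) fit together in one procedure. The following is an added example, not code from the original notes or from oauth.net: it generates a PKCE verifier/challenge pair, builds the front-channel authorization URL with client_id, redirect_uri and a state value, parses the redirect back (rejecting a state mismatch), builds the back-channel token request, and shows the check the authorization server performs at the token endpoint. The endpoints, client id and the authorization code in the callback are constructed placeholders; no network calls are made.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical endpoints and client registration (constructed for this example).
AUTHORIZE_ENDPOINT = "https://auth.example.com/authorize"
TOKEN_ENDPOINT = "https://auth.example.com/token"
CLIENT_ID = "example-client-id"
REDIRECT_URI = "https://app.example.com/callback"


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_pkce_pair():
    """Return (code_verifier, code_challenge) using the S256 method."""
    verifier = b64url(secrets.token_bytes(32))  # 43 characters of high-entropy secret
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def build_authorization_url(state: str, code_challenge: str, scope: str = "openid profile") -> str:
    """Front channel: the client redirects the browser here; everything is a GET parameter."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Extract the authorization code from the redirect back; a state mismatch is rejected (CSRF defence)."""
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: possible CSRF or mixed-up session")
    if "error" in query:
        raise ValueError(f"authorization server returned error: {query['error'][0]}")
    return query["code"][0]


def build_token_request(code: str, code_verifier: str) -> dict:
    """Back channel: body of the HTTPS POST to the token endpoint, sent server-to-server, never via the browser."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "code_verifier": code_verifier,
    }


def server_verifies_pkce(stored_challenge: str, presented_verifier: str) -> bool:
    """Authorization-server side: recompute S256 over the presented verifier and compare to the stored challenge."""
    recomputed = b64url(hashlib.sha256(presented_verifier.encode("ascii")).digest())
    return secrets.compare_digest(recomputed, stored_challenge)


def run_flow_demo() -> bool:
    """Walk the whole flow with a constructed callback; True when the code exchange would be accepted."""
    verifier, challenge = make_pkce_pair()
    state = b64url(secrets.token_bytes(16))
    auth_url = build_authorization_url(state, challenge)  # the browser would be sent here
    # Constructed callback, as if the server redirected the browser back with a code and our state.
    callback = f"{REDIRECT_URI}?{urlencode({'code': 'SplxlOBeZQQYbYS6WxSbIA', 'state': state})}"
    code = parse_callback(callback, state)
    token_req = build_token_request(code, verifier)
    return server_verifies_pkce(challenge, token_req["code_verifier"])


if __name__ == "__main__":
    print(run_flow_demo())
```

The verifier never leaves the client until the back-channel exchange, and the challenge sent on the front channel is a one-way hash of it, which is why an attacker who observes the redirect and captures the code still cannot complete the exchange; the state check defends the same redirect against cross-site request forgery.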

References

Website

https://oauth.net/

Courses

https://www.udemy.com/course/oauth-2-simplified/
https://www.linkedin.com/learning/connecting-linkedin-learning-with-your-organization-s-systems-q1-2021
https://www.linkedin.com/learning/web-security-user-authentication-and-access-control/best-practices-for-user-authentication-and-access-control

Videos

YouTube Channels