The Basics of OAuth 2.0

Learn more about OAuth 2.0 and its components.

OAuth 2.0 is not an authentication protocol; it is an authorization protocol. Its primary purpose is to give access to resources like user data, remote APIs, and so on. The difference between authorization and authentication can often be tricky to understand. The authentication process involves verifying who the user is. Once a user has been authenticated, the authorization process involves deciding which resources a user can access and modify. OAuth 2.0 does its primary job with the help of access tokens.

An access token is a string provided by the resource host to the third-party application. It is used to access user resources on behalf of the user. These tokens usually have associated information such as the token lifespan and the resources this token can be used to access. However, the token issuers can associate the information of their choice with these tokens.

Here's what an access token looks like (a dummy token, for illustration):

U2FsdGVkX190QKBYAZ0umTTbEgvPe6/ZXVKVmJBFcpyseITT4Stuxh9w4z3vIYQRxNe6Dt8P4ue

Let's see how we can use this access token in API calls. The code below is a function that shows how to present an access token while calling a Google API; it is illustrative only, since the token is a dummy.

async function callGoogleAPI() {
  const endpointUrl = new URL('https://www.googleapis.com/oauth2/v1/userinfo');
  // The access token travels as a bearer credential in the Authorization header.
  const headerParameters = {
    'Authorization': 'Bearer U2FsdGVkX190QKBYAZ0umTTbEgvPe6/ZXVKVmJBFcpyseITT4Stuxh9w4z3vIYQRxNe6Dt8P4ue',
    'Accept': 'application/json'
  };
  const options = {
    method: 'GET',
    headers: headerParameters
  };
  try {
    const response = await fetch(endpointUrl, options);
    // An invalid or expired token yields a 401 response instead of user data.
    console.log(response.status, await response.json());
  } catch (error) {
    console.error(error);
  }
}

The token is placed in the Authorization header, using the Bearer scheme, and sent along with the API call.

The information associated with the tokens is also guided by the access token scopes. Access token scopes specify two things:

  • The resources that can be accessed using the access token.

  • The kind of access the token provides to the resources.

The required scopes are specified by the third-party applications while using the Authorization endpoint. The information regarding the requested scopes is then displayed to the resource owner on the consent screen. The access token provides access only to the resources whose scopes have been granted by the resource owner. To get a better idea of how consent screens look, look at Google's consent screen below:

Google's consent screen

Note: OAuth doesn't define any particular values for scopes. The acceptable scope values and the corresponding resources are dependent on the server hosting the resources.
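As an added example (not code from the original lesson), here is how a resource server can turn granted scopes into per-request decisions, and how the consent step narrows the requested scopes down to what the resource owner actually allowed. The scope names, the table of resources and the sample token record are constructed for illustration; as the note says, OAuth 2.0 itself leaves scope values to the resource host.

```javascript
// Added example: scope handling on the resource-server side. Scope names, the
// resource table and the sample token are constructed; OAuth 2.0 does not
// define scope values, so a real server would use its own.

// Which scopes each resource demands (constructed). Reading and deleting are
// separate scopes, reflecting the two things a scope specifies: which resource
// and what kind of access.
const RESOURCE_SCOPES = {
  'GET /userinfo': ['profile'],
  'GET /userinfo/email': ['profile', 'email'],
  'DELETE /photos': ['photos.write'],
};

// Scopes travel as a space-separated, case-sensitive string (RFC 6749, 3.3).
function parseScopes(scopeString) {
  return new Set((scopeString || '').trim().split(/\s+/).filter(Boolean));
}

// Consent-screen outcome: what the client asked for versus what the resource
// owner allowed. The token is issued only with the intersection of the two.
function consentOutcome(requestedScopes, ownerApprovedScopes) {
  const requested = parseScopes(requestedScopes);
  const approved = parseScopes(ownerApprovedScopes);
  const issued = [...requested].filter((s) => approved.has(s));
  const declined = [...requested].filter((s) => !approved.has(s));
  return { issued: issued.join(' '), declined };
}

// Resource-server decision for one request. `token` is the record the server
// holds (or has introspected) for the presented access token.
function authorizeRequest(method, path, token) {
  const required = RESOURCE_SCOPES[`${method} ${path}`];
  if (!required) return { allowed: false, status: 404 };
  const granted = parseScopes(token.scope);
  const missing = required.filter((s) => !granted.has(s));
  if (missing.length > 0) {
    // RFC 6750: answer 403 with a Bearer challenge naming the scope needed.
    return {
      allowed: false,
      status: 403,
      wwwAuthenticate: `Bearer error="insufficient_scope", scope="${required.join(' ')}"`,
    };
  }
  return { allowed: true, status: 200 };
}

// Constructed token record: the client asked for three scopes, the owner
// approved two, so the token carries only "profile email".
const SAMPLE_TOKEN = {
  scope: consentOutcome('profile email photos.write', 'profile email').issued,
};
```

Run `authorizeRequest('DELETE', '/photos', SAMPLE_TOKEN)` and the result is a 403 with the `insufficient_scope` challenge, while `GET /userinfo` succeeds; the point is that the token, not the client's original request, decides what is reachable.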

These access tokens only last for a certain amount of time before they expire. Once the token has expired, the client will have to repeat the OAuth workflow to get a new access token. So, some hosting services provide a refresh token along with the access token to tackle this issue.

What is a refresh token?

A refresh token is a string similar to the access token, which can be exchanged for a new access token. The access token issued in response may have a shorter life span and fewer permissions than the original access token.

Note: Not all hosting services provide a refresh token along with the access token.

OAuth entities

In the OAuth workflow, multiple entities communicate with one another. The following four roles are at the core of OAuth 2.0’s authorization framework:

  • Resource owner
  • Client
  • Authorization server
  • Resource server

The illustration below shows these entities and the generic interaction between them.

General workflow

  • Resource owner: The owner of the secured resources. The resource owner holds power to permit the use of these resources.

  • Client: The third-party application that needs permission to access the secured resources owned by the resource owner. In the context of OAuth 2.0, the client should have the appropriate access token to gain access to these resources.

  • Authorization server: The server where all client requests for access tokens are directed. This server gets the resource owner’s consent and then issues the access tokens. The authorization server supports two endpoints:

    • Authorization endpoint: Handles the consent of the resource owner.
    • Token endpoint: Used in machine-to-machine communication to get the access token after the resource owner’s authorization.

  • Resource server: Hosts the secured resources that the client wants to use. Upon receiving access requests from the client, it first verifies the provided access token and then grants access to the requested resources.