OAuth: The Authorization Framework
Learn about the OAuth framework and its role.
Introduction
In this lesson, we'll explore a popular framework that builds on top of the security protocols we mentioned previously and extends them to implement authorization. Such an extension is necessary because the protocols we studied earlier (HTTP authentication, API keys, JWTs) by themselves are not sufficient and have limitations, such as:
- Using API keys as a standalone authentication mechanism isn't sufficient because they require a separate solution for their secure transmission.
- Repeated transmission of tokens for authentication increases the probability of interception by an attacker.
These and other issues require frameworks that combine individual protocols into a complete solution able to achieve security goals effectively. One benefit of having a standard authorization mechanism is that security experts can vet the complex security issues once, instead of everyone inventing their own solutions that might have security bugs. One of these frameworks is OAuth 2.0. OAuth 2.0, short for Open Authorization 2.0, is the preferred way of authorizing access to an API. It's a technological standard that allows applications to access resources hosted by other web apps through an API on behalf of a user.
Let's begin by expanding on OAuth 2.0.
What is OAuth 2.0?
OAuth 2.0 is an industry-standard implementation of token-based authorization that was developed through a collaboration between Google and Twitter in 2010. It's built on top of OAuth 1.0, which was developed in 2007. Using OAuth, we can grant API clients access to specific user information without exposing the user's credentials. This information can be used to create accounts on third-party applications without sharing sensitive user credentials (like passwords).
OAuth does this with two guarantees:
- Authorization is provided for a limited time to specific resources only.
- User account information is shared without the transmission of authentication information such as passwords to any third party.
As a real-life example, assume that we want to create a new Spotify account using our existing Google account. In that case, Spotify allows us to sign up by clicking the "Sign up with Google" button. Spotify and Google facilitate this functionality using the OAuth 2.0 framework.
Access to the resources requested in an API call is granted only while the access token presented with that call is valid.
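The two guarantees above (limited lifetime, specific resources only) and the token-validity rule are what a resource server enforces on every API call. The following is an added example, not code from the lesson or from any OAuth library; the token table, the names `music-app` and `user-42`, the scope strings and the one-hour lifetime are all constructed for illustration.

```python
from dataclasses import dataclass

# Constructed sample: what an authorization server records when it issues an
# access token. It names the user who granted access, the client that holds
# the token, the scopes (resources) it covers and its expiry. The user's
# password never appears here and is never sent to the client.
@dataclass
class AccessToken:
    user_id: str
    client_id: str
    scopes: frozenset
    expires_at: int      # Unix time (seconds)
    revoked: bool = False

ISSUED_AT = 1_700_000_000       # constructed issue time
TOKEN_TTL = 3600                # one-hour lifetime (assumed, a common choice)

# Hypothetical issued-token table standing in for the server's token store.
ISSUED_TOKENS = {
    "tok-abc123": AccessToken(
        user_id="user-42",
        client_id="music-app",
        scopes=frozenset({"profile:read", "email:read"}),
        expires_at=ISSUED_AT + TOKEN_TTL,
    ),
}

def authorize_request(token_value: str, required_scope: str, now: int) -> tuple:
    """Resource-server decision for one API call: returns (allowed, reason)."""
    token = ISSUED_TOKENS.get(token_value)
    if token is None:
        return False, "unknown_token"       # never issued, or forged
    if token.revoked:
        return False, "revoked"             # user withdrew consent
    if now >= token.expires_at:
        return False, "expired"             # limited lifetime enforced
    if required_scope not in token.scopes:
        return False, "insufficient_scope"  # specific resources only
    return True, f"{token.client_id} on behalf of {token.user_id}"

def revoke(token_value: str) -> bool:
    """Let the user (or the authorization server) withdraw a grant early."""
    token = ISSUED_TOKENS.get(token_value)
    if token is None:
        return False
    token.revoked = True
    return True
```

Note that a call for `contacts:write` is refused even with a fresh, valid token: the grant covers only the scopes the user consented to.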
Actors/roles
Four entities in OAuth communicate to achieve secure transmission of resources: