- What is OAuth?
- an authorization protocol that allows unrelated servers and services to allow access to eachother without actually sharing the authorization credentials
- third-party, delegated authorization
- OAuth 2.0 is a framework - 1.0 is a protocol
- only works with HTTPS
- Give an example of what using OAuth would look like.
- A website letting you use your google account to sign up and login
- you are authenticated via the google account
- A website letting you use your google account to sign up and login
- How does OAuth work? What are the steps that it takes to authenticate the user?
- OAuth scenarios always involve two unrelated sites trying to coordinate
- OAuth = authorization
- Steps: from https://www.csoonline.com/article/3216404/what-is-oauth-how-the-open-authorization-framework-works.html
- The first website connects to the second website on behalf of the user, using OAuth, providing the user’s verified identity.
- The second site generates a one-time token and a one-time secret unique to the transaction and parties involved.
- The first site gives this token and secret to the initiating user’s client software.
- The client’s software presents the request token and secret to their authorization provider (which may or may not be the second site).
- If not already authenticated to the authorization provider, the client may be asked to authenticate. After authentication, the client is asked to approve the authorization transaction to the second website.
- The user approves (or their software silently approves) a particular transaction type at the first website.
- The user is given an approved access token (notice it’s no longer a request token).
- The user gives the approved access token to the first website.
- The first website gives the access token to the second website as proof of authentication on behalf of the user.
- The second website lets the first website access their site on behalf of the user.
- The user sees a successfully completed transaction occurring.
- OAuth is not the first authentication/authorization system to work this way on behalf of the end-user. In fact, many authentication systems, notably Kerberos, work similarly. What is special about OAuth is its ability to work across the web and its wide adoption. It succeeded with adoption rates where previous attempts failed (for various reasons).
- What is OpenID?
- an authentication layer that works with OAuth
Authorization and Authentication flows
- What is the difference between authorization and authentication?
- authorization is verifying who you are, authentication is verifying what you have access to
- What is Authorization Code Flow?
- used to provide an access token to authorize API requests
- used for web-apps/server-side apps
- exchanges an authorization code for an access token
- app has to be server-side
- What is Authorization Code Flow with Proof Key for Code Exchange (PKCE)?
- an additional layer of security for mobile and native applications and single-page apps
- What is Implicit Flow with Form Post?
- Used for public clients / apps unable to securely store client secrets
- Form post allows for streamlined workflow for apps that only need an Id token for user authentication
- What is Client Credentials Flow?
- used for M2M authentication
- eg CLIs, daemons, services that run in the back-end
- What is Device Authorization Flow?
- sends the user a link to their device to authorize the device
- useful for devices that dont have easy tex entry
- What is Resource Owner Password Flow?
- user provides their username and password via an interactive form
- only used for highliy-trusted apps