OAuth Overview
OAuth (Open Authorization) is an authentication protocol that allows users to grant limited access to their resources on one website or application to another website or application, without sharing their actual login credentials.
OAuth acts like a trusted middleman that enables you to give permission for one service to access your data from another service without revealing your username and password. This document includes a technical explanation of the OAuth workflow and a practical OAuth analogy.
OAuth workflow
OAuth provides a secure and standardized way for users to grant access to their data across different websites and applications without sharing their login credentials. It ensures that you have control over which services can access your data and allows you to revoke access at any time.
The following list is a step-by-step explanation of how OAuth works.
1. You (the user) want to use a website or application (called the "client") that requires access to your data on another website or application (called the "resource server").
2. The client requests permission to access your data from the resource server. It typically does this by redirecting you to the resource server's login page.
3. You enter your login credentials on the resource server's login page directly. This step is crucial because your username and password are never shared with the client.
4. The resource server verifies your credentials and authenticates you. Once authenticated, it generates a unique access token for the client.
5. The resource server redirects you back to the client application, providing the access token along with the redirection.
6. The client receives the access token and sends it to the resource server whenever it needs to access your data.
7. The resource server checks the validity of the access token. If the token is valid, it grants the client access to the requested resources for a limited period.
8. The client can use the granted access to retrieve or modify your data on the resource server, but only within the scope defined by the access token. The scope determines what actions and data the client can access.
9. If the access token expires or if the client needs additional permissions, the client can request a new access token by going through the authentication process again.
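As an added example that is not part of the original page, the following Python sketch walks through the token-related steps of the workflow above with an in-memory resource server: the user authenticates directly at the server, a scoped and time-limited access token is minted and handed back to the client in the redirect, and every resource request is checked for validity, expiry and scope. All names, credentials and URLs are constructed here, and the `state` value the client uses to match the redirect to its own request is an assumed addition, not something the page describes.

```python
import secrets
import time
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed in-memory "resource server" that also issues tokens, matching
# the page's single-server description. All names and values are hypothetical.
USERS = {"alice": "correct horse battery staple"}  # constructed test credential
TOKENS = {}  # access token -> {"user", "scope", "expires"}

def login_and_issue_token(username, password, scope, ttl=3600, now=None):
    """Steps 3-4: the user authenticates at the resource server itself, which
    mints a fresh, scoped, time-limited access token for the client."""
    if USERS.get(username) != password:
        return None  # bad credentials: no token is issued
    token = secrets.token_urlsafe(32)  # unguessable bearer token
    TOKENS[token] = {"user": username, "scope": set(scope.split()),
                     "expires": (now or time.time()) + ttl}
    return token

def redirect_to_client(client_redirect_uri, token, state):
    """Step 5: the token travels back to the client in the redirect URL."""
    return f"{client_redirect_uri}#{urlencode({'access_token': token, 'state': state})}"

def client_extract_token(redirect_url, expected_state):
    """Step 6: the client parses the redirect; the state value it chose when it
    sent the user to the server must come back unchanged (assumed check)."""
    params = parse_qs(urlparse(redirect_url).fragment)
    if params.get("state", [None])[0] != expected_state:
        return None  # not a response to a request this client started
    return params.get("access_token", [None])[0]

def access_resource(token, action, now=None):
    """Steps 7-8: the resource server validates the token and enforces scope."""
    info = TOKENS.get(token)
    if info is None:
        return (401, "invalid token")
    if (now or time.time()) >= info["expires"]:
        return (401, "token expired")  # step 9: client must re-authorize
    if action not in info["scope"]:
        return (403, "out of scope")  # valid token, but not for this action
    return (200, f"{action} for {info['user']}")

if __name__ == "__main__":
    tok = login_and_issue_token("alice", USERS["alice"], "read", ttl=60, now=1000)
    url = redirect_to_client("https://client.example/cb", tok, state="n0nce")
    got = client_extract_token(url, expected_state="n0nce")
    print(access_resource(got, "read", now=1010), access_resource(got, "write", now=1010))
```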
Practical OAuth analogy
The following is an analogy of how OAuth works using a practical scenario.
Imagine you are throwing a party, and you want to hire a caterer (the client) to handle the food. However, you don't want to give the caterer the keys to your house (your login credentials) because that would give them access to all your personal belongings. So, you use a trusted party organizer (OAuth) to manage the access.
1. You tell the party organizer that you want to hire a caterer. The party organizer knows how to handle access to your house and the caterer's services.
2. The party organizer contacts the caterer and sends them to your house for a meeting. You're not home at this point.
3. The caterer arrives at your house but realizes they can't enter without your permission (access token). They call you to ask for access.
4. You, as the homeowner, want to verify the caterer's credibility before granting access. So, you ask the caterer some questions to confirm their identity (authentication).
5. Once you're satisfied with the caterer's credentials, you give them a temporary access code (access token) through the phone. This code allows them to enter your house and prepare the food but only within the scope of their catering duties.
6. The caterer enters your house using the access code and starts setting up the food. They can access the kitchen and dining area but are restricted from entering other rooms.
7. After a specified period or when the party ends, the access code expires, ensuring that the caterer can't re-enter your house without your permission.
In this scenario, you (the homeowner) are the user, the caterer is the client application, your house represents your personal data on the resource server, and the party organizer is OAuth.
The access code serves as the access token, allowing the client (caterer) limited access to your resources (house) without compromising your login credentials (house keys).
OAuth acts as a trusted intermediary, facilitating the secure sharing of your data between services while maintaining control over access permissions.