I. How OAuth works
OAuth is one of those technologies that is mostly misunderstood when it comes to use. In this article, let’s clear up the bottlenecks to really understand how the technology behind OAuth works.
First of all, from the name you can guess OAuth has something to do with Auth . But auth means authentication or authorization and OAuth means only think authorized , not authenticated. More importantly, OAuth was originally not created for a service to authorize a person . It allows a service that allows a service can authorize to another service.
Why does a service need to be authorized?
II. When two services are developed
Let’s take a good example of photo printing service. You must have seen sites like this. You give them an image file and you pay them to send the printed photo to your address. Imagine you are starting a new photo printing business. You build a website that allows people to upload photos and order them to print online. Now, here’s the thing. No one keeps photos on their device anymore. They use the cloud! And so you continue to receive feature requests to give users the ability to import their photos from somewhere like Google Drive and then print photos directly from there without the user needing to download them. download and re-upload .
Okay, that’s a legitimate request. Now what do you have to do to implement Sign-in from Google Drive for your app? You need to connect a user’s Google Drive account and access their files. But wait! How can your application do that? User files on Google Drive require the user’s Google authentication. How can you code your website so that it can authenticate with Google on behalf of your users?
Here’s what you can do. You can ask users for their Google ID and password . Your application can say:
“Hey user, do you want me to print your photos on Google? Google is not giving me access. So here is the screen where you enter your Google ID and password. Give them to me, and I will log into your Google account and access your photos and print them ”.
Do you think users will give your photo print service their Google ID and password? They don’t believe you! What they want to give you is just access to certain photos . They don’t want to give you full access to their Google drive and their email and everything else. Your service may promise that it will only access their photos, but there is no guarantee!
So while this works in theory, this isn’t practical.
Now you can tell – Google Drive has sharing! You can ask users to share the file and then provide a shared link to your service. But there are problems there as well. What if the user doesn’t want to share the file with anyone. Also, what if it’s another situation where sharing is not an option?
For example, think of a situation in which your service wanted to access the user’s contacts to send out app invitations? There is no way you can ask users to share their contacts. Such a feature doesn’t even exist! So how do you have an authorized third-party service with a service like Google without your users providing their credentials?
To get around this problem of services trying to access each other on behalf of users, a standard protocol was created called OAuth . The first version, called OAuth 1 , was not so popular. But the current version, OAuth 2 , is widely accepted and used. When anyone mentions OAuth today, they almost always refer to OAuth 2 .
There is an example as follows:
Think about the job of a parking attendant or a waiter. The idea is that a car owner drives to a garage, and instead scrambles for a parking space. They just got down, gave their keys to the valet and said, “Hey, caretaker, please park me.” The waiter takes the keys, drives the car, finds a location and parks the car.
Now I won’t do anything in the way of handing my old car over to any valet. But imagine if a rich guy comes up with a million-dollar sports car. They will have a reason to hesitate a little when delivering the keys. What if the caregiver deliberately took the keys and took the car for a long distance, opened the trunk or opened the lock of personal belongings.
This is why some cars come with an extra key called a car park key. This key is like the main key of a car but has reduced usability. It can only start and stop the car. But it cannot open the trunk or personal belongings. If a sports car owner has such a key, they will feel more comfortable handing it over to the car parker. They know the parking person cannot do much with the key beyond their purpose.
IV. OAuth stream
OAuth is an authorization mechanism where services can authorize each other on your behalf after you have granted them authority . It is often referred to as authorized access for this reason. It is also an open standard – because it clearly needs to be – because many services on the internet need to communicate with each other. So there’s a specification that all of these services need to follow in order for them to understand each other. There’s a certain process in place for this whole process to work.
OAuth is an authorization mechanism where services can authorize each other on your behalf after you have granted them authority. It is often referred to as authorized access for this reason.
Return to our photo printing example. Here is the situation:
- You have a service that needs to access the user’s Google Drive files
- We have one user logged into both this service and into Google. Both services trust the user . They just don’t trust each other .
- The problem we want to solve is for these two services to work together. If both of these services are implemented with OAuth , this is how the interaction works
- The photo printing service goes to Google and says, “Hey, I need this user’s file”.
- With OAuth implementations, Google will do something interesting. It passes to the user and says:
“Take a look here, user. Yes this service here wants to access some of your files. Is this legal? Here is a list of the things the service wants to do. Will I go ahead and allow it? “
- Now the user sees a clearly specified screen (Service A is requesting access to the user’s Google account and B) What is the list of permissions that the service wants.
- Now if the user is the one trying to print the photo, they’ll look at it and say:
“Alright, all right. Please allow access ”.
- Now, Google has reasons to trust the service, so it grants it a token (called an authorization token) containing all the permissions allowed. A ” token “, if you want!
- And now every time the photo printing service needs to access Google Drive, it just needs to include this token with the request and say:
“Hey Google, I need access to that file. This is the token that you have provided me with user verified access to these permissions. Let me in!”
- And every time this happens, Google looks at the token and says:
“Hmm, okay, it’s legal. You can access this ”. With tokens, the photo service only has limited access to permissions previously approved by the user. You may have seen these screens from Facebook or Google requesting permissions.
The screen informs you which services are trying to access which rights on your behalf. If you accept, the access token will be passed to the future accessible service so that you do not have to click allow each time.
V. Access token
What does this access token look like? It should be a token that contains information about all allowed permissions, and should also be tamperproof – something the service can verify. How do you create a token that can hold data inside it but also secure it from being modified? There’s a specific token format called JWT that works flawlessly. Check out this article to see how JWT works ! Now that you know how this process works, it’s also clear why OAuth is used for authorization, not authentication. In this case, the user is actually authenticated with both services. The problem being solved here is how to authorize one service to another. Now that you know the OAuth process , the next time you see these OAuth consent screens, you’ll know what’s going on and why! Next time I will go analyze the structure of a token like. Please folow me to welcome reading interesting articles offline!