OAuth is an open-standard authorization protocol (not to be confused with an authentication protocol) that allows unrelated servers and services to grant authorized access to their assets without sharing the login credentials themselves. With OAuth 2.0, an application can access the user's data without the user's credentials ever being disclosed to the application. The API grants access only when it receives a valid access token from the application. Among authorization protocols, OAuth 2.0 is known for providing secure, third-party, user-agent and delegated authorization.
Working of OAuth 2.0
During the implementation of OAuth 2.0, the following processes take place:
- Request authorization from the app to the user.
- The user authorizes the request.
- The app presents the proof of authorization to the server to get the token, and the token is restricted for particular access based on what the user has authorized for a specific app.
There are three public and three confidential flow schemes that ensure a smooth propagation of requests and data among applications, APIs, and internal services between servers while maintaining a layer of security. The flow schemes of OAuth 2.0 are:
Confidential Scheme: A confidential scheme is appropriate when an application can keep the client secret confidential. This is commonly the case when an application is accessed through a browser but obtains its OAuth access tokens on its own server. The client secret is therefore used in these schemes.
1. Application flow: The user is not required to grant authorization at any point in the application flow scheme. Instead, the program obtains an access token using its client secret.
2. Password flow: In the password flow scheme, the user gives the application a username and password that can be used to access the user's data. After that, the client makes a direct request for an access token from the provider API.
3. Access code flow: In the access code flow, the application requests authorization from the user using a form provided by the gateway server, which, if the user agrees, gives the application an authorization code. The provider API receives the authorization code from the application and responds with an access token.
Public Scheme: A public scheme is used when an application cannot protect the confidentiality of the client secret. Most of the time this is the case when a program is native to a computer or smartphone, since the secret would have to be kept on the user's device, possibly inside the program's source code. Because of this, these schemes do not use the client secret.
1. Implicit flow: In the implicit flow scheme, the application requests an access token from the gateway server and the user grants permission; at that point the user is given an access token, which he or she must then pass to the application.
2. Password flow: In the password flow scheme, the user gives the application a username and password that can be used to access the user's data. After that, the client speaks with the server directly to ask for an access token. Because the user's password is disclosed to the application in this situation, trust between the user and the application is necessary.
3. Access code flow: In the access code flow, the application requests authorization from the user using a form provided by the gateway server, which, if the user agrees, gives the application an authorization code. The provider API receives the authorization code from the application and responds with an access token.
Difference between OAuth 2.0 and OAuth 1.0
OAuth 2.0 is a framework, not an authentication protocol like OAuth 1.0. OAuth 1.0 was primarily developed for traditional web technology, not for mobile apps. With the exponential growth of smartphones, OAuth 1.0 was redesigned to form OAuth 2.0, which offered an authentication process involving tokens. These tokens can be used to ensure secure communication among applications, APIs, and different services.
Some of the main differences between OAuth 1.0 and OAuth 2.0 are:

| OAuth 1.0 | OAuth 2.0 |
|---|---|
| Requires login credentials | Does not require login credentials as it relies on SSL/TLS |
| HTTPS communication is not needed | HTTPS communication is needed |
| Used only in web browsers | Can be used in mobile applications, APIs, and internal services between servers |
| More complex to design and develop | Less complex to design and develop |
| More secure because it requires login credentials for communication | Less secure than OAuth 1.0 as it uses tokens |