OAuth: A Tale of Two Servers
Whether you're trying to implement an OAuth client or an OAuth provider, or you just want to know why you keep getting redirected to Twitter for authorization, it pays to understand OAuth 2 and how the flow works. Tune in to this quick example and understand OAuth a bit better today.
By anonymous 2017-09-20
What is OAuth?
OAuth is an authorization protocol that lets a third-party application access a user's data without the user ever handing over their password. The "Login with Facebook", "Login with Google+" and "Login with Twitter" buttons on many websites all work under this protocol.
The protocol becomes easier to follow once you know the parties involved. There are three: the OAuth Provider, the OAuth Client and the Owner.
- OAuth Client (the application that wants access to your account data)
- OAuth Provider (e.g. Facebook, Twitter, ...)
- Owner (the person who holds the Facebook, Twitter, ... account)
How does it work?
Suppose a website (Stack Overflow) wants to add a "Login with Facebook" feature. Facebook is then the OAuth Provider and Stack Overflow is the OAuth Client.
1. Registration. This step is done by the app's developer. At the very beginning Facebook (OAuth Provider) knows nothing about Stack Overflow (OAuth Client), because there is no link between them. So the very first step is to register Stack Overflow on the Facebook developers site. This is done manually: the developer gives Facebook the app's information, such as its name, website, logo and redirect URL (the important one). Once registered, Stack Overflow receives a client ID, client secret, etc. from Facebook and is ready to use OAuth.
2. Now when a Stack Overflow user clicks the "Login with Facebook" button, Stack Overflow sends the user to Facebook with its client ID (which Facebook uses to recognise the client) and its redirect URL (where Facebook will send the user back after success). The user is thus redirected to the Facebook login page. This is the best part: the user (Owner) is not giving their Facebook credentials to Stack Overflow.
3. After the Owner allows Stack Overflow to access the information, Facebook redirects back to Stack Overflow, along with an auth code, using the redirect URL provided at step 2.
4. Stack Overflow then contacts Facebook directly with the obtained auth code (together with its client secret) so that Facebook can verify everything is in order.
5. Only then does Facebook give an access token to Stack Overflow. Stack Overflow uses the access token to retrieve the Owner's information without ever using the password. This is the whole motive of OAuth: the actual credentials are never exposed to third-party applications.
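To make the five steps concrete, here is an added example (not code from the original post) that simulates both servers in one Python process: a toy Provider standing in for Facebook and a toy Client standing in for Stack Overflow, exchanging exactly the messages described above. Every name, URL, client ID, secret and profile record in it is constructed for the example; the two checks that go slightly beyond the text (the redirect URL must match what was registered at step 1, and a code can be redeemed only once) are standard parts of the authorization code flow that show why the registration step and the code-for-token exchange matter.

```python
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

REDIRECT = "https://client.example/oauth/cb"   # constructed redirect URL for the example


class Provider:
    """Toy OAuth Provider (the "Facebook" side): it alone holds the owner's password and data."""

    def __init__(self):
        self.clients = {}   # client_id -> (client_secret, registered redirect_uri)
        self.codes = {}     # auth code -> (client_id, redirect_uri, owner, expiry)
        self.tokens = {}    # access token -> owner
        self.profiles = {"alice": {"name": "Alice", "email": "alice@example.test"}}  # constructed

    def register_client(self, app_name, redirect_uri):
        """Step 1: the app developer registers the client and receives an id/secret pair."""
        client_id = f"{app_name}-{secrets.token_hex(4)}"
        client_secret = secrets.token_urlsafe(32)
        self.clients[client_id] = (client_secret, redirect_uri)
        return client_id, client_secret

    def authorize(self, authorize_url, owner, consent):
        """Steps 2-3: the owner logs in at the provider and consents; the provider then
        redirects the browser back to the registered URL carrying a short-lived code."""
        q = {k: v[0] for k, v in parse_qs(urlparse(authorize_url).query).items()}
        _, registered_uri = self.clients[q["client_id"]]
        # Only ever redirect to the URL the client registered at step 1.
        if q["redirect_uri"] != registered_uri:
            raise ValueError("redirect_uri does not match the registered one")
        if not consent:
            return registered_uri + "?" + urlencode({"error": "access_denied", "state": q["state"]})
        code = secrets.token_urlsafe(24)
        self.codes[code] = (q["client_id"], registered_uri, owner, time.time() + 60)
        return registered_uri + "?" + urlencode({"code": code, "state": q["state"]})

    def token(self, client_id, client_secret, code, redirect_uri):
        """Step 4: server-to-server exchange of the code plus client secret for a token."""
        secret, _ = self.clients[client_id]
        if not hmac.compare_digest(secret, client_secret):
            raise PermissionError("client authentication failed")
        entry = self.codes.pop(code, None)   # pop: a code can be redeemed only once
        if entry is None:
            raise PermissionError("unknown or already used code")
        code_client, code_uri, owner, expiry = entry
        if (code_client, code_uri) != (client_id, redirect_uri) or time.time() > expiry:
            raise PermissionError("code not issued for this client/redirect, or expired")
        access_token = secrets.token_urlsafe(32)
        self.tokens[access_token] = owner
        return access_token

    def userinfo(self, access_token):
        """Step 5: the data call; the owner's password never reached the client."""
        owner = self.tokens.get(access_token)
        if owner is None:
            raise PermissionError("invalid access token")
        return dict(self.profiles[owner])


class Client:
    """Toy OAuth Client (the "Stack Overflow" side)."""

    def __init__(self, provider, client_id, client_secret, redirect_uri):
        self.provider, self.client_id = provider, client_id
        self.client_secret, self.redirect_uri = client_secret, redirect_uri
        self.pending_states = set()

    def login_url(self):
        """Step 2: where the "Login with ..." button sends the browser."""
        state = secrets.token_urlsafe(16)   # ties the callback to the login that started it
        self.pending_states.add(state)
        return "https://provider.example/authorize?" + urlencode({
            "response_type": "code", "client_id": self.client_id,
            "redirect_uri": self.redirect_uri, "scope": "profile", "state": state})

    def callback(self, redirect_url):
        """Steps 3-5: receive the code, exchange it for a token, fetch the profile."""
        q = {k: v[0] for k, v in parse_qs(urlparse(redirect_url).query).items()}
        if q.get("state") not in self.pending_states:
            raise PermissionError("callback does not belong to a login this client started")
        self.pending_states.discard(q["state"])
        if "error" in q:
            return None   # the owner declined at step 3
        token = self.provider.token(self.client_id, self.client_secret, q["code"], self.redirect_uri)
        return self.provider.userinfo(token)


def setup():
    """Step 1 in one place: a fresh provider with one registered client."""
    provider = Provider()
    cid, csecret = provider.register_client("stackoverflow", REDIRECT)
    return provider, Client(provider, cid, csecret, REDIRECT)


def run_flow(consent=True):
    """Drive the whole flow once; returns the profile the client ends up with, or None."""
    provider, client = setup()
    redirect = provider.authorize(client.login_url(), owner="alice", consent=consent)
    return client.callback(redirect)


def code_is_single_use():
    """Replaying a redeemed code must fail: the provider dropped it at first use."""
    provider, client = setup()
    redirect = provider.authorize(client.login_url(), "alice", True)
    client.callback(redirect)
    code = parse_qs(urlparse(redirect).query)["code"][0]
    try:
        provider.token(client.client_id, client.client_secret, code, REDIRECT)
    except PermissionError:
        return True
    return False
```

`run_flow()` returns Alice's constructed profile even though the Client object never sees a password; `run_flow(consent=False)` returns `None` because the owner declined at step 3; `code_is_single_use()` shows the step 4 exchange is a one-shot: the Provider keeps the secret and the code table, so nothing the browser carried around can be replayed for a second token.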