Definition
OAuth (Open Authorization) is a protocol that enables individuals to permit third-party applications to access resources on another website without sharing login credentials.
Apps and websites use OAuth to allow users to access services without creating an account for each platform. A good example is logging into various sites with your Facebook, Apple, and Google accounts.
How OAuth Works
- User grants third-party access: The flow begins with an OAuth request from the third-party application asking for specific permissions.
- User permission prompt: The website or app that holds the resources prompts the user to approve or deny the third party's access.
- OAuth access token issuance: Once the user consents, an access token is issued to the third-party application.
- Resource access: The third-party application uses the token to access only the resources the user approved. The user can revoke that access at any time.
Examples of OAuth
- Sign in with Apple: Users access third-party apps using their Apple ID.
- Twitter OAuth: Allows third-party apps to access and post on a user’s Twitter account.
- Sign in with Google: Google allows login to third-party services using Google accounts.
- Dropbox integration: Users connect third-party apps to Dropbox without sharing login credentials.
- Sign in with Facebook: Facebook enables login to third-party apps using Facebook accounts.
Types of Grants on OAuth
- Authorization code grant with PKCE: Adds a verification step, a code verifier/challenge pair, so that only the client that started the flow can redeem the authorization code.
- Refresh token grant: The client receives a refresh token alongside the access token from the authorization code grant and uses it to obtain new access tokens, minimizing user interaction.
- Authorization code grant: The client requests an authorization code, which is then exchanged for an access token.
- Implicit grant: A streamlined flow that issues access tokens directly to the client, with no intermediate authorization code.
- Client credentials grant: The client requests access tokens for resources it controls itself, with no user involvement.
- Resource owner password credentials grant: The user hands their credentials directly to a trusted client, such as a desktop or mobile app, which exchanges them for an access token.
- Device authorization grant: An authorization flow for devices without a full browser, such as printers and smart TVs; the user completes the authorization on a second device.
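The four steps under "How OAuth Works" and the authorization code, PKCE and refresh token grants above are easiest to see side by side. The following is an added example written for this page, not code from any OAuth library or provider: a toy authorization server (hypothetical, in-memory) issues a single-use code on user consent, checks the PKCE verifier against the challenge before handing out tokens, and rotates refresh tokens. The client name `photo-app`, the redirect URI and the scope are constructed sample values. The run exercises the failure modes a defender cares about: a replayed code, a code redeemed without the matching verifier, a reused refresh token, and a user who declines.

```python
import base64
import hashlib
import secrets
import time


def make_code_verifier() -> str:
    # RFC 7636 verifier: 32 random bytes, base64url without padding (43 chars)
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")


def code_challenge_s256(verifier: str) -> str:
    # S256 challenge: base64url(SHA-256(verifier)) without padding
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class AuthorizationServer:
    """Toy authorization server (hypothetical): codes are single-use, refresh tokens rotate."""

    def __init__(self, access_ttl: int = 3600):
        self.access_ttl = access_ttl
        self._pending = {}  # code -> (client_id, redirect_uri, code_challenge, scope)
        self._refresh = {}  # refresh_token -> (client_id, scope)
        self._access = {}   # access_token -> (client_id, scope, expires_at)

    def authorize(self, client_id, redirect_uri, scope, code_challenge, user_consents):
        # Front channel: the user is prompted; on consent a single-use code is issued
        if not user_consents:
            return None
        code = secrets.token_urlsafe(24)
        self._pending[code] = (client_id, redirect_uri, code_challenge, scope)
        return code

    def token(self, grant_type, client_id, **params):
        # Back channel: redeem a code (authorization_code) or a refresh token (refresh_token)
        if grant_type == "authorization_code":
            entry = self._pending.pop(params.get("code"), None)  # pop: a replay finds nothing
            if entry is None:
                raise PermissionError("invalid_grant: unknown or already used code")
            cid, ruri, challenge, scope = entry
            if cid != client_id or ruri != params.get("redirect_uri"):
                raise PermissionError("invalid_grant: client or redirect_uri mismatch")
            expected = code_challenge_s256(params.get("code_verifier", ""))
            if not secrets.compare_digest(expected, challenge):
                raise PermissionError("invalid_grant: PKCE verifier does not match challenge")
            return self._issue(client_id, scope)
        if grant_type == "refresh_token":
            entry = self._refresh.pop(params.get("refresh_token"), None)  # rotate: old one dies
            if entry is None or entry[0] != client_id:
                raise PermissionError("invalid_grant: unknown, used or foreign refresh token")
            return self._issue(client_id, entry[1])
        raise ValueError("unsupported_grant_type")

    def _issue(self, client_id, scope):
        access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self._access[access] = (client_id, scope, time.time() + self.access_ttl)
        self._refresh[refresh] = (client_id, scope)
        return {"access_token": access, "token_type": "Bearer", "expires_in": self.access_ttl,
                "refresh_token": refresh, "scope": scope}

    def introspect(self, access_token):
        # What a resource server asks before serving a request; expired tokens are inactive
        entry = self._access.get(access_token)
        if entry is None or entry[2] < time.time():
            return {"active": False}
        return {"active": True, "client_id": entry[0], "scope": entry[1]}


def _rejected(srv, grant_type, client_id, **params):
    # True if the server refused the token request
    try:
        srv.token(grant_type, client_id, **params)
        return False
    except PermissionError:
        return True


def run_flow():
    """Drive the flow end to end; every value in the returned dict should be True."""
    srv = AuthorizationServer()
    client_id, redirect_uri, scope = "photo-app", "https://photo.example/cb", "photos:read"
    results = {}
    # steps 1-2: client makes verifier + challenge, user is prompted and consents
    verifier = make_code_verifier()
    challenge = code_challenge_s256(verifier)
    code = srv.authorize(client_id, redirect_uri, scope, challenge, user_consents=True)
    # step 3: client redeems the code with its verifier and receives tokens
    tokens = srv.token("authorization_code", client_id, code=code,
                       redirect_uri=redirect_uri, code_verifier=verifier)
    results["access_token_active"] = srv.introspect(tokens["access_token"])["active"]
    # a replayed code must fail
    results["replay_rejected"] = _rejected(srv, "authorization_code", client_id, code=code,
                                           redirect_uri=redirect_uri, code_verifier=verifier)
    # a code redeemed without the matching verifier must fail (this is what PKCE adds)
    code2 = srv.authorize(client_id, redirect_uri, scope, challenge, user_consents=True)
    results["wrong_verifier_rejected"] = _rejected(
        srv, "authorization_code", client_id, code=code2,
        redirect_uri=redirect_uri, code_verifier=make_code_verifier())
    # refresh grant: new access token without user interaction, old refresh token retired
    renewed = srv.token("refresh_token", client_id, refresh_token=tokens["refresh_token"])
    results["refresh_works"] = srv.introspect(renewed["access_token"])["active"]
    results["old_refresh_rejected"] = _rejected(srv, "refresh_token", client_id,
                                                refresh_token=tokens["refresh_token"])
    # step 4 in reverse: the user can decline, so no code is issued at all
    results["decline_gives_no_code"] = srv.authorize(
        client_id, redirect_uri, scope, challenge, user_consents=False) is None
    return results
```

Running `run_flow()` returns a dictionary in which every check is `True`. The two design choices worth copying from the toy are the `pop` on the pending-code and refresh-token tables (a second redemption finds nothing, so replay and refresh-token reuse both fail closed) and the constant-time comparison of the recomputed S256 challenge.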
OAuth 1.0 vs. OAuth 2.0
Unlike OAuth 1.0, OAuth 2.0 separates the roles of client, authorization server, resource server, and resource owner. It also doesn't require generating signatures for message security, relying instead on SSL/TLS (HTTPS) to protect communication.
OAuth 2.0 access tokens are also short-lived, yet the user doesn't have to reauthorize, because refresh tokens are used to acquire new access tokens.
OAuth 2.0 also provides purpose-specific sub-flows designed for different kinds of clients, including mobile and web applications, desktop applications, living-room devices, and API-based services that run outside a browser.
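To make the signature requirement that OAuth 2.0 dropped concrete, here is an added example (written for this page, not taken from any OAuth 1.0 library) of the HMAC-SHA1 signing scheme from RFC 5849: the request method, base URL and sorted, percent-encoded parameters are joined into a signature base string, the consumer and token secrets form the key, and the receiving server recomputes the signature over everything except `oauth_signature`. The URL, consumer key `ck`, secrets, nonce and timestamp are constructed sample values, not credentials from any real service.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote


def oauth1_encode(value) -> str:
    # RFC 5849 section 3.6: percent-encode everything except ALPHA, DIGIT, '-', '.', '_', '~'
    return quote(str(value), safe="-._~")


def signature_base_string(method: str, base_url: str, params: dict) -> str:
    # RFC 5849 section 3.4.1: METHOD & enc(base URL) & enc(normalized parameters),
    # where the parameters are encoded first, then sorted by key (then value)
    pairs = sorted((oauth1_encode(k), oauth1_encode(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), oauth1_encode(base_url), oauth1_encode(normalized)])


def hmac_sha1_signature(base_string: str, consumer_secret: str, token_secret: str = "") -> str:
    # Key is enc(consumer secret) & enc(token secret); token secret may be empty
    key = f"{oauth1_encode(consumer_secret)}&{oauth1_encode(token_secret)}".encode("ascii")
    mac = hmac.new(key, base_string.encode("ascii"), hashlib.sha1).digest()
    return base64.b64encode(mac).decode("ascii")


def sign_request(method, url, params, consumer_secret, token_secret=""):
    # params must already carry the oauth_* protocol parameters except oauth_signature
    return hmac_sha1_signature(signature_base_string(method, url, params),
                               consumer_secret, token_secret)


def verify_request(method, url, params, consumer_secret, token_secret=""):
    # Server side: recompute over every parameter except the signature itself
    received = params.get("oauth_signature", "")
    unsigned = {k: v for k, v in params.items() if k != "oauth_signature"}
    expected = sign_request(method, url, unsigned, consumer_secret, token_secret)
    return hmac.compare_digest(received, expected)


# Constructed sample request (not a real endpoint or real credentials)
SAMPLE_URL = "https://api.example.com/1/resource"
SAMPLE_PARAMS = {
    "oauth_consumer_key": "ck",
    "oauth_nonce": "abc123",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": 1700000000,
    "oauth_version": "1.0",
    "q": "hello world",
}
CONSUMER_SECRET = "consumer-secret-sample"


def signed_sample() -> dict:
    # Client side: attach oauth_signature to the sample parameters
    signed = dict(SAMPLE_PARAMS)
    signed["oauth_signature"] = sign_request("GET", SAMPLE_URL, SAMPLE_PARAMS, CONSUMER_SECRET)
    return signed
```

The base string is what makes a tampered parameter detectable: changing `q`, the URL or the method changes the string, so `verify_request` fails even though the attacker never needed the secret to see the request. OAuth 2.0 gets the same protection in transit from TLS instead, which is why a bearer token must only ever travel over HTTPS.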
SAML vs. OAuth
OAuth is an authorization protocol, while SAML is a federated authentication protocol used to enhance enterprise security.
SAML focuses on user-centric access control, while OAuth emphasizes application-centric authorization. The former uses XML for message exchange, while the latter uses JSON.