What is OAuth? (An Introduction to OAuth and OpenID)

My name is Kindson, and in this brief lesson I will teach you the basics of OAuth 2.0 and OpenID. You will understand very clearly what they are and how they work.

You can watch the video explanation here

We will cover the following:

  1. What is OAuth?
  2. How OAuth Started
  3. OAuth Roles
  4. The OAuth Workflow
  5. Benefits of OAuth
  6. What is OpenID?


1.0 What is OAuth?

OAuth is an open standard for authorization that is used for access delegation. This means that users of a web application can grant another application access to their information without giving it their login credentials.
OAuth provides secure delegated access to the user's information on behalf of the user.

2.0 Why OAuth was Introduced

Before the OAuth 1.0 protocol was published in 2010, access delegation was achieved by giving the third-party application your login credentials (username and password). This created a security problem, because there was no control over what the third-party application could do with those details. OAuth was created to address this issue.
So in 2010 the OAuth 1.0 protocol was published, after a group of researchers had worked on it for about 4 years.


3.0 OAuth Roles and Terminology

Before we explain how it works, it is necessary to understand the roles in the OAuth architecture:
Resource Owner: The user of the resource, that is, the owner of the account the application is requesting access to.
Client: The application that requests access to restricted resources.
Authorization Server: Holds account information and is used for authorization.
Resource Server: Holds the protected information, which requires a token to access.
Authorization Grant: The initial code sent to the requesting application. This is the same as the authorization code and is passed through the front channel (the browser).
Redirect URI: The URI the user is redirected to after the authorization grant has been given to the application.
Access Token: The token that is sent to the application and can be used to access resources.

4.0 The OAuth Workflow

The OAuth workflow takes the following steps to grant delegated access to an application:

Step 1: The application requests authorization to access some resource.
Step 2: The authorization server creates and displays a consent screen to the user.
Step 3: If the user consents to the request, the authorization server sends an authorization code (the authorization grant) back to the requesting application.
Step 4: The application then requests an access token from the authorization server using the authorization code.
Step 5: The authorization server identifies the application and checks whether the authorization code is valid. If it is valid, the server issues an access token to the application.
Step 6: The application can now request resources from the resource server using the access token.
Step 7: If the access token is found valid, the resource server grants the resource to the application.
At this point the cycle is complete. The workflow is shown in Figure 1.
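The seven steps above as an added worked example (my code, not part of the original article): a constructed in-memory authorization server and resource server in Python. The client id "photo-printer", its secret and its redirect URI are invented sample values. The example also shows the checks a practitioner wants at steps 3, 5 and 7: the code is bound to the client and redirect URI, it can be exchanged only once, and the access token expires.

```python
import secrets
import time

class AuthorizationServer:
    """Toy in-memory authorization server (added example, not the article's code).
    Clients and tokens live in dicts; a real server uses HTTPS and a database."""

    def __init__(self):
        # client_id -> (client_secret, registered redirect URI): constructed sample client
        self.clients = {"photo-printer": ("s3cret", "https://printer.example/cb")}
        self.codes = {}   # authorization code -> (client_id, redirect_uri, user, scope)
        self.tokens = {}  # access token -> (user, scope, expiry timestamp)

    def authorize(self, client_id, redirect_uri, scope, user, consent):
        """Steps 1-3: after the consent screen, return a one-time authorization code via the
        front channel. None if the client/redirect URI is unknown or the user declines."""
        registered = self.clients.get(client_id)
        if registered is None or registered[1] != redirect_uri or not consent:
            return None
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, redirect_uri, user, scope)
        return code

    def token(self, client_id, client_secret, code, redirect_uri, ttl=3600):
        """Steps 4-5: the client authenticates over the back channel and exchanges the code
        for an access token. The code must belong to this client and is valid only once."""
        registered = self.clients.get(client_id)
        if registered is None or not secrets.compare_digest(registered[0], client_secret):
            return None
        entry = self.codes.pop(code, None)  # pop: a replayed or forged code is rejected
        if entry is None or entry[0] != client_id or entry[1] != redirect_uri:
            return None
        tok = secrets.token_urlsafe(32)
        self.tokens[tok] = (entry[2], entry[3], time.time() + ttl)
        return tok

    def introspect(self, tok, now=None):
        """Step 7 helper: report the user and scope behind a valid, unexpired token."""
        entry = self.tokens.get(tok)
        if entry is None or (time.time() if now is None else now) >= entry[2]:
            return None
        return {"user": entry[0], "scope": entry[1]}

def fetch_photos(auth_server, tok):
    """Resource server, steps 6-7: release the resource only for a valid token with scope."""
    info = auth_server.introspect(tok)
    if info is None or "photos:read" not in info["scope"].split():
        return None
    return [f"{info['user']}/holiday.jpg"]
```

Running the flow twice with the same code shows why step 5 matters: the second exchange is refused, so a code leaked through the browser cannot be turned into a token again.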

5.0 Benefits of OAuth 2.0

It provides stronger security and is easier to implement.
It is an open standard.
It is a very robust protocol that relies on SSL (Secure Socket Layer), making data very secure.
It allows tokens to expire, which makes resources more secure.
Login credentials are not passed to the requesting application.

6.0 What is OpenID?

What then is OpenID?
Note that OAuth is a standard for authorization. OpenID, on the other hand, is used for authentication: it authenticates a single sign-on identity. It was created for federated authentication, meaning that a third party can be used to authenticate a user who already has an account with that party.
While OAuth can be used for authentication too, that is not what it is designed for. OpenID does that.
Then there is OpenID Connect (OIDC), an authentication protocol based on OAuth 2.0 that serves as an authentication layer on top of OAuth 2.0.

I hope this brief explanation clarifies the concept.