OAuth 2.0 Framework

Why do we need OAuth 2.0?
Consider an example: I am playing a game, and the game app wants to publish my score to my Facebook account. To do so the game app needs access to my Facebook account. Another example is a banking app that needs information stored in my Google account. Handing the app my Facebook or Google password would give it full access to the account; what is wanted is limited, revocable access. For such cases, where a third-party app needs access to a resource on behalf of its owner, a strong authorization framework is required, and OAuth 2.0 is one.

The OAuth 2.0 authorization framework enables a third-party application (the game app or banking app above) to obtain limited access to an HTTP service (in the examples above, the service holding the information in my Facebook or Google account), either on behalf of a resource owner, by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf.

OAuth 2.0 Explained in steps (the authorization code grant):
1.  Client, for example a banking web site, needs your information stored in your Google account.
2.  Client redirects the user's browser to the Google authorization server with the following information -

   i) client_id = id registered on the Google auth server; assigned when the app owner registers the app.
   ii) redirect_uri = URI registered on the Google auth server by the app owner; the auth server sends the code back to this URI, so the value sent here must match the registered one exactly, otherwise the code could be delivered to someone else's page.
   iii) response_type = code, asking the auth server to return an authorization code.
   iv) state = an unguessable value generated by the client for this request; the auth server echoes it back unchanged (RFC 6749 section 10.12 recommends this so the client can reject callbacks it did not initiate).
   
3.  The Google auth server asks the end user to authenticate, i.e. a form is presented asking the app user to enter their Google username/password, and to approve the access the client is requesting. The client never sees these credentials.
4.  The auth server redirects the browser back to the redirect_uri with the code (and the state) as query parameters, and the client receives the code. The client checks that the state matches the one it sent before using the code. The code is short-lived and single-use.
5.  Client sends the request for a token to the auth server's token endpoint (directly, server to server, not via the browser) with the code and the following information -

   i) client_id = id registered on the Google auth server, as in step 2.
   ii) client_secret = secret issued to the app owner when the app was registered; this is generally auto-generated by the auth server, the Google auth server in this example. It must stay on the client's server and never be sent to the browser.
   iii) redirect_uri = the same value that was sent in step 2.
   iv) grant_type = authorization_code
   v) code = code received in the previous step.
   
6.  Client receives the access token, with an expiry time (expires_in) set by the auth server, and usually a refresh token as well.
7.  Client sends the access request to the resource server with this token, typically in the Authorization: Bearer header.
8.  The resource server checks the validity and expiry of the token. If the token is valid, the client's operation on the resource is allowed.
9.  If the token is expired the client receives an error; in this case the client asks the auth server for a new access token by sending the refresh token (grant_type = refresh_token, together with client_id and client_secret).
10.  For details of the OAuth 2.0 framework please see RFC 6749.
11.  Other examples of auth servers are the Facebook and GitHub auth servers.
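The nine steps above, run end to end as an added example (this is not code from the original post, and not Google's or any real auth server's implementation). Both the auth server and the resource server are plain in-memory Python functions so the whole exchange runs offline; the client_id, client_secret, redirect_uri, endpoint URL, scope name and the resource returned are all constructed values. It includes the checks a practitioner wants at each step: exact redirect_uri match, state verified before the code is trusted, single-use codes, client_secret compared in constant time, expiry and scope checked at the resource server, and a refresh_token grant for step 9.

```python
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Registration data the app owner set on the auth server (constructed values).
CLIENTS = {"banking-app": {"client_secret": "s3cr3t-issued-by-auth-server",
                           "redirect_uri": "https://bank.example/oauth/callback"}}
AUTH_ENDPOINT = "https://auth.example/authorize"   # hypothetical endpoint
ACCESS_TOKEN_TTL = 3600                            # seconds, set by the auth server

_codes, _tokens, _refresh = {}, {}, {}             # the auth server's in-memory state


def _query(url):
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


# Step 2: the client builds the URL it redirects the browser to.
def build_authorize_url(client_id, scope, state):
    q = {"response_type": "code", "client_id": client_id, "scope": scope,
         "redirect_uri": CLIENTS[client_id]["redirect_uri"], "state": state}
    return f"{AUTH_ENDPOINT}?{urlencode(q)}"


# Step 3: the auth server (user already authenticated and consenting) issues a code
# and returns the redirect URL the browser is sent back to (step 4).
def authorize(url):
    q = _query(url)
    client = CLIENTS.get(q.get("client_id"))
    # Exact redirect_uri match: otherwise the code could be sent to an attacker's page.
    if client is None or q.get("redirect_uri") != client["redirect_uri"]:
        raise ValueError("unknown client_id or redirect_uri mismatch")
    if q.get("response_type") != "code":
        raise ValueError("unsupported_response_type")
    code = secrets.token_urlsafe(24)
    _codes[code] = {"client_id": q["client_id"], "redirect_uri": q["redirect_uri"],
                    "scope": q.get("scope", ""), "expires": time.time() + 600}
    # state is echoed back unchanged so the client can tie the response to its request.
    return q["redirect_uri"] + "?" + urlencode({"code": code, "state": q.get("state", "")})


# Step 4: the client checks state before trusting the code it was handed.
def parse_callback(redirect_url, expected_state):
    q = _query(redirect_url)
    if not secrets.compare_digest(q.get("state", ""), expected_state):
        raise ValueError("state mismatch: response not tied to our request")
    if "error" in q:
        raise ValueError(q["error"])
    return q["code"]


# Steps 5/6 and 9: the token endpoint, for authorization_code and refresh_token grants.
def token_endpoint(grant_type, client_id, client_secret, **params):
    client = CLIENTS.get(client_id)
    if client is None or not secrets.compare_digest(client_secret, client["client_secret"]):
        return {"error": "invalid_client"}
    if grant_type == "authorization_code":
        entry = _codes.pop(params.get("code"), None)   # pop: a code is single-use
        if (entry is None or entry["expires"] < time.time() or entry["client_id"] != client_id
                or entry["redirect_uri"] != params.get("redirect_uri")):
            return {"error": "invalid_grant"}
    elif grant_type == "refresh_token":
        entry = _refresh.get(params.get("refresh_token"))
        if entry is None or entry["client_id"] != client_id:
            return {"error": "invalid_grant"}
    else:
        return {"error": "unsupported_grant_type"}
    access = secrets.token_urlsafe(32)
    _tokens[access] = {"client_id": client_id, "scope": entry["scope"],
                       "expires": time.time() + ACCESS_TOKEN_TTL}
    resp = {"access_token": access, "token_type": "Bearer",
            "expires_in": ACCESS_TOKEN_TTL, "scope": entry["scope"]}
    if grant_type == "authorization_code":                # refresh token issued with the code
        resp["refresh_token"] = secrets.token_urlsafe(32)
        _refresh[resp["refresh_token"]] = {"client_id": client_id, "scope": entry["scope"]}
    return resp


# Steps 7/8: the resource server validates the bearer token; `now` lets a caller model step 9.
def resource_server(authorization_header, required_scope, now=None):
    now = time.time() if now is None else now
    scheme, _, token = authorization_header.partition(" ")
    entry = _tokens.get(token) if scheme == "Bearer" else None
    if entry is None:
        return 401, {"error": "invalid_token"}
    if entry["expires"] < now:
        return 401, {"error": "invalid_token", "error_description": "expired"}
    if required_scope not in entry["scope"].split():
        return 403, {"error": "insufficient_scope"}
    return 200, {"email": "user@example.com"}          # constructed resource


# Steps 2 through 8 end to end; returns (token response, resource server response).
def run_flow():
    cid, c = "banking-app", CLIENTS["banking-app"]
    state = secrets.token_urlsafe(16)
    code = parse_callback(authorize(build_authorize_url(cid, "profile.read", state)), state)
    tok = token_endpoint("authorization_code", cid, c["client_secret"],
                         code=code, redirect_uri=c["redirect_uri"])
    return tok, resource_server(f"Bearer {tok['access_token']}", "profile.read")
```

Calling run_flow() walks the whole exchange once. Two points worth noticing when reading it: the client_secret is only ever used in token_endpoint, the server-to-server call of step 5, never in the browser redirect of step 2; and the code is removed from the auth server's store on first use, so replaying a captured callback URL gets invalid_grant.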