DEV Community

Cover image for OAuth2: An In-Depth Overview and How It Works
Igor Venturelli
Igor Venturelli

Posted on • Originally published at igventurelli.io

OAuth2: An In-Depth Overview and How It Works

In today's interconnected digital world, ensuring secure access to resources across different platforms and services is crucial. OAuth2 (Open Authorization 2.0) has emerged as a leading standard for secure, third-party access to user resources without sharing credentials. This blog post provides an in-depth overview of OAuth2, its architecture, the different grant types, and practical examples using Java and Spring Boot.

What is OAuth2?

OAuth2 is an authorization framework that allows third-party applications to obtain limited access to a user’s resources without exposing their credentials. It decouples authentication from authorization, enabling a secure way to grant access to resources on behalf of the user.

Why OAuth2 is Needed Today

Before OAuth2, the common practice for granting access to user resources involved sharing user credentials (username and password) directly with third-party applications. This approach posed significant security risks:

  • Security Risks: Sharing credentials increases the risk of data breaches and unauthorized access.
  • Limited Control: Users had limited control over what third-party applications could access.
  • Scalability Issues: Managing credentials and access control became increasingly complex as the number of applications grew.

OAuth2 addresses these issues by providing a secure and standardized way to grant access without sharing credentials, thereby enhancing security and user control.

Main Grant Types in OAuth2

OAuth2 defines several grant types to accommodate different use cases:

  1. Authorization Code Grant: Used for server-side applications. The user grants access to a client by providing an authorization code, which the client then exchanges for an access token.
  2. Client Credentials Grant: Used for system-to-system communication. The client directly requests an access token using its own credentials, without user involvement.
  3. Implicit Grant: Used for client-side applications. The access token is issued directly to the client without the intermediate step of exchanging an authorization code.
  4. Resource Owner Password Credentials Grant: Used when the user trusts the client. The client requests an access token by directly using the user’s credentials.

Key Players in the OAuth2 Framework

  • User: The owner of the resources who grants access to a third-party application.
  • Client: The application requesting access to the user’s resources.
  • Authorization Server: The server that authenticates the user and issues access tokens.
  • Resource Server: The server hosting the user’s resources.
  • Identity Provider (IdP): An entity that verifies user identities, often integrated with the authorization server.

OAuth2 Flows (The OAuth2 Dance)

The OAuth2 process varies depending on the grant type. Here's a brief overview of the two most common flows:

Authorization Code Flow

  1. User Authorization: The client redirects the user to the authorization server.
  2. Authorization Grant: The user grants access and receives an authorization code.
  3. Access Token Request: The client exchanges the authorization code for an access token.
  4. Access Resource: The client uses the access token to access the user's resources.

Client Credentials Flow

  1. Token Request: The client requests an access token from the authorization server using its own credentials.
  2. Access Token: The authorization server issues an access token.
  3. Access Resource: The client uses the access token to access resources.

Practical Examples in Java/Spring Boot

Let's look at some practical examples of implementing OAuth2 in a Spring Boot application.

Setting Up OAuth2 in Spring Boot

First, add the necessary dependencies to your pom.xml:

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-oauth2-client</artifactId>
</dependency>
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>

Enter fullscreen mode Exit fullscreen mode

Authorization Code Grant Example

Configure your application to use the authorization code grant type:

spring:
  security:
    oauth2:
      client:
        registration:
          my-client:
            client-id: your-client-id
            client-secret: your-client-secret
            authorization-grant-type: authorization_code
            redirect-uri: "{baseUrl}/login/oauth2/code/{registrationId}"
            scope: read,write
        provider:
          my-client:
            authorization-uri: <https://auth-server.com/oauth/authorize>
            token-uri: <https://auth-server.com/oauth/token>
            user-info-uri: <https://auth-server.com/userinfo>

Enter fullscreen mode Exit fullscreen mode

Securing Resources with OAuth2

Create a security configuration class to secure your resources:

import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.client.web.OAuth2LoginAuthenticationFilter;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class SecurityConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeRequests(authorizeRequests ->
                authorizeRequests
                    .antMatchers("/public").permitAll()
                    .anyRequest().authenticated()
            )
            .oauth2Login(withDefaults());
        return http.build();
    }
}

Enter fullscreen mode Exit fullscreen mode

Client Credentials Grant Example

Configure your application to use the client credentials grant type:

spring:
  security:
    oauth2:
      client:
        registration:
          my-client:
            client-id: your-client-id
            client-secret: your-client-secret
            authorization-grant-type: client_credentials
            scope: read,write
        provider:
          my-client:
            token-uri: <https://auth-server.com/oauth/token>

Enter fullscreen mode Exit fullscreen mode

Conclusion

OAuth2 provides a robust and flexible framework for securing access to resources in today's digital landscape. By understanding its architecture, key players, and grant types, developers can implement secure authentication and authorization in their applications. With practical examples in Java and Spring Boot, you can start leveraging OAuth2 to enhance the security of your applications and provide a seamless user experience.


Let’s connect!

📧 Don't Miss a Post! Subscribe to my Newsletter!
➡️ LinkedIn
🚩 Original Post
☕ Buy me a Coffee

Top comments (0)