Most websites that users visit today have some sort of user authentication to access their services. Previously website providers would implement HTTP Basic Authentication where the user would be asked for a username and password through a form on the web page. The site would then use that information to log in as you. The client would receive an authenticated API key ID and a secret to then send to the server with each HTTP request.
What’s wrong with this?
Giving log in credentials to a third-party application or site can greatly compromise security. Once the credentials have been acquired they cannot be revoked. Also, there is no way to control how much user access these applications have in the system.
Enter OAuth. The idea behind OAuth is that you grant the application authorization to data while keeping authentication secure. This limits access to only information that is required which can be revoked at any time.
OAuth works through a series of steps. First the third party application requests a token with a secret from the provider. Once granted, the third party application has the user login to the provider with the token to grant the levels of access required. Once approved, the provider marks the token on their end and it can be used to access the API within the allowable scope. See the info-graphic below for a visual representation of this.
Implementation of this depends on the framework being used. I primarily use Java so I would choose the Spring security module within Spring Boot. For more information and a tutorial please see the link listed in resources.
That is all I have for my post this week. I hope you learned what OAuth is and how it works within an application. Feel free to like and comment the post below as I will greatly appreciate it.
Resources:
Spring Boot OAuth Tutorial:
https://spring.io/guides/tutorials/spring-boot-oauth2/
Sobers, R. (2018, August 30). What is OAuth? Definition and how it works. Inside Out Security. Retrieved September 12, 2021, from https://www.varonis.com/blog/what-is-oauth/.
Raible, M. (2017, June 21). What the heck IS OAuth? Okta Developer. Retrieved September 12, 2021, from https://developer.okta.com/blog/2017/06/21/what-the-heck-is-oauth.
Paul, R. (2010, January 18). OAuth and OAUTH Wrap: Defeating the password anti-pattern. Ars Technica. Retrieved September 12, 2021, from https://arstechnica.com/information-technology/2010/01/oauth-and-oauth-wrap-defeating-the-password-anti-pattern/.
Top comments (1)
Great article
api7.ai/blog/apisix-supports-oauth... takes a deeper dive.