OAuth2 With In-Memory and PostgreSQL Database Example, Part 1
In the first of this two-part article, we look at the roles involved in authentication a request via OAuth, the protocol flow, and how authorization is granted to a user.
Join the DZone community and get the full member experience.Join For Free
Nowadays, security is very important for everywhere like working with small and huge applications, live projects, banks, small and huge companies, schools, etc...
I will go through and discuss security in small applications and live projects in this article.
Today, I am going to explain the OAuth 2 life cycle with a framework as per my understanding. I will explain the basics of OAuth 2 with the example of a Spring Boot CRUD operation with In-memory and a Postgres SQL database.
- Overview of OAuth 2
- Introduction to OAuth2 Authentication
- Why Use OAuth2?
- OAuth2 Architecture
- Advantages and Disadvantages of OAuth2
- Authorization Code Grant Requests and Responses
- Implicit Grant Requests and Responses
- Resource Owner Password Credential Grant Requests and Responses
- Client Credential Grant Requests and Responses
Now let's start discussing the oAuth2 framework in depth.
1) Overview of OAuth2 Authentication
Introduction to OAuth2
OAuth2 is an open authentication and authorization protocol which enables us to access data from another application. It works by accessing user authentication to service the app that host's the user account and authorizes third-party applications to access the user account.
OAuth 2 was developing by the IETF (Internet Engineering Task Force) OAuth working group and was published in October 2012.
Why Use OAuth2?
OAuth2 allows the user to read data from one application while working in another application. OAuth2 provides an authorization flow for web, desktop, and mobile applications. OAuth2 is a server-side web application that uses authorization codes and does not interact with user credentials.
It allows us to access user resources without sharing passwords.
Advantages of OAuth2
It is a flexible protocol that relies on SSL to save user access tokens.
It is useful for cryptography protocols.
It is used to keep user data safe on SSL.
It allows limited access to user data and allows the user to access their data, even when authorization tokens have expired.
It gives the user the power to share their data without having to release personal information.
It is easier to implement and develop small and large applications.
It provides strong authentication and authorization.
Disadvantages of OAuth2
Users can be tracked easily.
If your site or application is connected to a central hub, and that central hub account is hacked, this could lead to serious effects across several sites instead of just one.
2) OAuth2 Roles
OAuth defines the following roles for users and applications:
- Resource Owner
- Client Application
- Resource Server
- Authentication Server
The resource owner is the user who authorizes the application to access their account. The application's access to a user's account is limited to the scope of authorization granted, i.e. read and write access. Thus, the resource owner is an entity capable of granting access to a protected resource. When the resource owner is a person, they are called the end-user.
The client is an application which requests resources to perform an action on behalf of the resource owner, thus the client application is the entity that wants to access a user's account. Before clients do something, it must be authorized by the user and the authorization must be validated by the API. Clients can be an application, a user, a mobile device, etc.
The resource server is an API server that can be used to access the user's information. It has the power of accepting and responding to resource requests with the help of access tokens.
The authentication server is the server for authorizing the client application to access data or resources that belong to the resource owner. It gets permission from the resource owner and distributes the access token to the client to access the resource that is hosted by the resource server.
3) Abstract Protocol Flow
Now, let's see discuss how the above roles interact with each other.
Here is a more detailed explanation of the steps in the diagram:
- The client application requests access to the service/resource from the resource owner. The authorization request can be made directly to the user or indirectly via the authentication server as an intermediary.
- If the user authorized the request, a client application receives an authorization grant.
- The client application requests an access token from the authentication server by presenting authentication of its identity and the authorization grant.
- The authentication server receives a request for the access token of the client. After receiving the request, the authentication server authenticates the client and validates their identity. If authentication is granted and the client is valid, then the authentication server sends an access token to the client application. Authorization is then complete.
- After receiving an access token from the authentication server, the application requests the resource from the resource server and presents the access token for authentication.
- Resource servers receive the access token and verify whether the token is valid or not. If the token is valid, then the resource server serves the resource or data to the client.
4) Application Registration
Before your application uses OAuth, you must register your application with the service. After opening OAuth's website, go to the developer or API portion of the site. Here, you give information about your application like:
- Application Name
- Application Website
- Redirect URL or Call back URL
The redirect URL represents the service that will redirect the user after they authorize or deny your application and, therefore, the part of your application that will handle authorization codes or access tokens. Once your application is registered, the service will send client credentials in the form of a client identifier and client secret.
The Client ID is a string that is used by service APIs to identify your application and to authorize URLs that are represented to users.
The Client Secret is used to authenticate the identity of your application to the service API when the application requests access to a user's account and must be kept private between the application and the API.
5) Authorization Grant
The authorization grant is given to a client application by the resource owner, in cooperation with the authentication server associated with the resource server. OAuth2 gives four different types of authorization grants. Each type has different security characteristics. The authorization grant types are:
- Authorization Code: used with server-side applications.
- Implicit: used with mobile and web applications.
- Resource Owner Password Credentials: used with trusted applications.
- Client Credentials: used with applications' API access.
Now we will describe grant types in more detail and their use cases and flows, in the following sections.
I will explain the authorization code block via a diagram and step-by-step information, which is mentioned in the diagram, which shows the role of the authorization code in OAuth2. Now let's start to discuss the authorization code:
- The resource owner (user) sends a request to access the client application.
- The client application gives a response to the user to login to the client application via the authorization server.
- After receiving a login request from the client application, the resource owner (user) sends a login request via the authorization server.
- The authorization server sends a request for the client ID and client secret back to the user via a redirected URI and OAuth code. This way, the authorization server easily knows which resource is accessed by the user based on the client ID.
- The resource owner receives a redirected URI and sends the client ID and client secret to the client application.
- The client application gets the client ID and secret and sends it to the authorization server.
- The authorization server validates the client ID and secret to check whether or not it is valid. If it is valid, then the authorization server generates an access token and sends it to the client application.
- After receiving an access token, the client application sends a success message to the resource owner.
- Now successfully logged in, the resource owner accesses the client application and sends a request to get more data/details/resources from the client application.
- The client application can now use the access token to request resources from the resource server. The access token serves as the authenticator of the client and resource owner (user) and provides authorization to access the resources.
- The resource server receives a request and access token from the client application. After sending any data/details/resources, the resource server verifies the access token and sends it to the authorization server to check whether or not the access token is valid. After receiving a valid response back from the authorization server, the resource server returns the data/details/resources which the client requested.
- The client application receives a response from the resource server and shows the resources to the user.
- Now the user can see the resources from the client application.
Implicit Authorization Grant
An implicit authorization grant is similar to an authorization code grant, except the access token is returned to the client application after the user has finished the authorization. The access token is thus returned when the user agent is redirected to the redirect URI.
This, of course, means that the access token is accessible to the user agent, or native application participating in the implicit authorization grant. The access token is not stored securely on a web server.
Furthermore, the client application can only send its client ID to the authorization server. If the client were to send its client secret as well, then the client secret would have to be stored in the user agent or native application too.
Implicit authorization grant is mostly used in a user agent or native client application. The user agent or native application receives the access token from the authorization server.
Here is a diagram showing how implicit authorization grants work, which describes the workflow of said authorization process:
Resource Owner Password Credentials
The resource owner password credential authorization grants method works by giving the client application access to user credentials. With the resource owner's password credentials grant type, the user provides their service credentials (username and password) directly to the application, which uses the credentials to obtain an access token from the service.
This grant type should only be enabled on the authorization server.
Using the resource owner password credentials requires a lot of trust in the client application. You do not want to type your credentials into an application you suspect might abuse it.
The resource owner password credentials would normally be used by user agent client applications or native client applications.
Password Credential Flow:
After the user gives their credentials to the application, the application will then request an access token from the authorization server. The POST request might look something like this:
If the user credentials check out, the authorization server returns an access token to the application. Now the application is authorized.
Client Credential Authorization Grant
The client credential authorization is for the situations where the client application needs to access resources or call functions in the resource server, which are not related to a specific resource owner (user).
Client Credentials Flow
The application requests an access token by sending its credentials, its client ID, and client secret, to the authorization server. An example POST request might look like the following:
If the application credentials check out, the authorization server returns an access token to the application. Now the application is authorized to use its own account.
Tune back in tomorrow when we'll go over client types, endpoints, and requests and responses!
Opinions expressed by DZone contributors are their own.