OAuth 2.0 Authorization Code Grant

OAuth 2.0 provides a number of useful features when it comes to authentication and authorization mechanisms. Let's take a closer look at the authorization code grant.

By Alex Staveley · Aug. 08, 18 · Presentation

OAuth 2.0 provides a number of security flows (or grant types) that allow an application to access a user's data held in another application. In this blog, we will look at one OAuth 2.0 grant: the authorization code grant.

Firstly, we need to review a number of definitions:

  • Client: This is the application that the user is currently interacting with. For example, let's assume we are looking at the fictitious funky blogging site: www.myfunkyblog.com. The client wants to communicate with another application and retrieve something about the user from there. For example, they could want to retrieve their favorite photo! Let's assume the fictitious megaphotosharing.com as the service that the client wishes to access.
  • Client ID: This is an ID that identifies the client. It can be passed around openly in Web URLs, etc.
  • Client secret ID: This is a secret ID that only the client knows. This is kept server side and will be used in requests to the application for which access is sought. It cannot be passed around in Web URLs.
  • Resource owner: This is usually the human who is using the client application. The resource owner has data in another application (e.g. megaphotosharing.com) that the client (myfunkyblog.com) wishes to access. The goal is to facilitate that sharing without the need for the resource owner, a.k.a. the human to ever pass their megaphotosharing.com password to myfunkyblog.com. Note: the resource owner doesn't have to be a human, but, according to the OAuth spec, when it is a human, it can also be referred to as the end-user.
  • Resource Server: This hosts the protected resources of the resource owner that the client is interested in. So, this is the megaphotosharing.com server that holds the resource owner's photos that myfunkyblog.com is interested in.
  • Authorization Server: The server that issues a token to myfunkyblog.com after the resource owner has successfully authenticated and allowed myfunkyblog.com to obtain some of their data from megaphotosharing.com. Sometimes, the authorization server and the resource server are effectively the same, but they don't have to be.
  • Access token: A special type of token issued by the megaphotosharing.com authorization server, which gives myfunkyblog.com access to the protected resources. It will contain scope, lifetime, and other access attributes.

Use Cases

So, the use case is that the client (myfunkyblog.com) wants to access information about
the resource owner (the human) from another application — megaphotosharing.com.

Client Registration

The first thing that the client must do is register with the service (megaphotosharing.com), providing its name, website, etc. The service will return a secret client code. The client keeps this private and is responsible for ensuring that only it knows it. Usually, it will encrypt and persist it on the client's back end. The client will also receive a client ID. Unlike the client secret, this is public and can be passed around in URLs.

Flow

Now, let's get to the actual flow. The user is browsing around myfunkyblog.com and accesses a part of the site where myfunkyblog.com wants to know the end-user's favorite photo.

A pop-up screen appears to the end-user. This will have the following URL:

https://megaphotosharing.com/oauth/authorize?response_type=code&client_id=CLIENT_ID&redirect_uri=CALLBACK_URL&scope=read


Key parts of this URL:

  • megaphotosharing.com: This is the domain for the authorization server.
  • response_type=code: This is the required parameter used by the client to inform the authorization server of the desired grant type. An alternative value would be "token," which is for the implicit flow. "Code" means that the client wants an authorization code, which will be returned after the resource owner logs in. This authorization code will be used in a subsequent request by the client.
  • client_id: This contains the required parameter used to identify the client. Remember: this is public and can be passed to and from a web browser.
  • redirect_uri: This is an optional parameter. It enables the client to dynamically specify the URL that the auth server should redirect to. In some flows, this isn't needed; there is only one redirect URI, and this is registered by the client with the service during client registration.
  • scope: This is an optional parameter. It specifies the level of access that the application is requesting. In this case, it is just a read. The auth server uses this to inform the user/resource owner what the client is trying to do.

Then, the user logs into megaphotosharing.com, which tells the user what the client wants to do. If the user selects OK, megaphotosharing.com redirects to the redirect URI passed in the request:

https://myfunkyblog.com/callback?code=212132kjhkhj


Notice how the client ID is passed over the web in a URL, and the authorization code is passed back over the web.

The client then uses the returned authorization code, its client ID, client secret, and the grant type to make a server-to-server POST request to get an access token. This happens entirely on the back end.

https://megaphotosharing.com/v1/oauth/token?client_id=CLIENT_ID&client_secret=CLIENT_SECRET&grant_type=authorization_code&code=212132kjhkhj&redirect_uri=CALLBACK_URL


  • client_id and client_secret identify the client. This is a back-end request, and hence it is okay to pass the client_secret, which would obviously never be passed to or from the browser.
  • grant_type: This must be set to authorization_code. As the name indicates, this tells the server that the client is using the authorization code grant; the server can also use it to determine which flows are available. If the client was using the Client Credentials Grant, this value would be "client_credentials." If the client was using the Resource Owner Password Credentials Grant, the value would be "password."
  • code: 212132kjhkhj: The actual authorization code that was returned by the authorization server in response to the initial authorization request. This is required.
  • redirect_uri: If the redirect_uri was included in the authorization request, this value must be the same as the value used in that request.

The client then receives back an access token. It will look something like this:

{"access_token":"ACCESS_TOKEN","token_type":"bearer","expires_in":2592000,"refresh_token":"REFRESH_TOKEN","scope":"read","uid":1001013121222}


Now, it will use this to access some of the resource owner's data.
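The four client-side steps of the flow above, as an added Python example that is not part of the original article: it builds the authorization URL, checks the callback, prepares the token request and validates the token response. Host names and the callback path follow the article's fictitious sites but are placeholders; the state parameter is an addition beyond the page (RFC 6749 recommends it so the callback can be tied to the request that started it), and the client secret is sent in the POST body as the RFC specifies rather than in the query string shown above.

```python
# Added example, not code from the article: the four client-side steps of the authorization
# code grant, offline with the stdlib. Host names, the state nonce and all IDs are placeholders.
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AUTH_SERVER = "https://megaphotosharing.com"       # authorization server named in the article
CALLBACK_URL = "https://myfunkyblog.com/callback"  # the registered redirect_uri (assumed)

def build_authorize_url(client_id: str, scope: str, state: str) -> str:
    """Step 1: the URL the end-user's browser is sent to; only the public client_id is in it.
    'state' is a per-session nonce the article omits; RFC 6749 recommends it so that the
    callback can be tied to the request that started it."""
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": CALLBACK_URL, "scope": scope, "state": state}
    return AUTH_SERVER + "/oauth/authorize?" + urlencode(params)

def parse_callback(callback_url: str, expected_state: str) -> str:
    """Step 2: pull the authorization code out of the redirect back to the client,
    refusing a callback whose state does not match the one issued in step 1."""
    query = parse_qs(urlsplit(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback not tied to a request we started")
    if "error" in query:
        raise ValueError("authorization server returned " + query["error"][0])
    return query["code"][0]

def build_token_request(client_id: str, client_secret: str, code: str) -> tuple:
    """Step 3: the back-end POST that swaps the code for a token. The client secret goes in the
    form body of this server-to-server request (RFC 6749 section 4.1.3), never via the browser."""
    body = {"grant_type": "authorization_code", "code": code, "redirect_uri": CALLBACK_URL,
            "client_id": client_id, "client_secret": client_secret}
    return AUTH_SERVER + "/v1/oauth/token", body

def parse_token_response(raw: str) -> dict:
    """Step 4: check the JSON token response before using access_token as a Bearer credential."""
    tok = json.loads(raw)
    if tok.get("token_type", "").lower() != "bearer" or not tok.get("access_token"):
        raise ValueError("unexpected token response")
    return {"access_token": tok["access_token"], "expires_in": int(tok["expires_in"]),
            "scope": tok.get("scope", ""), "refresh_token": tok.get("refresh_token")}

def run_flow_demo() -> dict:
    """Drive steps 2-4 on constructed data (the code and JSON shown in the article)."""
    state = secrets.token_urlsafe(16)
    code = parse_callback(CALLBACK_URL + "?code=212132kjhkhj&state=" + state, state)
    url, body = build_token_request("CLIENT_ID", "CLIENT_SECRET", code)
    sample = ('{"access_token":"ACCESS_TOKEN","token_type":"bearer","expires_in":2592000,'
              '"refresh_token":"REFRESH_TOKEN","scope":"read","uid":1001013121222}')
    return {"token_url": url, "code_sent": body["code"], **parse_token_response(sample)}
```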

So What's the Big Deal?

  • There are obviously some big advantages for users, who no longer have to give one website their password for another site.
  • This reduces the number of passwords a user needs to remember.
  • This also allows richer websites by allowing disparate applications to talk to each other.

Why Do People Find It Confusing?

There are a number of reasons why people find OAuth 2.0 confusing:

  • There are a few different flows or grants. The authorization code grant is just one. Sometimes, when you Google explanations for OAuth 2.0, you get explanations for different grants without it being clear what is and isn't being explained. Hence, this is why I put the authorization code grant in the title.
  • Terminology. I'll just speak for myself. But, if I am reading quickly, I am likely to:
    • Confuse "Client" with the end-user
    • Get confused between the resource server and the authorization server
  • Consistency: a lot of places implement OAuth 2.0 or something very similar to OAuth, but they will refer to things differently along the way. For example, go to quora.com and try to log in with Google. You are taken to:
https://accounts.google.com/signin/oauth/oauthchooseaccount?client_id=917071888555.apps.googleusercontent.com&as=rdWeinbqWJbt6ChoW2f3Fg&destination=https%3A%2F%2Fwww.quora.com&approval_state=!ChRyQlhnbEYzai1xQTliNlNmTEVmNRIfZ3doM2hlRVIycGdiMEVBN1JaNXdOM085MERXLVVCWQ%E2%88%99ANKMe1QAAAAAW2i2to0SOyO2_w3k3O4gjwUKQLGNmZ2h&oauthgdpr=1&xsrfsig=AHgIfE8EzSxvWfzyxou0dwLDxv4GhD6e5g&flowName=GeneralOAuthFlow


There's no response_type in that URL. OAuth is an authorization spec. It is usually used with an authentication spec, like OpenID Connect, but that is actually a separate spec.


Published at DZone with permission of Alex Staveley, DZone MVB. See the original article here.
