This blog post will steer you through the technicalities of OAuth 2.0 and how to make use of its resource sharing capabilities.
Authentication vs Authorization
First, let's get to know what the most basic keywords related to OAuth mean.
Authentication: The act of validating that users are who they claim to be.
Authorization: The process of giving the user permission to access a specific resource or function.
What is OAuth 2.0?
Web applications are now used for almost every task, and almost all of them require you to register in order to receive the service they provide. It is troublesome, and in practice impossible, for a human to remember a separate user ID and password for every one of these applications. This is where OAuth 2.0 comes into play.
OAuth stands for Open-standard Authorization. It is a framework/protocol that allows third-party applications to obtain limited access to an HTTP service, either on behalf of the resource owner or by allowing the third-party application to access the service on its own behalf. For example, you can give your Instagram account permission to access your Facebook friend list without handing Instagram your Facebook password. Because the password is never shared with the third party, OAuth reduces the risk of security breaches and keeps your data safe.
Before we move on to a sample application of OAuth let's look into the common terms used in OAuth2.0.
Roles
There are four types of roles in OAuth 2.0.
- Resource Owner: An entity capable of granting access to a protected resource (End user).
- Client: An application making protected resource requests on behalf of the resource owner and with its authorization.
- Resource Server: The server hosting the protected resources, capable of accepting and responding to protected resource requests using access tokens.
- Authorization Server: The server issuing access tokens to the client after successfully authenticating the resource owner and obtaining authorization.
OAuth Grant Types
An authorization grant is a credential representing the resource owner's authorization, used by the client to obtain an access token.
According to the OAuth 2.0 specification, there are five types of grants.
Authorization Code Grant
- The client application directs the resource owner/end user to an authorization server.
- The authorization server authenticates the resource owner.
- Then the authorization server returns the authorization code to the client application.
- The client application then exchanges the authorization code at the authorization server's token endpoint for an access token.
Implicit Grant
- The client application is issued an access token directly, without an intermediate authorization code.
- The authorization server does not authenticate the client application.
Password Credentials Grant Type
- The resource owner provides the username and password directly to the client application.
- Used only when the client application can be fully trusted with the resource owner's credentials.
Client Credential Grant Type
- Used by the client application to obtain an access token outside of the context of a user.
Refresh Token
- Used by the client application to exchange a refresh token for a new access token when the access token has expired.
Endpoints
There are three main protocol endpoints in OAuth 2.0.
- Authorization Endpoint: Used by the client to obtain authorization from the resource owner via user-agent redirection.
- Token Endpoint: Used by the client to exchange an authorization grant for an access token, typically with client authentication.
- Redirection Endpoint: Used by the authorization server to return responses containing authorization credentials to the client via the resource owner user-agent.
Here, I have implemented a sample application that asks users for consent to sign in with Facebook Login.
High-level Flow of the Protocol in the Sample Application
Steps
Registering the Application
Go to the Facebook for Developers website.
Create an application by providing a name for the application.
Then select the 'Facebook Login' set up.
Next, add the redirect URL your application uses for authentication to the Facebook Login settings; the authorization server will only redirect back to a registered address, so OAuth works only for that specific URL.
Thereafter, go to basic settings and copy/note down the Client ID/App ID and the Client Secret.
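The client side of the authorization code flow described above, tying the three endpoints to the Client ID, Client Secret and registered redirect URL noted down during registration. This is an added example, not the post's sample application; the endpoint URLs, credentials, redirect URI and scopes are constructed placeholders.

```python
"""Client side of the OAuth 2.0 authorization code grant (added example).
Endpoint URLs, client id, client secret and redirect URI are constructed
placeholders; fill in the values noted down when registering the application."""
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

AUTHORIZATION_ENDPOINT = "https://authz.example/authorize"  # placeholder
TOKEN_ENDPOINT = "https://authz.example/token"              # placeholder
CLIENT_ID = "APP_ID_PLACEHOLDER"                            # from basic settings
CLIENT_SECRET = "CLIENT_SECRET_PLACEHOLDER"                 # from basic settings
REDIRECT_URI = "https://myapp.example/callback"             # must match the registered URL


def new_state() -> str:
    """Unguessable per-login value that ties the redirect back to this session."""
    return secrets.token_urlsafe(32)


def build_authorization_url(state: str, scope: str = "public_profile email") -> str:
    """Step 1: URL the client redirects the resource owner to (authorization endpoint)."""
    params = {
        "response_type": "code",      # ask for an authorization code, not a token
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,               # example scopes; placeholder values
        "state": state,
    }
    return f"{AUTHORIZATION_ENDPOINT}?{urlencode(params)}"


def parse_redirect(callback_url: str, expected_state: str) -> str:
    """Step 3: the authorization server sends the user-agent back to our redirection
    endpoint with ?code=...&state=...; hand out the code only if state matches,
    which rejects callbacks this session never initiated."""
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        raise PermissionError(f"authorization refused: {query['error'][0]}")
    if query.get("state", [None])[0] != expected_state or "code" not in query:
        raise ValueError("state mismatch or missing code: callback rejected")
    return query["code"][0]


def build_token_request(code: str) -> dict:
    """Step 4: form body POSTed to the token endpoint, authenticated with the
    client secret, to exchange the one-time code for an access token."""
    return {"grant_type": "authorization_code", "code": code,
            "redirect_uri": REDIRECT_URI, "client_id": CLIENT_ID,
            "client_secret": CLIENT_SECRET}
```

The token request body is sent server-side over TLS to `TOKEN_ENDPOINT`, so the client secret never reaches the browser.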
Great post! Continue with your Tech enthusiasm
Thank You!