OAuth - What is it? What is its purpose?

41

  • What is OAuth?
  • What is its purpose?
  • What does it do?
  • Are there other alternative technologies to it?
  • It’s not really an access to a database from another domain that happens. I believe that for this they use a technique called OAuth. http://www.diogomafra.com.br/2010/09/como-funciona-autenticacao-oauth.html

  • 2

    Whoever voted negative, could you please tell me why?

2 answers

60


What is OAuth 2.0 and what is it useful for?

OAuth is a web API authorization protocol designed to allow client applications to access a protected resource on behalf of a user.

When we develop a web API we keep in mind that it is consumed by client applications. The idea is that the business logic itself and the application data can be accessed through a web API. What the end user will actually use, on the other hand, is a client application.

Examples of this would be single-page applications (SPAs) built in JavaScript, or a mobile app built for Android.

In addition, client applications are not necessarily just applications that interact directly with the end user. Any application that needs to use the web API in order to operate is a client application of this API.

In this sense, when we use web APIs it is common and necessary to consider that one or more applications will need to interact with this API. More than that, it is common for third parties to need to use these APIs.

If there are protected features in the API, that is, features that must have controlled access and can only be accessed by a specific user, then it is necessary to consider how to deal with these various client applications, because after all the user will not access the resource directly, but will delegate this task to a client application.

An initial option would be for the user to enter their login data (such as username and password) in each client application, but this has some problems. Some of these problems are listed in the specification itself, in free translation below:

  1. Third-party applications need to save user credentials for future use, typically a clear text password.

  2. Servers need to support password authentication despite the security holes inherent in this type of authentication.

  3. Third-party applications gain very broad access to the user’s protected resources, leaving the user without the possibility of restricting the duration of such access or limiting access to a subset of resources.

  4. Users cannot revoke access to a third-party application in an individualized manner without revoking access to all third-party applications, and to do this it is necessary to change the password.

That is why OAuth is needed to authorize safely and coherently in the context of web APIs.

What does OAuth 2.0 do?

OAuth, being a specification, describes in detail a way to treat all the problems considered. It establishes definitions such as:

  • Resource Owner: the entity that is able to control access to a protected resource. It is the "owner of the resource", but it is not always a person. When it is a person, it is the end user.

  • Resource Server: the server that has the protected resources and receives the requests to access these resources.

  • Authorization Server: the server that generates access tokens to allow the client to access the resources that the Resource Owner allowed, with the level of access that the Resource Owner specified.

  • Client: the application that accesses the resources on the Resource Server on behalf of the user. The client can be any type of application that does this.

With these definitions, OAuth establishes that when a client application needs to access a protected resource on the Resource Server it must obtain an "access token". This "access token" is a token containing the information that characterizes the access that the Resource Owner has allowed to the protected resources.

Note that this solves the issues listed because: the client does not need the credentials of the Resource Owner, it only needs a token generated by the Authorization Server, which is a trusted application. Through the token, the Resource Owner can specify custom access, and allow the client access only to a subset of the protected resources. In addition, it is easy to revoke access, as it is enough to invalidate the token granted, not to mention that tokens have a specific lifetime and cannot be used forever.

Besides everything else, OAuth specifies flows. Each flow is for a particular situation of interaction between client, Authorization Server and Resource Server. These flows are detailed and state all the steps necessary to obtain the desired access in that case. To see these flows in detail it is recommended to look at the specification.

Are there alternatives?

There are other ways to manage authorization in web APIs, like the traditional way of using username and password, but as already explained, these more traditional methods tend to have some problems that OAuth was designed to solve.

  • 1

    I gave you the reward without wanting to make a mistake, but you can rest assured that once I’ve completed 1200 points, I’ll offer you another question reward to give you. 'Cause right now the minimum is 200. I’m like, oh, my God I’m slow and distracted not to notice this

  • To install, do I just download the dll extension and that’s it?

  • 1

    @Jose, it’s not really like that. OAuth is a specification, it’s something abstract. In general there are libraries to help you implement OAuth in your application. For example, in ASP.NET Core there is Identity Server 4, but it is not the only option. It is important to understand this distinction: OAuth is a specification, a contract that says what should be done, what flows should be present and how everything should happen, and there are the concrete implementations that should follow the specification.

  • Cool your reply @Leonardo, I left my +1 a long time ago. Want to earn another 200 points? Help me here: How to implement google authorization in Asp.net core? :)
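As an added illustration of the roles described in the answer above (this is not code from the original post, nor from any OAuth library), the following Python sketch models an Authorization Server that issues scoped, expiring opaque tokens and a Resource Server that accepts them. The user, client ids and `read:*` scope names are constructed for the demo; the `now` parameter only exists to make expiry reproducible.

```python
import secrets
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class Grant:
    # What an access token stands for: which client, which owner, which scopes, until when.
    client_id: str
    owner: str
    scopes: frozenset
    expires_at: float


class AuthorizationServer:
    # The only party that ever sees the Resource Owner's password.
    def __init__(self, users, lifetime=3600):
        self._users = users          # constructed demo data: owner -> password
        self._lifetime = lifetime    # token lifetime in seconds
        self._tokens = {}            # opaque token string -> Grant
    def authorize(self, owner, password, client_id, scopes, now=None):
        # The owner authenticates here, not at the client; the client only receives the token.
        if self._users.get(owner) != password:
            raise PermissionError("owner authentication failed")
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._tokens[token] = Grant(client_id, owner, frozenset(scopes), now + self._lifetime)
        return token
    def introspect(self, token, now=None):
        # Returns the Grant behind a live token, or None if unknown, revoked or expired.
        grant = self._tokens.get(token)
        now = time.time() if now is None else now
        if grant is None or now >= grant.expires_at:
            return None
        return grant
    def revoke_client(self, owner, client_id):
        # Revoke one client's access; other clients and the owner's password are unaffected.
        self._tokens = {k: g for k, g in self._tokens.items()
                        if not (g.owner == owner and g.client_id == client_id)}


class ResourceServer:
    def __init__(self, auth_server):
        self._as = auth_server
    def read(self, resource, token, now=None):
        # 401: no valid token; 403: valid token but scope does not cover the resource; 200: allowed.
        grant = self._as.introspect(token, now)
        if grant is None:
            return 401
        if f"read:{resource}" not in grant.scopes:
            return 403
        return 200
```

Run it with two clients holding different scopes: revoking one client's token leaves the other working, and an expired or unknown token is refused without the owner ever changing a password.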

24

What is OAuth?

OAuth is an authorization protocol widely used in scalable web applications. The current version is 2.0, and it uses tokens to access your data on another system and probably in another database.

You have the documentation and examples on the official website: link

What is it used for?

Have you ever thought about how to access your Google or Facebook account in Android games? Well, it’s using this protocol.

It enables other systems to access some data without you having to log in with username and password or enter your data every time, by returning authorization tokens.

How to use it?

In the official documentation there are some examples in several languages; you can create clients to consume data from Facebook, for example, or create an authorization server for other systems to consume.

Check some documentation about the implementation:

Facebook

Google

(Optional) How can I apply it to my PHP script?

It depends on what you need to do. I, for example, create some apps with login through Facebook and Google; you can do this. In addition, you can implement Paypal, pay, and other systems using it.

  • A question: does it take information from servers in addition to data with user permission?

  • Yes. It gives permissions for you to access various information. For example: on Facebook you can access the list of friends, registration data etc.
