oauth-basic

OAuth

OAuth 2 is an authorization framework that enables applications to obtain limited access to user accounts on an HTTP service, such as Facebook, GitHub, and DigitalOcean. It works by delegating user authentication to the service that hosts the user account, and authorizing third-party applications to access the user account. OAuth 2 provides authorization flows for web and desktop applications, and mobile devices.

OAuth Roles

In our case, the application we are building would be the third-party application, Facebook would be our HTTP service, and the end-user would be the resource owner. These map onto the following OAuth roles:

  • Resource Owner / End user (the one who enters the username and password) - The user who authorizes a third-party application to access certain protected resources held by a resource server (Facebook).
  • Client - The third-party application that makes protected-resource requests to a resource server on behalf of the resource owner (the end user).
  • Resource Server - Hosts the protected resources, e.g. the user profile (provided by Facebook).
  • Authorization Server - Responsible for authenticating the resource owner and issuing access tokens to clients (also provided by Facebook).

OAuth Flow

For a successful user authentication to happen, a series of steps needs to be followed:

  1. The client (our application in this case) requests authorization from the end-user, who is asked to enter their username and password.
  2. Once the end-user authorizes the client, an authorization grant is issued.
  3. Our client then requests an access token from the authorization server, presenting the authorization grant.
  4. The authorization server validates the grant and authenticates the client. If both checks succeed, an access token is issued to the client; the client ends up holding only the access token.
  5. Our client then uses the access token to request the protected resource from the resource server.
  6. The resource server validates the access token and, if it is valid, returns the requested protected resources to the client.

Application Registration

Before using OAuth with your application, you must register your application with the service (Facebook, GitHub, etc.). This is done through a registration form in the “developer” or “API” section of the service’s website, where you will provide the following information (and probably further details about your application):

  • Application Name
  • Application Website
  • Redirect URI or Callback URL

The redirect URI is where the service will redirect the user after they authorize (or deny) your application, and therefore the part of your application that will handle authorization codes or access tokens.

Client ID and Client Secret

Once your application is registered, the service will issue “client credentials” in the form of a client identifier and a client secret. The Client ID is a publicly exposed string that is used by the service API to identify the application, and is also used to build authorization URLs that are presented to users. The Client Secret is used to authenticate the identity of the application to the service API when the application requests to access a user’s account, and must be kept private between the application and the API.

OAuth scopes

Scopes let you specify exactly what type of access the third-party application needs before it receives the access token. Scopes limit what an OAuth token is allowed to do. When Facebook responds to your OAuth request, the requested scopes are displayed to the user when they are asked to approve the request, so the user can see what access the third-party application is trying to obtain.

OAuth does not define any particular values for scopes, since it is highly dependent on the service’s internal architecture and needs.
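The following is an added example, not code from the original page, that walks through the six steps of the flow above, the client-secret check at the token endpoint (the "Client ID and Client Secret" section), and scope enforcement at the resource server. All three roles are simulated in one Python process and talk through plain dicts instead of HTTP, so it runs offline. The endpoint URLs, the client_id and client_secret values, the user name and the scope names read:profile and read:email are assumptions made up for the example; the request and response field names (response_type, state, grant_type, access_token, token_type, and the error codes) are the ones RFC 6749 uses.

```python
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# What "Application Registration" produces; the values are constructed for this example.
REGISTERED_CLIENTS = {"client-123": {"secret": "example-client-secret",
                                     "redirect_uri": "https://app.example/callback"}}


class AuthorizationServer:   # authenticates the user, issues codes, exchanges them for tokens
    def __init__(self):
        self._codes = {}   # authorization code -> grant details (single use)
        self.tokens = {}   # access token -> {user, scope, expires_at}

    def authorize(self, query, user, consent):
        # Authorization endpoint: the consent screen shows query["scope"] to the user.
        client = REGISTERED_CLIENTS.get(query["client_id"])
        if client is None or query["redirect_uri"] != client["redirect_uri"]:
            raise ValueError("unknown client_id or redirect_uri mismatch")
        if not consent:
            return {"error": "access_denied", "state": query["state"]}
        code = secrets.token_urlsafe(24)
        self._codes[code] = {"client_id": query["client_id"], "scope": query["scope"],
                             "redirect_uri": query["redirect_uri"], "user": user}
        return {"code": code, "state": query["state"]}

    def token(self, form):
        # Token endpoint: authenticate the client with its secret, then validate the grant.
        client = REGISTERED_CLIENTS.get(form["client_id"])
        if client is None or not secrets.compare_digest(client["secret"], form["client_secret"]):
            return {"error": "invalid_client"}
        grant = self._codes.pop(form["code"], None)   # a code can be redeemed only once
        if (grant is None or grant["client_id"] != form["client_id"]
                or grant["redirect_uri"] != form["redirect_uri"]):
            return {"error": "invalid_grant"}
        token = secrets.token_urlsafe(32)
        self.tokens[token] = {"user": grant["user"], "scope": grant["scope"],
                              "expires_at": time.time() + 3600}   # one-hour lifetime
        return {"access_token": token, "token_type": "Bearer",
                "expires_in": 3600, "scope": grant["scope"]}


class ResourceServer:   # validates bearer tokens and enforces the scope each resource needs
    REQUIRED_SCOPE = {"/me": "read:profile", "/me/email": "read:email"}

    def __init__(self, auth_server):
        self._auth = auth_server   # stands in for token validation over HTTP

    def get(self, path, authorization_header):
        scheme, _, token = authorization_header.partition(" ")
        info = self._auth.tokens.get(token) if scheme == "Bearer" else None
        if info is None or info["expires_at"] < time.time():
            return 401, {"error": "invalid_token"}
        needed = self.REQUIRED_SCOPE[path]
        if needed not in info["scope"].split():
            return 403, {"error": "insufficient_scope", "scope": needed}
        return 200, {"user": info["user"], "resource": path}


class Client:   # the third-party application
    def __init__(self, client_id, client_secret, redirect_uri):
        self.client_id, self.client_secret, self.redirect_uri = client_id, client_secret, redirect_uri
        self._pending_states = set()

    def authorization_url(self, scope):
        state = secrets.token_urlsafe(16)   # binds the callback to this login attempt
        self._pending_states.add(state)
        return "https://auth.example/authorize?" + urlencode({
            "response_type": "code", "client_id": self.client_id,
            "redirect_uri": self.redirect_uri, "scope": scope, "state": state})

    def handle_callback(self, callback_url, auth_server):
        params = {k: v[0] for k, v in parse_qs(urlparse(callback_url).query).items()}
        if params.get("state") not in self._pending_states:
            raise ValueError("state mismatch: callback was not started by this client")
        self._pending_states.discard(params["state"])
        if "error" in params:   # the user denied the request
            return None
        return auth_server.token({"grant_type": "authorization_code", "code": params["code"],
                                  "redirect_uri": self.redirect_uri,
                                  "client_id": self.client_id, "client_secret": self.client_secret})


def run_flow(scope="read:profile", consent=True):
    # Runs steps 1-6; returns the token response and the resource server's status per path.
    auth_server = AuthorizationServer()
    resource_server = ResourceServer(auth_server)
    reg = REGISTERED_CLIENTS["client-123"]
    client = Client("client-123", reg["secret"], reg["redirect_uri"])
    # Steps 1-2: the browser is sent to the authorization server, which redirects back with a code.
    query = {k: v[0] for k, v in parse_qs(urlparse(client.authorization_url(scope)).query).items()}
    callback = client.redirect_uri + "?" + urlencode(auth_server.authorize(query, "alice", consent))
    # Steps 3-4: the client redeems the code, authenticating with its secret, for an access token.
    token_response = client.handle_callback(callback, auth_server)
    if not token_response or "access_token" not in token_response:
        return token_response, {}
    # Steps 5-6: the client presents the bearer token; the resource server checks its scope.
    header = "Bearer " + token_response["access_token"]
    return token_response, {p: resource_server.get(p, header)[0] for p in ("/me", "/me/email")}
```

Calling run_flow("read:profile") issues a token and answers /me with 200 but /me/email with 403, because the token was only granted the profile scope; run_flow(consent=False) produces no token at all. The state parameter, the exact redirect_uri match, the single-use code and the client-secret check are the four checks that make the flow hold up, and they are the ones most often skipped in hand-written clients and servers.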
