Explain OAuth (Open Authorization)
OAuth is an open standard for authorization, not authentication (OpenID can be used for authentication), so OAuth is not an authentication protocol. It is a delegation protocol: it is used to communicate permission choices between web-enabled apps and APIs. It is widely used to let websites, online services, and applications obtain user information that the user has approved. The user grants the services access to that information without having to hand those services their user credentials, such as passwords.
Applications that enable third-party login typically ask the user to authenticate by offering options such as “Login With Facebook” or “Login With Google”, allowing the user to sign in with the credentials of that third-party service. The service then issues an access token to the requesting application, proving the identity of the person seeking access. The token is then used to make requests for the user’s desired resources.
Working: Assume a user has previously registered with one website or service (OAuth only works over HTTPS). The user then begins a feature or transaction that requires access to a different site or service. The following occurs (greatly simplified):
- The first website uses OAuth to connect to the second website on behalf of the user, revealing the user’s confirmed identity.
- The second site creates a one-time token and a one-time secret that are specific to the transaction and the parties involved.
- The first site sends this token and secret to the client software of the initiating user.
- The client’s program presents the request token and secret to the authorization provider (which may or may not be the second site).
- If the user has not previously authenticated with the authorization provider, they may be prompted to do so. After authenticating, the user is prompted to approve the authorization transaction with the second website.
- The first website sends the access token to the second website as proof of authentication on behalf of the user.
- The second website allows the first website to access its site on the user’s behalf.
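The steps above, as an added Python model that is not part of the original article: the provider issues a one-time request token and secret bound to a client and scope, consumes it when the user approves, and the resource side checks that the resulting access token is live, belongs to the calling client and carries the needed scope. The class and function names, the client id, and the user "alice" are assumptions constructed for this example.

```python
import secrets
import time

USER_PROFILES = {"alice": {"name": "Alice", "email": "alice@example.test"}}  # constructed sample data


class AuthorizationProvider:
    """The 'second site' in the steps above: issues one-time request tokens and access tokens."""

    def __init__(self):
        self.request_tokens = {}  # request token -> the transaction it was issued for
        self.access_tokens = {}   # access token -> which client may use it, for whom, for what

    def issue_request_token(self, client_id, scope):
        # A one-time token and secret, specific to this client and the requested scope.
        token, secret = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
        self.request_tokens[token] = {"client": client_id, "scope": set(scope), "secret": secret}
        return token, secret

    def authorize(self, token, secret, client_id, user, approved):
        # The request token is consumed on first use, so a replayed token is rejected.
        tx = self.request_tokens.pop(token, None)
        if tx is None or tx["client"] != client_id or not secrets.compare_digest(tx["secret"], secret):
            raise PermissionError("unknown, replayed or mismatched request token")
        if not approved:
            raise PermissionError("user denied the authorization request")
        access = secrets.token_urlsafe(24)
        self.access_tokens[access] = {"client": client_id, "user": user,
                                      "scope": tx["scope"], "expires": time.time() + 3600}
        return access

    def introspect(self, access, client_id, needed_scope):
        # The resource side checks the token is live, bound to this client and covers the scope.
        grant = self.access_tokens.get(access)
        if grant is None or grant["expires"] < time.time() or grant["client"] != client_id:
            raise PermissionError("invalid or expired access token")
        if needed_scope not in grant["scope"]:
            raise PermissionError("token lacks scope " + needed_scope)
        return grant["user"]


def read_profile(provider, access, client_id):
    # Protected resource: only a token carrying profile:read reveals the user's profile.
    user = provider.introspect(access, client_id, "profile:read")
    return USER_PROFILES[user]


def run_flow(provider, client_id, scope, user="alice", approved=True):
    # Runs the delegation steps end to end and returns the profile the client obtained.
    token, secret = provider.issue_request_token(client_id, scope)
    access = provider.authorize(token, secret, client_id, user, approved)
    return read_profile(provider, access, client_id)
```

Note that the client never sees the user's password: it only ever holds tokens scoped to what the user approved.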
OAuth is not the first authentication/authorization mechanism to act in this manner on the end user’s behalf. In reality, several authentication systems, most notably Kerberos, operate in a similar manner. What makes OAuth unique is its ability to function across the web and its widespread usage. It succeeded in terms of adoption where earlier initiatives had failed (for various reasons).
There are three components in the OAuth mechanism:
- OAuth Provider: This is the OAuth provider like Google, Facebook, etc.
- OAuth Client: This is the website where we share or authenticate the use of our information, for example GeeksforGeeks.com.
- Owner: The user whose login validates information sharing.
Note: For “Login/Sign Up with Google” on a web app, OAuth may be enabled using the Google Console.
- An OAuth 2.0 Client ID may be obtained via the Google API Console.
- Then, to use the API, obtain an access token from the Google Authorization Server.
- Send the request to the API along with the access token.
- If access is needed for longer than the access token lasts, obtain a refresh token.