DEV Community

arimayuji
OAuth2.0

Hello! This is my first post, and it marks the beginning of a very important journey for me. I’m learning that writing about what I study is one of the best ways to consolidate new concepts. So, let’s dive together into the fascinating world of OAuth 2.0!

What is OAuth 2.0?

Contrary to what many initially think, OAuth 2.0 is not an authentication method, but rather an authorization protocol. This means it allows a service (like a website or app) to access resources on another service on your behalf without having to share your sensitive credentials, such as passwords.

For example, have you ever logged into a third-party app using your Google account? Here’s how it works, simplified:

  • Access Request: When you choose to register using your Google account, the third-party site requests access to Google.

  • Authorization: You authorize the third-party app to access certain information from your Google account.

  • Access Token: After authorization, Google issues an access token to the third-party site. This token acts as a secure credential that allows the site to access your approved information for a limited period. It is usually in JWT (JSON Web Token) format. If you want to know more about JWT, I can create a post about it.

  • Refresh Token: After authorization, Google also issues a refresh token to the third-party site. This token is used to renew the validity of the access token.

Behind the Scenes

When the third-party site receives the access token, it uses this token to request your information from Google’s resource server. The server verifies the token and, if it is valid, provides the requested information to the site. The refresh token is used to revalidate your access token so that you don’t have to go through this whole process every time. But remember that the refresh token isn’t forever!

The token itself is a key element — it is not a digital certificate but a secure string that grants temporary access. This ensures that your password remains private and reduces the risk of unauthorized access.

Importance of Scope

Defining the scope of access is crucial. The scope specifies exactly what information the third-party app is allowed to access and what actions it can perform with that access. For example, if you authorize an app to access your basic profile information, it shouldn’t be able to read your email unless explicitly permitted by the scope of authorization.
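
To make the token flow, the refresh step and the scope check concrete, here is a small in-memory model added as an example (it is not code from Google or from any OAuth library). It is simplified in the same way as the description above: it skips the browser redirect, the authorization code exchange and client authentication, and every class name, user and value in it is constructed.

```python
import secrets

class AuthorizationServer:
    """Toy stand-in for the provider (Google in the post); hypothetical class."""
    ACCESS_TTL = 300  # access token lifetime in seconds (constructed value)

    def __init__(self):
        self.access = {}   # access token -> (user, scopes, expires_at)
        self.refresh = {}  # refresh token -> (user, scopes)

    def _new_access(self, user, scopes, now):
        token = secrets.token_urlsafe(32)  # opaque, unguessable random string
        self.access[token] = (user, scopes, now + self.ACCESS_TTL)
        return token

    def authorize(self, user, approved_scopes, now):
        """The user consented: issue an access token and a refresh token."""
        scopes = frozenset(approved_scopes)
        refresh = secrets.token_urlsafe(32)
        self.refresh[refresh] = (user, scopes)
        return self._new_access(user, scopes, now), refresh

    def refresh_access(self, refresh_token, now):
        """Trade a refresh token for a new access token with the same scopes."""
        if refresh_token not in self.refresh:
            raise PermissionError("invalid or revoked refresh token")
        user, scopes = self.refresh[refresh_token]
        return self._new_access(user, scopes, now)

    def revoke(self, refresh_token):
        """The user withdrew consent: the refresh token stops working."""
        self.refresh.pop(refresh_token, None)

class ResourceServer:
    """Returns data only for a valid, unexpired, sufficiently scoped token."""
    DATA = {"profile": {"alice": "Alice A."},            # constructed sample data
            "email": {"alice": "alice@example.test"}}

    def __init__(self, auth_server):
        self.auth = auth_server

    def get(self, access_token, resource, now):
        entry = self.auth.access.get(access_token)
        if entry is None or now >= entry[2]:
            raise PermissionError("token invalid or expired")
        user, scopes, _ = entry
        if resource not in scopes:  # scope check: consent covers only what was approved
            raise PermissionError(f"scope '{resource}' not granted")
        return self.DATA[resource][user]
```

The clock is passed in as `now` so that expiry can be exercised without waiting. Note that the third-party site never sees a password at any point, only the two tokens.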

Visual Example

[Image: a diagram that describes the OAuth 2.0 process behind the scenes]

Conclusion

I hope this post has helped clarify what OAuth 2.0 is and how it works. It’s a fundamental concept in internet security today, facilitating a smooth and secure user experience by separating the authorization process from the user’s primary credentials.

Top comments (1)

Rajeev R. Sharma

Congratulations on your first post 👏. Wish you all the best in your journey.