Milan Karajovic

๐—ข๐—”๐˜‚๐˜๐—ต๐Ÿฎ.๐Ÿฌ โ€” ๐—ฆ๐—ถ๐—บ๐—ฝ๐—น๐—ฒ, ๐—ณ๐˜‚๐—ป๐—ป๐˜† ๐—ฒ๐˜…๐—ฝ๐—น๐—ฎ๐—ป๐—ฎ๐˜๐—ถ๐—ผ๐—ป ๐—ณ๐—ผ๐—ฟ ๐—ฒ๐˜ƒ๐—ฒ๐—ฟ๐˜†๐—ฏ๐—ผ๐—ฑ๐˜†

๐—ข๐—”๐˜‚๐˜๐—ต ๐Ÿฎ.๐Ÿฌ ๐—ถ๐˜€ ๐˜๐—ต๐—ฒ ๐—ถ๐—ป๐—ฑ๐˜‚๐˜€๐˜๐—ฟ๐˜†-๐˜€๐˜๐—ฎ๐—ป๐—ฑ๐—ฎ๐—ฟ๐—ฑ ๐—ฝ๐—ฟ๐—ผ๐˜๐—ผ๐—ฐ๐—ผ๐—น ๐—ณ๐—ผ๐—ฟ ๐—ฎ๐˜‚๐˜๐—ต๐—ผ๐—ฟ๐—ถ๐˜‡๐—ฎ๐˜๐—ถ๐—ผ๐—ป, ๐—ฒ๐—ป๐—ฎ๐—ฏ๐—น๐—ถ๐—ป๐—ด ๐—ฎ๐—ฝ๐—ฝ๐˜€ ๐˜๐—ผ ๐—ฎ๐—ฐ๐—ฐ๐—ฒ๐˜€๐˜€ ๐˜‚๐˜€๐—ฒ๐—ฟ ๐—ฟ๐—ฒ๐˜€๐—ผ๐˜‚๐—ฟ๐—ฐ๐—ฒ๐˜€ ๐˜€๐—ฒ๐—ฐ๐˜‚๐—ฟ๐—ฒ๐—น๐˜† ๐˜„๐—ถ๐˜๐—ต๐—ผ๐˜‚๐˜ ๐˜€๐—ต๐—ฎ๐—ฟ๐—ถ๐—ป๐—ด ๐—ฝ๐—ฎ๐˜€๐˜€๐˜„๐—ผ๐—ฟ๐—ฑ๐˜€. Itโ€™s what powers โ€œLogin with Google/Facebookโ€ and similar flows, giving apps limited, consented access to your data.

Goal: implement OAuth2 security for an application.

Which parties are involved?

• Resource Owner: the user who uses our public client application

• Public Client: the public client application

• Resource Server: the server that holds the protected data

• Resources: the protected data

• Authorization Server: the server that issues access tokens for secure communication


OAuth2.0 Scheme Explanation

(1) I want to access my resources.

(2) Tell the Authorization Server that you are fine with this action.

(3) (3.1) & (3.2) Hello Authorization Server, please allow the client to access my resources. Here are my credentials to prove my identity, plus the code challenge generated by the client application along with the client id.

(4) Hey Client, the User allowed you to access his resources. Here is the AUTHORIZATION CODE.

(5) Here are my client id, code verifier and AUTHORIZATION CODE. Please provide me a token.

(6) Here is the token from the Authorization Server.

(7) Hey Resource Server, I want to access the user's resources. Here is the token from the Authorization Server.

(8) The Resource Server validates the token with the Authorization Server.

(9) The Authorization Server validates the token.

(10) Hey Client, your token was validated successfully. Here are the resources you requested.
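To make the ten steps concrete, here is an added example that simulates the three parties in plain Python; it is not code from the original post or from any OAuth library, and every class name, the user "alice" with her credentials, the client id and the sample resources are constructed for illustration. The public client generates a PKCE code verifier and its S256 code challenge, the authorization server authenticates the user and binds the single-use authorization code to that challenge, the token endpoint only redeems the code when the verifier hashes to the stored challenge, and the resource server validates the opaque token with the authorization server before handing out data.

```python
import base64
import hashlib
import secrets
import time

# Constructed example: every class, name and value below is an assumption for
# illustration, not code from the original post or from any OAuth library.


def b64url(data: bytes) -> str:
    """Base64url without padding, as PKCE (RFC 7636) specifies."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


class PublicClient:
    """A public client (mobile or single-page app) has no client secret, so PKCE
    binds the authorization code to the client instance that started the flow."""

    def __init__(self, client_id: str):
        self.client_id = client_id
        self.code_verifier = None

    def start_authorization(self) -> dict:
        # 32 random bytes -> 43-char verifier, inside the 43..128 range PKCE allows
        self.code_verifier = b64url(secrets.token_bytes(32))
        challenge = b64url(hashlib.sha256(self.code_verifier.encode("ascii")).digest())
        # Steps (2)/(3): parameters the client sends when redirecting the user
        return {"client_id": self.client_id, "code_challenge": challenge,
                "code_challenge_method": "S256"}

    def exchange_code(self, auth_server, code: str) -> str:
        # Step (5): client id + authorization code + code verifier -> token (step 6)
        return auth_server.token(self.client_id, code, self.code_verifier)


class AuthorizationServer:
    def __init__(self):
        self._users = {"alice": "correct horse battery staple"}  # constructed credentials
        self._pending = {}  # authorization code -> (client_id, code_challenge, subject)
        self._tokens = {}   # opaque access token -> (subject, expiry timestamp)

    def authorize(self, username, password, client_id, code_challenge,
                  code_challenge_method) -> str:
        # Steps (3.1)/(3.2)/(4): user proves identity; server records the challenge
        # and hands back a single-use authorization code
        if code_challenge_method != "S256" or self._users.get(username) != password:
            raise PermissionError("authentication failed")
        code = secrets.token_urlsafe(24)
        self._pending[code] = (client_id, code_challenge, username)
        return code

    def token(self, client_id, code, code_verifier) -> str:
        # Steps (5)/(6): pop() makes the code single-use; the verifier must hash
        # to the challenge recorded at authorization time
        entry = self._pending.pop(code, None)
        if entry is None:
            raise PermissionError("unknown or already used authorization code")
        expected_client, challenge, subject = entry
        recomputed = b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())
        if client_id != expected_client or not secrets.compare_digest(recomputed, challenge):
            raise PermissionError("PKCE verification failed")
        access_token = secrets.token_urlsafe(32)  # opaque: meaningless without the server
        self._tokens[access_token] = (subject, time.time() + 300)  # short-lived, 5 min
        return access_token

    def introspect(self, access_token) -> dict:
        # Step (9): the authorization server validates the token (RFC 7662 style)
        subject, expiry = self._tokens.get(access_token, (None, 0.0))
        if subject is None or time.time() >= expiry:
            return {"active": False}
        return {"active": True, "sub": subject}


class ResourceServer:
    def __init__(self, auth_server):
        self._auth = auth_server
        self._data = {"alice": ["photo1.jpg", "photo2.jpg"]}  # constructed resources

    def get_resources(self, access_token) -> list:
        # Steps (7)/(8)/(10): do not trust the token itself, ask the issuer
        info = self._auth.introspect(access_token)
        if not info["active"]:
            raise PermissionError("invalid token")
        return self._data.get(info["sub"], [])


def run_flow(password="correct horse battery staple", verifier_override=None) -> list:
    """Run steps (1)-(10) end to end. verifier_override simulates a party that
    captured the authorization code but never held the client's verifier."""
    auth, client = AuthorizationServer(), PublicClient("my-public-app")
    api = ResourceServer(auth)
    request = client.start_authorization()               # steps (1)-(2)
    code = auth.authorize("alice", password, **request)  # steps (3)-(4)
    if verifier_override is not None:
        client.code_verifier = verifier_override
    token = client.exchange_code(auth, code)             # steps (5)-(6)
    return api.get_resources(token)                      # steps (7)-(10)
```

Running `run_flow()` returns alice's resources; the same call with a wrong password, with a verifier that does not match the challenge, or with an authorization code that was already redeemed raises `PermissionError`. That last property is the point of PKCE for public clients: the authorization code alone, which travels through a browser redirect, is useless without the verifier that never left the client.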

Common formats of OAuth Tokens

Access Token

  • An access token is a credential issued by the Authorization Server
    after a client successfully authenticates and obtains authorization.

  • It represents the client's permission to access protected resources on
    a Resource Server (API).

  • Tokens are usually short-lived to reduce the risk if they are compromised.

Opaque and JWT tokens

  • Opaque Tokens (random strings with no inherent meaning)

  • JWT (JSON Web Token) Tokens (self-contained, digitally signed tokens that carry claims)

Comparison of JWT and Opaque Tokens

Which to use?

  • Use opaque tokens when revocation and centralized control
    are critical (internal enterprise systems, sensitive data).

  • Use JWT tokens when performance and scalability matter
    (public APIs, microservices).
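The trade-off described in the two token sections above, as an added example that is not part of the original post: a minimal HS256 JWT issuer and verifier next to an opaque-token store, both built only from the Python standard library. The `JwtIssuer`, `OpaqueTokenStore` and `compare_revocation` names are assumptions made for this illustration, and production code should rely on a maintained JWT library rather than this hand-rolled one. The JWT is validated locally from its signature and `exp` claim with no round trip, which is the performance and scalability win; the opaque token is validated by a lookup at the issuer, which is what makes centralized revocation immediate.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed example, not from the original post: a minimal HS256 JWT issuer and
# verifier beside an opaque-token store, so the revocation/performance trade-off
# can be observed. Production code should use a maintained JWT library instead.


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class JwtIssuer:
    """Self-contained tokens: any holder of the key validates them locally."""

    def __init__(self, key: bytes):
        self._key = key

    def _sign(self, signing_input: str) -> bytes:
        return hmac.new(self._key, signing_input.encode("ascii"), hashlib.sha256).digest()

    def issue(self, subject: str, ttl_seconds: int, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        header = {"alg": "HS256", "typ": "JWT"}
        payload = {"sub": subject, "iat": int(now), "exp": int(now + ttl_seconds)}
        signing_input = ".".join(
            _b64url(json.dumps(part, separators=(",", ":")).encode("utf-8"))
            for part in (header, payload))
        return signing_input + "." + _b64url(self._sign(signing_input))

    def verify(self, token: str, now: Optional[float] = None) -> Optional[dict]:
        """Claims if signature and expiry check out, else None. No network round trip."""
        now = time.time() if now is None else now
        parts = token.split(".")
        if len(parts) != 3:
            return None
        header_b64, payload_b64, sig_b64 = parts
        try:
            header = json.loads(_b64url_decode(header_b64))
            signature = _b64url_decode(sig_b64)
        except (ValueError, UnicodeDecodeError):
            return None
        # The verifier, not the token, fixes the algorithm; never honour "alg": "none"
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        if not hmac.compare_digest(self._sign(f"{header_b64}.{payload_b64}"), signature):
            return None
        claims = json.loads(_b64url_decode(payload_b64))
        if now >= claims.get("exp", 0):
            return None
        return claims


class OpaqueTokenStore:
    """Random strings with no meaning; every check is a lookup at the issuer."""

    def __init__(self):
        self._active = {}  # token -> (subject, expiry timestamp)

    def issue(self, subject: str, ttl_seconds: int, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._active[token] = (subject, now + ttl_seconds)
        return token

    def revoke(self, token: str) -> None:
        self._active.pop(token, None)  # centralized control: gone for every caller at once

    def introspect(self, token: str, now: Optional[float] = None) -> dict:
        now = time.time() if now is None else now
        subject, exp = self._active.get(token, (None, 0.0))
        return {"active": subject is not None and now < exp, "sub": subject}


def compare_revocation() -> dict:
    """Issue one token of each kind, revoke both, and report which still validates."""
    key = secrets.token_bytes(32)
    jwt_issuer, store = JwtIssuer(key), OpaqueTokenStore()
    jwt_token = jwt_issuer.issue("alice", 3600)
    opaque_token = store.issue("alice", 3600)
    store.revoke(opaque_token)
    # A JWT has no server-side record to delete: until exp it verifies everywhere.
    return {"jwt_valid_after_revocation": jwt_issuer.verify(jwt_token) is not None,
            "opaque_valid_after_revocation": store.introspect(opaque_token)["active"]}
```

`compare_revocation()` reports the JWT as still valid after "revocation" and the opaque token as inactive, which is the practical consequence of the "which to use" advice: JWT lifetimes should be kept short (or paired with a server-side denylist) because the only thing that ends a signed token's validity is its `exp` claim, while an opaque token can be killed centrally at any moment at the price of one introspection call per request.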

Major OAuth providers

๐Œ๐ข๐ฅ๐š๐ง ๐Š๐š๐ซ๐š๐ฃ๐จ๐ฏ๐ขฤ‡

๐๐จ๐ซ๐ญ๐Ÿ๐จ๐ฅ๐ข๐จ: https://milan.karajovic.rs

๐…๐จ๐ฅ๐ฅ๐จ๐ฐ ๐ฆ๐ž on ๐‹๐ข๐ง๐ค๐ž๐๐ˆ๐ง: https://lnkd.in/e3cH854Q
