OAuth 2.0 Explained in Simple Words: Basic Understanding

OAuth 2.0: what is it?

  1. The client requests authorization from the resource owner.
  2. The client receives an authorization grant.
  3. The client requests an access token from the authorization server by authenticating itself and presenting the authorization grant.
  4. The authorization server verifies the client by checking the authorization grant and, if it’s valid, issues an access token and refresh token.
  5. The client requests a protected resource from the provider (the resource server) and authenticates by presenting the access token.
  6. The provider checks the access token and, if valid, serves the request.
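The six steps above, run end to end as an added example that is not code from the original article: an in-memory model of an authorization server, a resource server and a client exchanging an authorization code for an access token and a refresh token. Every name and value in it (the client id and secret, the redirect URI, the `profile` scope, the token lifetimes) is constructed for illustration, and the tokens are opaque random strings whose state lives on the authorization server. It also shows the renewal that the refresh token exists for: when the access token expires, the refresh token buys a new pair without sending the user back through step 1.

```python
# Added example, not code from the original article: an in-memory model of the
# six-step authorization-code flow. All identifiers and values are constructed.
import secrets


class FakeClock:
    """Stand-in for time.time() so expiry can be shown without sleeping."""
    def __init__(self, start=1_700_000_000.0):
        self.now = start
    def __call__(self):
        return self.now


class AuthorizationServer:
    """Issues grants and tokens; token state lives here, so tokens stay opaque."""
    def __init__(self, clock, access_ttl=3600, refresh_ttl=30 * 24 * 3600):
        self.clock, self.access_ttl, self.refresh_ttl = clock, access_ttl, refresh_ttl
        self.clients = {}         # client_id -> (client_secret, redirect_uri)
        self.codes = {}           # code -> (client_id, user, scope, expiry)
        self.access_tokens = {}   # token -> (client_id, user, scope, expiry)
        self.refresh_tokens = {}  # token -> (client_id, user, scope, expiry)

    def register_client(self, client_id, client_secret, redirect_uri):
        self.clients[client_id] = (client_secret, redirect_uri)

    # Steps 1-2: the resource owner approves and the client receives a
    # short-lived, single-use authorization code as its grant.
    def authorize(self, client_id, redirect_uri, user, scope):
        if redirect_uri != self.clients[client_id][1]:
            raise PermissionError("redirect_uri does not match registration")
        code = secrets.token_urlsafe(32)
        self.codes[code] = (client_id, user, scope, self.clock() + 60)
        return code

    # Steps 3-4: the client authenticates with its secret and trades the grant
    # (an authorization code, or later a refresh token) for a new token pair.
    def token(self, client_id, client_secret, grant_type, **params):
        registered = self.clients.get(client_id)
        if registered is None or not secrets.compare_digest(client_secret, registered[0]):
            raise PermissionError("invalid_client")
        if grant_type == "authorization_code":
            record = self.codes.pop(params["code"], None)                    # single use
        elif grant_type == "refresh_token":
            record = self.refresh_tokens.pop(params["refresh_token"], None)  # rotated
        else:
            raise ValueError("unsupported_grant_type")
        if record is None or record[0] != client_id or record[3] < self.clock():
            raise PermissionError("invalid_grant")
        return self._issue(client_id, record[1], record[2])

    def _issue(self, client_id, user, scope):
        now = self.clock()
        access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.access_tokens[access] = (client_id, user, scope, now + self.access_ttl)
        self.refresh_tokens[refresh] = (client_id, user, scope, now + self.refresh_ttl)
        return {"access_token": access, "refresh_token": refresh,
                "token_type": "Bearer", "expires_in": self.access_ttl}

    # Step 6: the resource server asks whether a presented token is still valid.
    def introspect(self, token):
        record = self.access_tokens.get(token)
        if record is None or record[3] < self.clock():
            return None
        return {"user": record[1], "scope": record[2]}


class ResourceServer:
    """Serves protected data only to requests carrying a valid Bearer token."""
    def __init__(self, auth_server):
        self.auth = auth_server
        self.profiles = {"alice": {"email": "alice@example.test"}}  # constructed data

    # Steps 5-6: parse the Authorization header, validate the token, check scope.
    def get_profile(self, authorization_header):
        scheme, _, token = authorization_header.partition(" ")
        info = self.auth.introspect(token) if scheme == "Bearer" else None
        if info is None:
            return 401, {"error": "invalid_token"}
        if "profile" not in info["scope"].split():
            return 403, {"error": "insufficient_scope"}
        return 200, self.profiles[info["user"]]


def run_flow():
    """Walk the whole flow; returns the statuses seen and the result of replaying the code."""
    clock, secret = FakeClock(), "constructed-client-secret"
    auth = AuthorizationServer(clock)
    auth.register_client("app123", secret, "https://app.example.test/cb")
    api = ResourceServer(auth)
    code = auth.authorize("app123", "https://app.example.test/cb", "alice", "profile")
    tokens = auth.token("app123", secret, "authorization_code", code=code)
    fresh = api.get_profile("Bearer " + tokens["access_token"])[0]
    clock.now += 3601                     # the access token lifetime passes
    expired = api.get_profile("Bearer " + tokens["access_token"])[0]
    renewed = auth.token("app123", secret, "refresh_token", refresh_token=tokens["refresh_token"])
    after_refresh = api.get_profile("Bearer " + renewed["access_token"])[0]
    try:                                  # the code was consumed; replaying it must fail
        auth.token("app123", secret, "authorization_code", code=code)
        replay = "accepted"
    except PermissionError:
        replay = "rejected"
    return fresh, expired, after_refresh, replay
```

Two design choices worth noticing: the authorization code and the refresh token are both popped from storage when used, so a stolen copy presented a second time is refused with `invalid_grant`; and the client secret is compared with `secrets.compare_digest`, so the check does not leak timing information about how many characters matched.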

Why do we need a refresh token at all?

What are OAuth 2.0 advantages and disadvantages?

Advantages:

  • Resources are accessed over HTTP/HTTPS with the token carried in a request header, so OAuth can be used in almost any kind of solution: mobile and desktop applications, websites, and even browser plug-ins.
  • Capability to authorize a user.
  • Popularity: most companies use OAuth in their APIs.
  • Simplicity of implementation, and a large amount of manuals and reference materials.
  • Availability of ready-made solutions that can be adapted to fit your needs.

Disadvantages:

  • There is no common format; as a result, each service requires its own implementation.
  • During user verification you sometimes have to make additional requests just to get minimal user information. This can be solved with a JWT, but not all services support it.
  • When a token is stolen, an attacker gains access to the protected data for a while. To minimize this risk, a signed token can be used.

Some words about JWT

Conclusion
