OAuth History and Structure

-

 OAuth, or open authorization, is a widely adopted authorization framework that allows you to consent to an application interacting with another on your behalf without having to reveal your password.

The main purpose of this protocol was to enable users to define user credentials to a central system/application (for example, Google) and to enable other applications using this protocol to perform relevant transactions using only the necessary information of the users.

In this way, ,OAuth 2.0 was filled the missing Authorization part of the OpenID protocol with a token based structure. Then, Later an identity layer called OIDC (OpenID Connect) developed on the OAuth 2.0 Framework was added and thus Authentication processes were defined within a standard.

OAuth 2.0 Structure

OAuth 2.0 Structure

In the above picture, you can see the base structure of OAuth 2.0.


  • In the most basic sense, when we as a user (Resource Owner) want to access our own data, we enter the relevant website (Client) and send a request to the relevant URL. The relevant website communicates with the Authorization Server to query whether we have access to that resource. As a result, the relevant server indicates that we have authorization. We reach the information we want to access as a result that returned by the Resource Server.

  • OAuth 2.0 offers different types of Authorization Flows according to different usage conditions and these flows are named as follows.
    • Authorization Code Flow
    • Implicit Flow
    • Resource Owner Password Credential Flow
    • Client Credential Flow



1-) Authorization Request

Authorization Request

  • If we examine the related request, we can see that we passed a query parameter named "client_id". This "client_id" represents our application defined within the OAuth 2.0 protocol. In other word, it's a value that identifies the relevant application. The "scope" parameter specifies the scope of the relevant authorization. In other words, the user is only allowed to see the relevant information in the resource and profile scope above. User can't access any other part of the application (e.g. delete contact) by using the generated token.


  • "Redirect_uri" represents the URL where the application we are using will get and use the relevant token.


  • The most important parameter here, the "response_type" parameter, shows which flow the request will be made with. (“code” for Authorization Code Flow)


2-) Authorization Response

After the Authorization Server ensure that the relevant request is valid and in the correct format as well, it sends a GET request with the Authorization Code to the relevant callback url (redirect_uri) specified in the request.

Authorization Response

3-) Token Request

After obtaining the Authorization Code, a token request is made by using the relevant Authorization Code to obtain a Access Token. (Token exchange => Authorization Code ↔ Access Token)

Token Request

  • As can be seen in this request, Authorization Code is specified as the grant_type and if this request is successful Authorization Server redirects us to the route specified in the "redirect_uri" parameter.

4-) Token Response

If the "Token Request" we made in the third step is successful, a similar response returns as below and can be used by the Client (the application we want to use).

Token Response

  • Now, with this "access_token" the user can access its own data from Resource Server through the Client.

  • Here, if the "refresh_token" is also returned as a result of the request, when the "access_token" expires, a request can be made to renew the related "access_token" with this token

Comments

Post a Comment

Popular posts from this blog

Email Sending through O365 using OAuth Protocol

-
  Microsoft Office365 EWS servers have been extended to support authorization via the industry-standard OAuth 2.0 protocol. Using OAUTH protocol, user can do authentication by Microsoft Web OAuth instead of inputting user and password directly in application Microsoft / Office 365 OAuth + EWS We can use the OAuth authentication service provided by Azure Active Directory to enable our application to connect with IMAP, POP or SMTP protocols to access Exchange Online in Office 365. To use OAuth with our application we need to register application on Azure Active directory and other steps also we need to do to get the access token back. Below are the steps   To use Microsoft/Office365 OAUTH in your application, you must create an application in  https://portal.azure.com . Sign into the Azure portal using either a work or school account or a personal Microsoft account. If your account gives you access to more than one tenant, select your account in the top right corn
Read more

IISRESET vs App Pool Recycling ?

-
Image
 I think most IIS administrators know IISRESET command, and why they use it. One of possible reasons can be to restart IIS services to initialize web applications, or to apply some changes of applications & IIS settings .There’re just a few conditions those need your IISRESET command. In most situations, you don’t need this. I have a concern if you always run this command for applying any changes, or release system resource – memory – regularly, or frequently. Because it’s much more cost than what you really need to take – there’re side effects Recycling App Pool’ has been introduced from IIS6 in Windows2003. It’s designed to restart only application pools(=worker processes). It can be done in a command prompt(run ‘IISAPP /?’ in a command prompt for details), as well as in the IIS manager What IISRESET does? When you run IISRESET, many things will happen. In order to understand them, I think I need to show you how IIS looks like – about IIS core components. The below shows you role
Read more

Deploy .Net6.0 Web api with docker

-
Image
  What is Docker? Docker is a containerization platform, meaning that it enables you to package your applications into images and run them as “containers” on any platform that can run Docker. It negates the classic: “It works on my computer” argument as Docker images contain everything needed for the app to run. Are Containers the same as Virtual Machines? They are similar, but not the same. In short: Virtual Machines provide OS Level Virtualization Containers provide App Level Virtualization This concept is depicted below: Why Would You Use it? In short you would use Docker, (and hence containers), for the following reasons: Portability.  As containers are self- contained  they can run on any platform that runs Docker, making them easy to stand up and run on a wide variety of platforms. Scalability.  With the use of additional “orchestration” you can spin up multiple container instances to support increased load. Performance.  Containers generally perform better than their VM counterp
Read more