After few days of confusion around this topic, I finally decided to put together my understanding about Oauth2 and OpenId Connect. This may help give you a basic understanding and overview of the basic terminology and flow.
Thanks to Nate Barbettini for his wonderful sessions on Oauth and OIDC. One sample url below -
https://www.youtube.com/watch?v=996OiexHze0
**Some of the diagrams in this document are from Nate's video
To start with, would like to mention couple of key things around OAuth and OIDC.
- OAuth is an authorization protocol and not recommended to directly use for Authentication.
- OIDC / OpenId Connect is an identity layer around OAuth to support authentication flow
Typical OAuth2.0 Flows -
- Authorization Code Flow (Involves front-end and back-end)
- Implicit Flow (purely client side)
- Resource Owner Password Credentials
- Client Credentials (purely server-side)
Will try to elaborate on the Authorization Code Flow and Implicit Flows in the next sections.
OAuth2.0 Authorization Code Flow
Below is a simple example of OAuth2.0 authorization code flow, with all the bold lines indicating the front-end flow and the dotted lines indicating the back-end server side invocations.
The flow also introduces some of the key terminology of OAuth protocol (Terminology in Blue and Bold). Flow Description -
- Client, which is the an entry point to the flow (eg: web browser), initiates authorization call to an Authorization server.
- As a part of Authorization request, a redirect uri (uri to be redirected after successful authorization, response type (whether the request is for a auth code or identify token, etc.) and scope of the data to be allowed with the authorization code are specified.
- Authorization server verifies the customer and redirects to a consent window, prompting the Resource Owner (end user) to review and provide consent for the server/application being used (eg: Yelp in this example) to access the profile and contacts.
- Once the resources owner provides the consent, the authorization server, redirects the request to the redirect uri/callback url with Authorization Code in response.
- The callback url typically initiates a process on server, which can use the authorization code to exchange for the scoped data.
- The server does exchange the Authorization code with the Authorization server to get the Access Token, which is required to query for the required data. This data exchange uses a secret key know to the back-end server and authorization server only so as to ensure the security of the application.
- Using the access token provided by Authorization server, the back-end server, queries the Resource Server (which is the source of Resource Owner's data) for relevant data.
Samples based on Google Authorization Server.
Authorization Request -
https://accounts.google.com/o/oauth2/v2/auth?
scope=profile&
access_type=offline&
include_granted_scopes=true&
response_type=code&
state=state_parameter_passthrough_value&
redirect_uri=https%3A//oauth2.example.com/code&
client_id=client_id
Authorization Code Response -
https://oauth2.example.com/auth?code=4/P7q7W91a-oMsCeLvIaQm6bTrgtp7
Exchange Request for Access Token -
POST /token HTTP/1.1
Host: oauth2.googleapis.com
Content-Type: application/x-www-form-urlencoded
code=4/P7q7W91a-oMsCeLvIaQm6bTrgtp7&
client_id=your_client_id&
client_secret=your_client_secret&
redirect_uri=https%3A//oauth2.example.com/code&
grant_type=authorization_code
Sample Token Response -
{
"access_token": "1/fFAGRNJru1FTz70BzhT3Zg",
"expires_in": 3920,
"token_type": "Bearer",
"scope": "https://www.googleapis.com/auth/drive.metadata.readonly",
"refresh_token": "1//xEoDL4iW3cxlI7yDbSRFYNG01kVKM2C-259HOF2aQbI"
}
Sample Request to Resource Server (Google Drive in this case) -
GET /drive/v2/files HTTP/1.1
Host: www.googleapis.com
Authorization: Bearer access_token
Detailed integration steps for a range of programming languages here - https://developers.google.com/identity/protocols/oauth2/web-server
