APIs: What is OAuth 2.0

OAuth 2.0 is an open standard for authorization that enables third-party applications to access a user's protected resources without the need for the user to reveal their credentials. It provides a secure and flexible way for a user to grant access to their resources, such as an email account or a social media profile, to a client application.

OAuth 2.0 provides a framework for authorization, but it does not define how the client application should access the protected resource. The client application must use the appropriate API or protocol provided by the resource server to access the protected resource.

The main components of OAuth 2.0 are the client application, the resource server, and the authorization server. The client application makes requests to the resource server on behalf of the user, using an access token obtained from the authorization server. The authorization server is responsible for issuing access tokens and for verifying the identity of the user and the client application.

OAuth 2.0 supports several grant types, including authorization code, implicit, password, and client credentials, which determine the flow and the information exchanged between the client application, the resource server, and the authorization server.

The steps involved in the OAuth 2.0 authorization code grant flow are as follows:

  1. The user requests access to their protected resource by clicking on a "Login with OAuth" button or a similar mechanism on the client application.
  2. The client application redirects the user to the authorization server with a request for authorization. The request includes the client ID, a redirect URI, the scope of the requested access, and the response type set to "code".
  3. The user logs in to the authorization server and grants the requested authorization to the client application.
  4. The authorization server redirects the user back to the client application with an authorization code in the query string of the redirect URI.
  5. The client application makes a request to the authorization server's token endpoint to exchange the authorization code for an access token. The request includes the client ID, client secret, the authorization code, the redirect URI, and the grant type set to "authorization_code".
  6. The authorization server returns an access token and a refresh token to the client application.
  7. The client application uses the access token to make requests to the protected resource on behalf of the user.
  8. If the access token expires, the client application can use the refresh token to obtain a new access token from the authorization server.

The steps involved in the OAuth 2.0 client credentials grant flow are as follows:

  1. The client application requests access to the protected resource by sending a request to the authorization server's token endpoint.
  2. The request includes the client ID, client secret, and the grant type set to "client_credentials".
  3. The authorization server authenticates the client application and verifies that it has the necessary permissions to access the requested resources.
  4. The authorization server returns an access token to the client application.
  5. The client application uses the access token to make requests to the protected resource on its own behalf, without the involvement of a user.
  6. If the access token expires, the client application can request a new access token using the same flow.

In this grant flow, the client application is not acting on behalf of a specific user, and does not need to interact with the user for authorization. Instead, the client is granted access to the protected resource based on its own credentials. This grant type is commonly used for server-to-server communication, where the client application is a backend service or an application that runs on a server.
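As an added example (not code from the original post), here are the two grant flows above modelled against a hypothetical in-memory authorization server so that everything runs offline: the `AuthorizationServer` class, the client id `web-app`, its secret, redirect URI and scopes are all constructed values. Beyond the listed steps it shows the checks a real token endpoint and client perform: client authentication, redirect_uri matching, single-use codes, scope limits, and the client's `state` check on the redirect back.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

class AuthorizationServer:  # hypothetical in-memory stand-in for a real provider (constructed)
    def __init__(self):
        self.clients = {"web-app": {"secret": "s3cret", "redirect_uri": "https://app.example/cb",
                                    "scopes": {"courses:read", "hotels:read"}}}
        self.codes, self.tokens = {}, {}  # code -> (client_id, redirect_uri, user, scope); token -> claims

    def authorize(self, client_id, redirect_uri, scope, state, user):
        # Steps 2-4: the user has logged in and consented; the code is bound to client and redirect_uri
        c = self.clients.get(client_id)
        if c is None or redirect_uri != c["redirect_uri"]:
            raise ValueError("unknown client or redirect_uri mismatch")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, redirect_uri, user, scope)
        return f"{redirect_uri}?{urlencode({'code': code, 'state': state})}"

    def token(self, form):
        # Step 5 (or client-credentials step 1): authenticate the client, then redeem the grant
        c = self.clients.get(form.get("client_id"))
        if c is None or not secrets.compare_digest(c["secret"], form.get("client_secret", "")):
            return {"error": "invalid_client"}
        if form.get("grant_type") == "authorization_code":
            entry = self.codes.pop(form.get("code"), None)  # codes are single use
            if entry is None or entry[0] != form["client_id"] or entry[1] != form.get("redirect_uri"):
                return {"error": "invalid_grant"}
            sub, scope = entry[2], entry[3]
        elif form.get("grant_type") == "client_credentials":
            sub, scope = form["client_id"], form.get("scope", "")  # no user involved
        else:
            return {"error": "unsupported_grant_type"}
        if not set(scope.split()) <= c["scopes"]:
            return {"error": "invalid_scope"}
        tok = secrets.token_urlsafe(24)
        self.tokens[tok] = {"sub": sub, "scope": scope}
        return {"access_token": tok, "token_type": "Bearer", "expires_in": 3600}

def authorization_code_flow(srv, user="alice"):
    state = secrets.token_urlsafe(8)  # client-side CSRF binding, verified on the redirect back
    redirect = srv.authorize("web-app", "https://app.example/cb", "courses:read", state, user)
    q = parse_qs(urlparse(redirect).query)
    if q["state"][0] != state:
        raise ValueError("state mismatch")
    return srv.token({"grant_type": "authorization_code", "code": q["code"][0], "client_id": "web-app",
                      "client_secret": "s3cret", "redirect_uri": "https://app.example/cb"})

def client_credentials_flow(srv, scope="hotels:read"):
    return srv.token({"grant_type": "client_credentials", "client_id": "web-app",
                      "client_secret": "s3cret", "scope": scope})
```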

In layman's terms

Steps involved in OAuth 2.0 with grant_type = authorization_code

Ex. Get courses for a particular user

  1. The user signs in via the Google authorization server and gets an authorization code: click the "Login with Google" button, provide credentials, and read the authorization code manually from the redirect URL.
  2. The application uses this code to call the Google resource server and get the access_token, first name, last name and email: get the access token by providing the query params authorization code, client_id, client_secret, redirect_uri and grant_type.
  3. The application grants access to the user by validating the access token: call the API that returns the courses for that person, making one GET request with the access token as a query param.

Steps involved in OAuth 2.0 with grant_type = client_credentials

Ex. Get hotel suggestions after we book a flight

  1. The application calls the resource server to get the access_token, first name, last name and email: get the access token by providing the query params client_id, client_secret, scope and grant_type.
  2. The application grants access to the user by validating the access token: call the API that returns the hotel list, sending the flight amount details, making one GET request with the access token as a query param.