OAuth 2 Introduction
OAuth 2, an open standard protocol for Authorization
OAuth 2 is an open standard protocol that allows applications to securely access a user's data without requiring the user to share their login credentials. It enables users to grant third-party applications access to their resources such as personal information, documents, and images stored on another app, without giving the third-party app access to their passwords or other sensitive information.
The OAuth 2 protocol works by separating the roles involved: the resource owner (the user), the client (the third-party application), the authorization server (which authenticates the user and issues tokens) and the resource server (which hosts the protected data and accepts tokens). When a client wants to access a user's resource, it redirects the user to the authorization server (e.g. the social media site's login and consent page) with a request naming the permissions it wants. The authorization server authenticates the user, asks for consent and, in the most common flow, sends the browser back to the client's registered redirect URI with a short-lived authorization code; the client exchanges that code for an access token on a back channel and then presents the token to the resource server. The client never sees the user's password; it only ever holds the token, which can be scoped and revoked independently of the password.
This protocol has become the standard way of implementing delegated authorization in modern web and mobile applications. It is used by services such as Google, Facebook and Twitter to expose their APIs to third-party developers. OAuth 2 on its own does not tell the application who the user is; OpenID Connect, a thin identity layer on top of OAuth 2, is what turns it into the "sign in with ..." login mechanism seen on many websites.
OAuth2 Principles
Long story short, here are some of the main principles of OAuth2:
Authorization, not authentication: OAuth2 lets a user grant a third-party application access to their resources without sharing their login credentials with it. The user is authenticated by the authorization server (e.g. the social media site's login page), never by the third-party application, and the application is then authorized to access the user's resources. The protocol says nothing about the user's identity; that is what OpenID Connect adds on top.
Token-based access: OAuth2 uses access tokens to authorize API requests. The authorization server issues the access token to the third-party application once the user has consented, and the application presents it to the resource server, typically as a Bearer token in the Authorization header. The resource server validates the token before serving the user's resources; a token that is missing, expired or revoked is rejected.
Scope-based authorization: the application asks for specific scopes, and the authorization server, with the user's consent, may grant all, some or none of them. Scopes bound what the token is good for (for example read-only access to photos but not to e-mail), and a client should read the scope field returned with the token rather than assume it got everything it asked for.
Separation of concerns: OAuth2 separates the roles of resource owner, client, authorization server and resource server. Credential handling is concentrated in the authorization server, the client only handles tokens and the resource server only validates them, which keeps each component small and lets them be operated by different parties.
Client Registration: OAuth2 requires third-party applications to register with the authorization server before they can request access. Registration fixes the client's identifier, its client type (confidential clients hold a secret; public clients such as single-page and mobile apps cannot keep one and rely on PKCE instead) and, most importantly, its exact redirect URIs: the authorization server only sends authorization codes to those URIs, so an attacker cannot have a user's code delivered to a site they control. Registration identifies a client; it does not by itself make the client trustworthy.
Overall, OAuth2 is designed to provide a secure and scalable way for third-party applications to access a user's resources without requiring the user to share their login credentials. By following these key principles, OAuth2 provides a powerful framework for building secure and scalable systems.
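To make the flow described in the introduction and the principles above concrete, here is an added example (not code from the original article) that simulates all four roles in one Python file, with no network traffic: a registered client walks through the authorization code flow with PKCE and a state parameter, the authorization server checks the redirect URI by exact match, narrows the requested scopes to what the client is allowed, issues a single-use code and only redeems it against a matching PKCE verifier, and the resource server enforces scope on the resulting bearer token. The client identifier, redirect URI, scope names and in-memory stores are all constructed for this example; the HTTP redirects and form posts are modelled as plain function calls.

```python
import base64
import hashlib
import secrets
import urllib.parse

# ---- Simulated authorization server (constructed for this example, no network) ----
# Client registration: client_id, its exact redirect URIs, and the scopes it may request.
REGISTERED_CLIENTS = {
    "demo-client": {
        "redirect_uris": {"https://client.example/callback"},
        "allowed_scopes": {"profile", "photos:read"},
    }
}
_pending_codes = {}   # authorization code -> what is needed to redeem it
_access_tokens = {}   # access token -> {"client_id", "scope"}


def s256_challenge(verifier: str) -> str:
    """PKCE (RFC 7636): code_challenge = BASE64URL(SHA256(code_verifier)), no padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def authorize(params: dict, user_consents: bool = True) -> str:
    """Authorization endpoint: authenticate the user (simulated), then redirect back to the client."""
    client = REGISTERED_CLIENTS.get(params.get("client_id"))
    if client is None:
        raise ValueError("unknown client_id")
    redirect_uri = params.get("redirect_uri")
    # Exact match against the registered URI. Prefix or wildcard matching would let an
    # attacker have the code delivered to a host they control.
    if redirect_uri not in client["redirect_uris"]:
        raise ValueError("redirect_uri not registered for this client")
    if params.get("response_type") != "code":
        raise ValueError("unsupported response_type")
    if params.get("code_challenge_method") != "S256" or not params.get("code_challenge"):
        raise ValueError("PKCE with S256 is required")
    state = params.get("state", "")
    # Grant at most what the client is allowed to have; the user could narrow it further.
    granted = set(params.get("scope", "").split()) & client["allowed_scopes"]
    if not user_consents or not granted:
        return redirect_uri + "?" + urllib.parse.urlencode({"error": "access_denied", "state": state})
    code = secrets.token_urlsafe(32)
    _pending_codes[code] = {
        "client_id": params["client_id"],
        "redirect_uri": redirect_uri,
        "scope": granted,
        "code_challenge": params["code_challenge"],
    }
    return redirect_uri + "?" + urllib.parse.urlencode({"code": code, "state": state})


def token(form: dict) -> dict:
    """Token endpoint: redeem a one-time authorization code for a bearer access token."""
    entry = _pending_codes.pop(form.get("code", ""), None)  # pop: a code is single use
    if entry is None:
        raise ValueError("invalid_grant: unknown or already used code")
    if entry["client_id"] != form.get("client_id") or entry["redirect_uri"] != form.get("redirect_uri"):
        raise ValueError("invalid_grant: client_id/redirect_uri differ from the authorization request")
    if not secrets.compare_digest(s256_challenge(form.get("code_verifier", "")), entry["code_challenge"]):
        raise ValueError("invalid_grant: code_verifier does not match code_challenge")
    access_token = secrets.token_urlsafe(32)
    _access_tokens[access_token] = {"client_id": entry["client_id"], "scope": entry["scope"]}
    return {"access_token": access_token, "token_type": "Bearer", "expires_in": 3600,
            "scope": " ".join(sorted(entry["scope"]))}  # tells the client what it actually got


def resource_request(authorization_header: str, required_scope: str) -> int:
    """Resource server: HTTP status for a request carrying 'Authorization: Bearer <token>'."""
    scheme, _, value = authorization_header.partition(" ")
    grant = _access_tokens.get(value) if scheme == "Bearer" else None
    if grant is None:
        return 401                      # missing or unknown token
    if required_scope not in grant["scope"]:
        return 403                      # valid token, insufficient scope
    return 200


# ---- Client side ----
CLIENT_ID = "demo-client"
REDIRECT_URI = "https://client.example/callback"


def run_flow(scope: str, user_consents: bool = True, tamper_state: bool = False) -> dict:
    """Drive one authorization-code + PKCE exchange; return what the client ends up holding."""
    state = secrets.token_urlsafe(16)      # ties the callback to this browser session
    verifier = secrets.token_urlsafe(32)   # stays on the client; only its hash goes in the front channel
    callback = authorize({
        "response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
        "scope": scope, "state": state,
        "code_challenge": s256_challenge(verifier), "code_challenge_method": "S256",
    }, user_consents)
    query = dict(urllib.parse.parse_qsl(urllib.parse.urlsplit(callback).query))
    if tamper_state:
        query["state"] = "forged-by-attacker"   # simulate a callback the client never initiated
    if not secrets.compare_digest(query.get("state", ""), state):
        raise ValueError("state mismatch: callback does not belong to this session (CSRF?)")
    if "error" in query:
        return {"error": query["error"]}
    response = token({"grant_type": "authorization_code", "code": query["code"],
                      "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI, "code_verifier": verifier})
    return {"access_token": response["access_token"], "scope": set(response["scope"].split())}
```

Calling run_flow("profile photos:read email") returns a token whose scope is only {"profile", "photos:read"}, because the client is not registered for email; a request to the resource server for email then gets 403 while photos:read gets 200. The checks that matter for security are the ones that are easy to leave out in a real implementation: exact redirect URI matching, a code that can be redeemed once, the PKCE verifier check on the back channel, and the state comparison on the client before the code is ever sent to the token endpoint.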
OAuth vs SAML
OAuth and SAML are two widely used protocols in modern web applications. Both end up granting a user or an application access to something, but they differ in design and purpose: SAML is an authentication (single sign-on) protocol that also carries attributes used for authorization decisions, whereas OAuth is a delegated-authorization protocol that gets its login capability from OpenID Connect.
SAML (Security Assertion Markup Language) is an XML-based protocol used for exchanging authentication and authorization data between parties, particularly between an identity provider (IdP) and a service provider (SP). SAML is primarily designed for single sign-on (SSO) and is commonly used in enterprise environments to enable employees to access various web applications with a single set of credentials. SAML is also used to provide federated authentication across multiple domains.
Although OAuth (with OpenID Connect) and SAML cover overlapping use cases, OAuth is now the more widely used of the two because it is simpler, more flexible and fits newer clients such as single-page applications (SPAs) and mobile apps, where a redirect-and-token flow is easier to implement than signed XML assertions. Over the past several years the ecosystem around OAuth, and more broadly around JWT handling, has grown to include proxies, API gateways and client libraries that understand tokens natively, so SAML can be more costly to integrate simply because fewer components speak it out of the box. SAML nonetheless remains common for workforce SSO in enterprises, where the IdP is already in place.