TLDR Key Takeaways
"Or Login with Your Google or Facebook Account."
The fact that you can use a single login to access most of your favorite go-to sites is a luxury that, while simple, has dramatically changed the way we interact with businesses online.
Ditching hundreds of usernames and passwords is just one example of the incredible impact OAuth - specifically OAuth 2.0 - has had on the digital landscape.
Think about it: at their core, online banking, social media, online shopping, email, video conferencing, and GPS navigation are all different forms of data and information exchange.
Much of the data you trust to the internet is personal and highly sensitive. The success of the entire system depends on having a reliable way to control access to private data and ensure it is protected from unauthorized entities.
OAuth 2.0 is a critical facilitator of internet activity, but it's not well understood outside a small subset of specialized developers.
OAuth 2.0 is an open-standard authorization framework that allows unrelated services to safely permit authenticated access to their assets without sharing some critical central credentials — i.e., the owner's password.
OAuth works on the principle of granting permission to access data rather than providing proof of identity, meaning it is an authorization protocol rather than an authentication protocol.
Users delegate exactly what personal information will be revealed. OAuth works over HTTPS, authorizing servers, devices, APIs, and applications. Instead of passwords, it uses short-term access tokens.
To better understand the purpose of OAuth, you might consider this often repeated analogy of a valet key. Many of today's luxury cars come equipped with a special key to be used only by a parking attendant.
Unlike your standard key, the "valet version" will start the car but denies access to certain areas of the vehicle like the trunk or glove box. Nor will this key allow the vehicle to be driven more than a short distance - with speed maximums also regulated.
Working on the valet key principle, OAuth allows you (the user) to grant limited access to your private resources to a third-party website without sharing your identity or password.
Read More: What is API Security and Why It's Important
Until late 2007, there was no open standard for API access designation. To connect with a website, you'd need to provide your user name and password. So far, so good. But if another site were involved in the mix, which often happens, the second site would need them, too.
Giving up your password to a separate set of hands is not only tedious but risky. Now the odds your secret could fall to the wrong person have exactly doubled.
Fortunately, OAuth 1.0 and now 2.0 can eliminate the need for a do-all password and restrict these sites to necessary functions.
In more practical terms, beyond the single sign-on example above, OAuth is what makes it possible to easily complete actions like posting pictures and videos from your phone to social media and paying for online purchases using your Amazon account instead of entering your credit card information.
You see OAuth in action every time you grant permission for an app to access the camera on your phone or allow a browser plug-in to access your Google account. Basically, the list of OAuth-related functions that make our lives easier is exhaustive.
Read More: API Terminology: A Complete List of Terms for Beginners
These days, when developers speak of OAuth, they mean OAuth 2.0. In fact, the iterations differ so widely that they're incompatible. The programs can be operated separately, though that's become increasingly rare.
To understand the distinctions, some clarification and history may be helpful.
In late 2007, OAuth 1.0 arrived on the scene with a framework based on digital signatures. It was reliable, secure, and quickly accepted by players such as Google and Twitter. The drawback: OAuth 1.0 meant crypto-implementation and crypto-interoperability, a challenge for many developers.
OAuth 2.0, released in Oct. 2012, was a totally different animal. This newer version wasn't backward-compatible with OAuth 1.0 or 1.1, and crypto was no longer part of the system.
OAuth version 2.0 relies on access tokens to circumvent the need for passwords, making authorization much easier and more flexible - and also more interoperable between sites and devices.
Superseding its predecessor, OAuth 2.0 has become the go-to solution for many companies, including Facebook, Microsoft, Twitter, Google, and Mozilla.
To summarize the differences:
Read More: What Is OWASP API Security Top 10 & Why It's Important
Before addressing the individual components, let's look at the sequence of events when a user initiates a website action that involves another unrelated site or service. It's assumed that the user has signed in to the first site using HTTPS.
The discussion of how OAuth 2.0 works can easily become highly technical. At a high level, the basic building blocks and their functions fall into five central components.
Now, let's break down each of the components in greater detail.
Scopes are mechanisms that define permissions and set boundaries for what an application or service does or does not have access to.
When an app sends an authorization request, the user is presented with the specific scope of the request and must authorize consent.
This consent serves as proof of authorization and allows an access token to be granted.
There are four actors appearing in an OAuth flow:
Clients can be either confidential or public. Confidential clients are what the name implies — they keep secrets. They run in safe areas and can't be accessed by end-users.
Public clients are less secure entities such as browsers, mobile apps, and IoT devices, while confidential clients are more secure and can be granted more access to secure resources.
There are two types of token actors in OAuth flows — access tokens and refresh tokens.
When you kill a refresh token, you get a new, cryptographically signed access token.
Typically, these are formatted in JavaScript Object Notation (JSON) and are known as JSON Web Tokens, or JWTs (pronounced "jots"). JWTs allow digital signatures (also known as claims), which can be later verified with a secret signing key.
Tokens are retrieved from two primary endpoints on the authorization server. First is the "authorize endpoint" that grants user consent and authorization. The authorization then passes to the "token endpoint," where the grant is processed and both the refresh token and access tokens are awarded.
The access token is the key to accessing the APIs. But once expired, it takes another trip to the token endpoint, with the refresh token, to do it all again.
Flows are the series of steps and authorization grant types required for clients to access the requested resources.
OAuth 2.0 includes six flows intended for different types of interactions.
As welcomed as OAuth 2.0 has been by developers and end-users for protecting private data, there have also been detractors.
Some have slammed the severe changes between versions 1.0 and 2.0, not without reason. OAuth 2.0 is significantly less secure than its predecessor and more complex.
The greatest criticism of OAuth2.0 may be that it doesn't directly support client verification, signature, or channel binding.
Detractors charge that OAuth 2.0 creators chose to concentrate on increased interoperability between sites and devices rather than provide additional range and security.
OAuth has suggested using a third-party protection protocol such as Transport Layer Security (TLS) to provide the additional features.
While OAuth 2.0 is a step forward in the safe use of private data, it's nowhere near enough to protect your API from broken object-level authorization (BOLA) vulnerabilities that rank #1 in the OWASP API Security Top 10 list.
Companies rely on automated API security testing platforms to comprehensively test their APIs to keep up with ever-evolving security standards.
APIsec provides just that by leveraging the power of AI to test your APIs across a wide range of vulnerabilities automatically.
The setup process takes minutes (not days or weeks), allowing you to save countless hours of your highly-paid developers while completely eliminating human error from the equation.
Are you looking to see APIsec in action? Reach out to our team today for a free security assessment.