OAuth (Open Authorization) 2.0 is a standard that defines how a third-party application can access a user's information and resources held by that user in another application. It lets users use an application with information they have already registered in another application. If you have ever logged in via Facebook, or used third-party applications with a Google account, you already have a rough picture of how OAuth 2.0 works.
In this tutorial, I will introduce to you an overview of OAuth 2.0!
The first thing you need to know about is the OAuth 2.0 Roles.
Roles in OAuth 2.0 are the components that take part in the authentication of the user's information and of the resources that the third-party application needs to use. These Roles are:
- The third-party application, which we often call the Client Application: the application we are using, which will access our information and the resources we own in other applications.
- The Resource Server: the server that holds the resources that the application we are using will access.
- The Resource Owner: us, the user who owns these resources.
- The Authorization Server: the server that decides whether the application we are using is allowed to access our resources or not. In order to do this, we need to provide our information for the application we are using!
You can see the following figure to understand more.
Normally, you will see that the Resource Server and the Authorization Server are one and the same; for example, Google alone serves as both Resource Server and Authorization Server. But of course, they can be separated, too.
To imagine the process of validating user information in OAuth 2.0, please see the following figure:
We access the application we want to use and choose to log in to it with a Google account. Of course, this application must support logging in with your Google account.
Then the Client Application redirects us to the Google login page so that we can log in.
After we log in to Google successfully, Google asks whether we allow this application to access our resources. If we agree, Google redirects back to the Client Application using the URL that this application registered with Google beforehand, along with the authorization code.
Then the Client Application uses the information it has, namely the authorization code, its client id and its client secret, to confirm with Google that it may access our information at Google.
Google then returns an access token that allows the Client Application to access our information.
The Client Application has successfully used our Google account.
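The six steps above, simulated end to end in a single process as an added example (this is not code from the original post and it does not call any real Google endpoint). The three classes stand in for the Authorization Server, the Resource Server and the Client Application; the client id, client secret, redirect URL and the user "alice" with her profile are constructed sample values. It also shows the checks a real Authorization Server performs at each step that the text does not spell out: the redirect URL must exactly match the one registered beforehand, the authorization code is bound to that client and redirect URL, expires quickly and can be redeemed only once, and the client secret is compared in constant time.

```python
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

CODE_LIFETIME_SECONDS = 60  # authorization codes are short-lived by design


class AuthorizationServer:
    """Constructed stand-in for Google in its Authorization Server role."""

    def __init__(self):
        self.clients = {}   # client_id -> (client_secret, registered redirect URL)
        self.codes = {}     # code -> (client_id, redirect_uri, user, expiry)
        self.tokens = {}    # access_token -> user

    def register_client(self, client_id, client_secret, redirect_uri):
        # The Client Application registers its callback URL with Google ahead of time.
        self.clients[client_id] = (client_secret, redirect_uri)

    def authorize(self, client_id, redirect_uri, user, consent):
        """User has logged in; Google asks for consent and redirects back with a code."""
        if client_id not in self.clients or self.clients[client_id][1] != redirect_uri:
            # Only the pre-registered URL may receive the code (exact match).
            raise PermissionError("unknown client or redirect_uri mismatch")
        if not consent:
            return redirect_uri + "?" + urlencode({"error": "access_denied"})
        code = secrets.token_urlsafe(32)
        self.codes[code] = (client_id, redirect_uri, user, time.time() + CODE_LIFETIME_SECONDS)
        return redirect_uri + "?" + urlencode({"code": code})

    def token(self, client_id, client_secret, code, redirect_uri):
        """Back-channel exchange: code + client id + client secret -> access token."""
        secret, _ = self.clients.get(client_id, (None, None))
        if secret is None or not secrets.compare_digest(secret, client_secret):
            raise PermissionError("invalid client credentials")
        entry = self.codes.pop(code, None)  # a code can be redeemed only once
        if entry is None:
            raise PermissionError("unknown or already used code")
        code_client, code_redirect, user, expiry = entry
        if code_client != client_id or code_redirect != redirect_uri or time.time() > expiry:
            raise PermissionError("code not valid for this client or redirect_uri")
        access_token = secrets.token_urlsafe(32)
        self.tokens[access_token] = user
        return access_token


class ResourceServer:
    """Constructed stand-in for Google in its Resource Server role."""

    def __init__(self, auth_server):
        self.auth_server = auth_server
        self.profiles = {"alice": {"email": "alice@example.com"}}  # constructed sample data

    def get_profile(self, access_token):
        user = self.auth_server.tokens.get(access_token)
        if user is None:
            raise PermissionError("invalid access token")
        return self.profiles[user]


class ClientApplication:
    """The third-party application the user signs in to with a Google account."""

    def __init__(self, client_id, client_secret, redirect_uri, auth_server, resource_server):
        self.client_id, self.client_secret, self.redirect_uri = client_id, client_secret, redirect_uri
        self.auth_server, self.resource_server = auth_server, resource_server

    def handle_callback(self, callback_url):
        """Google redirected the browser back to us; parse the code and exchange it."""
        params = parse_qs(urlparse(callback_url).query)
        if "code" not in params:
            raise PermissionError("user denied access: " + params.get("error", ["?"])[0])
        access_token = self.auth_server.token(
            self.client_id, self.client_secret, params["code"][0], self.redirect_uri)
        return self.resource_server.get_profile(access_token)


def run_flow(consent=True):
    """Run the whole exchange end to end and return the profile the client obtained."""
    google = AuthorizationServer()
    google_api = ResourceServer(google)
    google.register_client("my-app", "my-app-secret", "https://my-app.example/callback")
    app = ClientApplication("my-app", "my-app-secret", "https://my-app.example/callback",
                            google, google_api)
    # Steps 1-3: the user logs in at Google and is asked to approve the application.
    callback_url = google.authorize("my-app", "https://my-app.example/callback", "alice", consent)
    # Steps 4-6: the client redeems the code for a token and reads the user's profile.
    return app.handle_callback(callback_url)


if __name__ == "__main__":
    print(run_flow())
```

Note that the browser only ever sees the authorization code in the callback URL; the client secret and the access token travel over the direct client-to-server exchange in `token()`, which is why a leaked code alone is not enough to obtain a token from this server.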
That is the basic overview of OAuth 2.0. I will guide you through implementing OAuth 2.0 for your application in the upcoming tutorials.