OAuth 2.0: Compréhension de l'autorisation, de l'authentification, des jetons et plus encore

OAuth 2.0: Understanding Authorization, Authentication, Tokens, and More

Introduction

OAuth 2.0 is the open standard for allowing third-party applications to access resources on behalf of a user. Originally created in 2012 and now widely adopted, OAuth 2.0 replaces OAuth 1.0 and serves as the industry standard for online authorization. This article explores various aspects of OAuth 2.0, including authorization, authentication, tokens, and the functioning of the authorization code flow. Additionally, we will discuss the primary actors involved in OAuth 2.0 systems.

Principals in OAuth 2.0 Systems

Resource Owner

The resource owner represents the user or system that owns the protected resources and can grant access to them. This could be an individual user, an administrator, or another entity responsible for managing access to the corresponding resource.

Client

The client is the application that requires access to the protected resources. To gain access, the client needs to hold the appropriate Access Token. Clients can include web applications running on a server, browser-based applications, native mobile apps, connected devices, and other types of clients.

Authorization Server

The authorization server receives requests from the client for Access Tokens and issues them upon successful authentication and authorization. It maintains the list of registered clients and their respective credentials, such as client ID and client secret. Some common endpoints of an Authorization Server are the Authorization endpoint, which handles the interactive authentication and consent of the user, and the Token endpoint, where clients request tokens by providing a valid code or client credential.

OAuth 2.0 Functions

Authentication vs. Authorization

Although often confused with authentication, OAuth 2.0 is primarily designed for authorization, not authentication. While it may be used within authentication protocols, OAuth does not provide any information about who authorized the application or even if there was a user present during the interaction between the client and the accessed resource.

Access Tokens

An Access Token is a piece of data issued by the authorization server representing the authorization to access specific resources on behalf of the resource owner. An Access Token contains relevant permissions granted based on the user's consents and has an expiration time to ensure secure access.

Functions of OAuth 2.0 Actors

Resource Owner

The resource owner initiates the OAuth 2.0 process by granting permission to the client to access specific resources. This allows individuals to control their own settings and personal information across multiple services without having to share passwords.

Client

Clients use OAuth 2.0 to authenticate themselves with the authorization server and obtain access tokens. These tokens allow the client to access protected resources owned by the resource owner.

Authorization Server

Authority servers handle three main functions: authentication, token issuance, and token revocation. They verify the identity of the users and clients and issue access tokens upon successful authentication and authorization. Additionally, they manage token expiration and revoke them when necessary.

OAuth 2.0 Grant Types

OAuth 2.0 provides several grant types, each suitable for different scenarios, such as Authorization Code, Implicit, Resource Owner Password Credentials, and Client Credentials. The choice of grant type depends on factors like the security requirements, user experience, and the trust relationship between the involved parties.

Conclusion

Understanding the principles, roles, and functioning of OAuth 2.0 is crucial for developers building secure web applications. With its focus on delegation and controlled access, OAuth offers a robust framework for handling cross-service operations while maintaining the privacy and security of both resource owners and client applications.