OAuth

OAuth 2.0

OAuth 2.0 is an authorization framework that allows users to grant limited access to their resources on one website to another website or application.

Roles

  • Resource Owner: The user who owns the protected resource (e.g., the user of an application).
  • Client: The application requesting access to the protected resources on behalf of the resource owner.
  • Authorization Server: The server that authenticates the resource owner and issues access tokens.
  • Resource Server: The server hosting the protected resources.
  • Redirect URI: The URI to which the authorization server redirects the user after authorization. It is a protocol parameter rather than a role, but since authorization codes and tokens are delivered through it, the server should only redirect to exactly pre-registered values.

OAuth Flows

  • Authorization Code Flow: Used by confidential clients (and, with PKCE, by public clients); the client exchanges a short-lived authorization code for an access token at the token endpoint.
  • Implicit Flow: Designed for public clients; issues access tokens directly in the redirect without an intermediate authorization code. Because the token is exposed in the URL, current OAuth 2.0 security best practice discourages it in favour of the Authorization Code Flow with PKCE.
  • Client Credentials Flow: Used for machine-to-machine communication, where the client authenticates directly with its own credentials and no resource owner is involved.
  • Resource Owner Password Credentials Flow: The client collects the resource owner's username and password and sends them to the authorization server directly. This exposes the password to the client and is discouraged in current best practice.

Access Token

  • A token that represents the authorization granted by the resource owner to access protected resources.
  • Can be used in API requests to authenticate and authorize access.
  • Should be stored securely and transmitted only over HTTPS.

OpenID Connect (OIDC)

OIDC is an identity layer built on top of OAuth 2.0. It adds authentication (who the user is) to OAuth's authorization (what the client may access).

ID Token

  • A JSON Web Token (JWT) issued by the OpenID Provider (OP) during the authentication process.
  • Contains information about the authenticated user and additional claims.
  • Used by the client to authenticate the user and obtain basic user information; its signature, issuer, audience, expiry and nonce must be validated before any of its claims are trusted.

Claims

  • Pieces of information about the user or the context of the authentication.
  • Can be included in the ID Token or obtained through additional API calls using the access token.
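The ID Token and Claims sections above describe what the token carries; this added example (not part of the original page) shows the checks a relying party runs before trusting those claims. The issuer, client id, shared secret and token values are constructed assumptions: HS256 is used so the code runs offline, whereas real providers normally sign with RS256/ES256 keys fetched from the discovery document.

```python
import base64, hashlib, hmac, json, time

# Constructed demo values (assumptions, not from a real provider). HS256 with a shared secret
# keeps it offline; real OPs sign with RS256/ES256 keys from the discovery jwks_uri (step 2 only).
SHARED_SECRET = b"constructed-demo-secret"
EXPECTED_ISSUER = "https://op.example"   # must equal the discovery "issuer" value
CLIENT_ID = "demo-client"                # this relying party's client_id
ALLOWED_ALGS = {"HS256"}                 # allow-list: "none" or an unexpected alg fails

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_id_token(claims: dict) -> str:
    # Mint a demo token the way the OP would: HS256 over "header.payload".
    head = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(SHARED_SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url(sig)}"

def validate_id_token(token: str, expected_nonce: str, now=None) -> dict:
    # Returns the claims when every check passes, raises ValueError otherwise.
    now = int(time.time()) if now is None else now
    head_b64, body_b64, sig_b64 = token.split(".")  # ValueError unless exactly 3 parts
    # 1. The algorithm comes from our allow-list, never from the untrusted header alone.
    if json.loads(unb64url(head_b64)).get("alg") not in ALLOWED_ALGS:
        raise ValueError("unsupported alg")
    # 2. Signature over the exact header.payload bytes, compared in constant time.
    expected = hmac.new(SHARED_SECRET, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, unb64url(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(unb64url(body_b64))
    # 3. Issuer: the token must come from the OP this client is configured for.
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("unexpected issuer")
    # 4. Audience: a validly signed token minted for another client is still rejected.
    aud = claims.get("aud")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not intended for this client")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("token expired")  # 5. Lifetime: exp must still lie in the future.
    # 6. Nonce: must equal the value this client sent in its authentication request.
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    return claims

def is_valid_id_token(token: str, expected_nonce: str, now=None) -> bool:
    try:
        return bool(validate_id_token(token, expected_nonce, now))
    except ValueError:
        return False
```

Swapping step 2 for a JWS library call that verifies against the provider's published key set gives the production version; the claim checks in steps 3 to 6 stay exactly as written.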

Scopes

  • Define the level of access and permissions requested by the client during the authentication process.
  • Allow users to control the information they share with the client.
  • Common scopes include openid (required for OIDC), profile, email, offline_access, etc.

Discovery Endpoint

  • A well-known endpoint (/.well-known/openid-configuration under the issuer URL) from which clients retrieve the provider's configuration.
  • Contains metadata such as the issuer identifier, endpoint URLs, supported flows and signing algorithms, and the jwks_uri where the provider publishes the public keys used to verify ID Tokens.

UserInfo Endpoint

  • An endpoint provided by the OpenID Provider that returns user information based on the access token.
  • Can be used to fetch additional user details beyond what is available in the ID Token.