OAuth Crash Course

Devavrat kalam
4 min read · Dec 21, 2020

OAuth allows us to securely access and login into websites. But do you know how it actually works?

Photo by freestocks on Unsplash

OAuth stands for Open Authorization. Before OAuth was introduced, if you wanted to log in to a third-party application (say App1) using your Gmail account, you had to hand your Gmail username and password to App1, and the app would then log in to Gmail on your behalf (in the screenshot below, the third party doing this is Facebook). This is not a good practice: you don’t go around giving your credentials (if you do, please STOP!) to third-party applications.

The following image is a real screenshot of Facebook requesting Gmail’s credentials for login.

Figure 1: Before OAuth, Facebook requesting to login using Gmail’s credentials

Why OAuth

OAuth is an authorization framework. It allows third-party applications to access user data held by a trusted website (like Gmail) without the user giving their credentials to those third-party applications. Almost every website that exposes APIs uses OAuth. All authorization requests from third parties are handled by the OAuth server. The version in current use is OAuth 2.0.

For example, if you want to log in to Nvidia’s website with your Gmail account as shown below, you don’t enter your credentials on the Nvidia website. You get redirected to Google’s OAuth server, where you log in. The following image illustrates this.

Figure 2: Nvidia login page

On selecting the option ‘Login with Google’, the page is redirected to Google’s OAuth server.

Figure 3: Google’s OAuth server login page

From the above image, we can see Nvidia requests name, email, and some relevant information from Gmail to authorize the user on its own website.

One thing to keep in mind is that OAuth is used for authorization and not authentication.

Authentication: To determine whether a user is actually who they claim to be.

Authorization: To determine what a user can or cannot access.

OAuth Workflow

Figure 4: Workflow diagram of OAuth part 1

1. The user installs or accesses a third-party website.

For this example, we will use the Nvidia website as a third-party website.

2. Nvidia allows login using a Gmail account.

3. The user opts for the Gmail login option.

4. Nvidia asks Gmail to send a Request Token.

5. Gmail provides a temporary request token.

Figure 5: Workflow diagram of OAuth part 2

6. Nvidia sends the request token to the user.

7. This request token redirects the user to Gmail’s OAuth server, where the user logs in to Gmail with their credentials.

8. Gmail sends an authorized request token on a successful login to the user.

9. The user forwards this token back to Nvidia.

10. Nvidia sends this authorized request token to Gmail and requests an authorization token.

11. Gmail checks whether the token is valid and generated from Gmail itself. If everything is correct, Gmail sends an authorization token back to Nvidia.

12. This token is stored on Nvidia’s servers and used whenever the user accesses Nvidia from then on.
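The twelve steps above, simulated end to end as an added example (this is not code from the article or from Google or Nvidia). The provider side is modelled as an in-memory authorization server; the client id “nvidia”, the test account, and the five-minute token lifetime are constructed assumptions. The point of the example is step 11: the server accepts a request token for exchange only if it issued that token itself, to that same client, the user actually logged in to approve it, it has not expired, and it has not been used before.

```python
import secrets
import time

# Constructed test account; in reality the provider checks its own user database.
USERS = {"alice@gmail.example": "correct horse battery staple"}

class AuthorizationServer:
    """The provider side of the flow (the article's 'Gmail OAuth server')."""
    def __init__(self, ttl_seconds=300):
        self.ttl = ttl_seconds
        self.request_tokens = {}  # token -> client it was issued to, approving user, issue time
        self.access_tokens = {}   # long-lived tokens the third party stores (step 12)

    def issue_request_token(self, client_id):                  # steps 4-5
        tok = secrets.token_urlsafe(32)                         # unguessable, not derived from user data
        self.request_tokens[tok] = {"client": client_id, "user": None, "issued": time.time()}
        return tok

    def user_login(self, request_token, username, password):   # steps 7-8: credentials go ONLY here
        entry = self.request_tokens.get(request_token)
        stored = USERS.get(username)
        if entry is None or stored is None or not secrets.compare_digest(stored, password):
            return False
        entry["user"] = username                               # the request token is now 'authorized'
        return True

    def exchange(self, client_id, request_token):              # steps 10-11
        entry = self.request_tokens.pop(request_token, None)   # pop, not get: a token is single-use
        if entry is None:                                      # never issued by us, or already used
            return None
        if entry["client"] != client_id:                       # issued to a different application
            return None
        if entry["user"] is None:                              # nobody logged in to approve it
            return None
        if time.time() - entry["issued"] > self.ttl:           # expired before the user came back
            return None
        access = secrets.token_urlsafe(32)
        self.access_tokens[access] = {"client": client_id, "user": entry["user"]}
        return access

def run_flow(server, client_id="nvidia", username="alice@gmail.example", password=""):
    """Steps 4-12 on the happy path; returns the token the third party stores, or None."""
    req = server.issue_request_token(client_id)      # step 5: third party receives a request token
    # steps 6-7: the user is redirected to the provider carrying `req`; the third party
    # never sees the password, only the provider does.
    if not server.user_login(req, username, password):
        return None
    # step 9: the user brings the authorized request token back to the third party,
    # steps 10-11: which exchanges it for the long-lived token it will store (step 12).
    return server.exchange(client_id, req)
```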

Benefits of OAuth

  • It keeps user credentials safe.
  • It makes it easy to authorize one service from another.
  • Security improvements made at the main OAuth server carry over to every application in its environment. For example, a security benefit added by Google reaches all the sites that use Google to log in, such as YouTube, Nvidia, and others. If Google adds multi-factor authentication, it is automatically applied to all of those applications as well.
  • The attack surface is reduced. When multiple applications each store user credentials, attackers can compromise whichever one of them has weak security and obtain your credentials. This is not possible with OAuth, since all the authentication is done in a single, highly trusted place, i.e. the OAuth server of the main website, which can be prioritized for the utmost security.

If you found this article helpful, make sure you like, subscribe, and share it with people who might be interested. If you think anything is confusing or incorrect please let me know by commenting down below and I will try my best to answer it.

Thank you for reading the article.
