Hello Cyber geeks, this is my first ever article on Medium; I will be publishing more articles after this. Hope you will enjoy it. Happy Hunting!!
Open Authorization (OAuth)
OAuth is a framework for authorization between services. It lets a third-party application obtain limited access to a user's resources held by another service, without the user handing their credentials to that application. OAuth 2.0 is specified in RFC 6749.
Terminology Associated with OAuth:
Resource (protected resource): the data or service that only the user is authorized to access, for example the user's photos. It is what the client (third-party application) wants to reach.
Resource owner: the user who owns the protected resource. It is the entity capable of granting access to that resource.
Resource server: the server hosting the protected resource, in other words the one that holds it and serves it when presented with a valid access token.
Client: the application that wants to access the protected resource. It makes requests to the resource server on behalf of the resource owner, presenting an access token.
Authorization server: the server that authenticates the resource owner, obtains their consent and issues tokens to the client. It can be a separate server or co-located with the resource server. It is responsible for the authorization decisions in the flow.
OAuth Flow 1: (Communication between client, resource owner and authorization server)
Prerequisite: (Both services must support OAuth)
Authorization code flow:
Let's try to understand this with a simple example. Consider a photo printing service that wants to access your photos stored in Google Drive.
- The user is logged in to the photo printing service (the client).
- The client redirects the user to the authorization server (in this case Google's OAuth server; Google Drive itself is the resource server), asking for access to the user's photos. The authorization server does not trust the client on its own, so it turns to the user (the resource owner) and asks for confirmation.
- The resource owner reviews the requested permissions (the scope) and approves them. With that confirmation, the authorization server issues an authorization code (this article calls it an authorization token) to the client, sent via the client's registered redirect URI.
- The client sends the authorization code from step 3, together with its own client credentials, to the authorization server's token endpoint and asks for an access token. This is the exchange of the authorization code for the access token.
- The client now holds the access token and can use it to access the protected resource.
- The client presents the access token to the resource server (not the resource owner). The resource server validates the token, either by checking with the authorization server or by verifying it locally, and if the token is valid it returns the protected resource.
Advantage: the access token is delivered to the client over a direct back-channel request to the token endpoint, which also authenticates the client, and the token never passes through the user's browser. This is the recommended flow.
Authorization code (called an authorization token above): a short-lived, single-use credential issued by the authorization server to the client after the resource owner's consent. It represents the limited permissions (scope) the resource owner granted and is only useful once exchanged for an access token.
OAuth Flow 2 (Implicit flow)
This flow is similar to the one above; the only difference is that instead of issuing an authorization code, the authorization server returns the access token directly in the redirect back to the client (in the URL fragment). There is no code exchange step; only the access token comes into play.
Drawback: the access token is exposed in the browser (the URL, history, and potentially referrer headers) and the client is never authenticated when it is issued, so if an attacker obtains the token they can easily impersonate the client and access the resource. Current OAuth 2.0 security guidance recommends the authorization code flow instead of the implicit flow.
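To make both flows concrete, here is a small in-memory simulation of the authorization code flow (the six steps above) and the implicit flow. It is an added example, not code from the original article and not anything Google ships: the client id, client secret, redirect URI, scope string and the two server classes are all hypothetical, and the "photos" are constructed sample data. It shows the pieces the text describes, namely the consent redirect carrying a single-use code, the back-channel code exchange that checks the client secret and redirect URI, the state check against CSRF, the resource server validating the token with the authorization server, and, for contrast, the implicit flow dropping the access token straight into the URL fragment.

```python
"""In-memory simulation of the OAuth 2.0 authorization code and implicit flows.
Everything here (client id/secret, redirect URI, scope, users, photos) is made up
for illustration; nothing talks to Google or any real authorization server."""
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

CLIENT_ID = "print-service"                       # hypothetical registered client
CLIENT_SECRET = "s3cret"                          # known only to the client's back end
REDIRECT_URI = "https://print.example/callback"   # registered with the auth server


class AuthorizationServer:
    """Hypothetical authorization server (Google's OAuth server in the article)."""

    def __init__(self):
        self.clients = {CLIENT_ID: {"secret": CLIENT_SECRET, "redirect_uri": REDIRECT_URI}}
        self.codes = {}    # authorization code -> grant details (single use)
        self.tokens = {}   # access token -> {scope, user}

    def authorize(self, params, user, approved):
        """Authorization endpoint. `user` is the authenticated resource owner and
        `approved` is their consent decision. Returns the redirect URL the
        browser is sent back to (steps 2 and 3 of the flow)."""
        client = self.clients.get(params["client_id"])
        # Exact redirect_uri match: otherwise an attacker's site could receive the code/token.
        if client is None or params["redirect_uri"] != client["redirect_uri"]:
            raise ValueError("unknown client or redirect_uri mismatch")
        if not approved:
            return params["redirect_uri"] + "?" + urlencode(
                {"error": "access_denied", "state": params["state"]})
        if params["response_type"] == "code":          # authorization code flow
            code = secrets.token_urlsafe(16)
            self.codes[code] = {"client_id": params["client_id"],
                                "redirect_uri": params["redirect_uri"],
                                "scope": params["scope"], "user": user}
            return params["redirect_uri"] + "?" + urlencode({"code": code, "state": params["state"]})
        if params["response_type"] == "token":         # implicit flow: token in the fragment
            token = self._issue_token(params["scope"], user)
            return params["redirect_uri"] + "#" + urlencode(
                {"access_token": token, "token_type": "Bearer", "state": params["state"]})
        raise ValueError("unsupported response_type")

    def token(self, code, client_id, client_secret, redirect_uri):
        """Token endpoint (step 4): back-channel exchange of the code for an access token."""
        grant = self.codes.pop(code, None)             # pop: a code can be used only once
        client = self.clients.get(client_id)
        if grant is None or client is None or client["secret"] != client_secret:
            raise PermissionError("invalid_grant or invalid_client")
        if grant["client_id"] != client_id or grant["redirect_uri"] != redirect_uri:
            raise PermissionError("code was issued to a different client or redirect_uri")
        return self._issue_token(grant["scope"], grant["user"])

    def introspect(self, token):
        """What the resource server asks in step 6: is this token valid, and for what?"""
        return self.tokens.get(token)

    def _issue_token(self, scope, user):
        token = secrets.token_urlsafe(24)
        self.tokens[token] = {"scope": scope, "user": user}
        return token


class ResourceServer:
    """Hypothetical resource server (Google Drive in the article) with constructed sample data."""

    def __init__(self, auth_server):
        self.auth = auth_server
        self.photos = {"alice": ["beach.jpg", "cat.jpg"]}

    def list_photos(self, access_token):
        info = self.auth.introspect(access_token)
        if info is None or "photos.read" not in info["scope"].split():
            raise PermissionError("invalid token or insufficient scope")
        return self.photos[info["user"]]


def authorization_code_flow(auth, resource, user="alice"):
    """The client's side of steps 1-6. Returns the protected resource."""
    state = secrets.token_urlsafe(8)                   # bound to the user's session
    params = {"response_type": "code", "client_id": CLIENT_ID,
              "redirect_uri": REDIRECT_URI, "scope": "photos.read", "state": state}
    redirect = auth.authorize(params, user, approved=True)
    query = parse_qs(urlparse(redirect).query)
    if query["state"][0] != state:                     # reject codes injected by a third party
        raise ValueError("state mismatch (possible CSRF)")
    access_token = auth.token(query["code"][0], CLIENT_ID, CLIENT_SECRET, REDIRECT_URI)
    return resource.list_photos(access_token)


def implicit_flow_redirect(auth, user="alice"):
    """The implicit flow's redirect: the bearer token sits in the URL fragment."""
    params = {"response_type": "token", "client_id": CLIENT_ID,
              "redirect_uri": REDIRECT_URI, "scope": "photos.read", "state": "xyz"}
    return auth.authorize(params, user, approved=True)


if __name__ == "__main__":
    auth = AuthorizationServer()
    drive = ResourceServer(auth)
    print("code flow ->", authorization_code_flow(auth, drive))
    print("implicit flow redirect ->", implicit_flow_redirect(auth))
```

Two details worth noticing when you run it: the code flow's access token appears nowhere in any URL, only in the return value of the back-channel `token()` call, while the implicit flow's redirect string carries a live bearer token that the resource server will happily accept if anyone who saw that URL replays it. A second `token()` call with the same code, or a call with the wrong client secret, raises `PermissionError`.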
To be continued….