The Modern Guide to OAuth

Author : usitvhd
Publish Date : 2021-03-27

The Modern Guide to OAuth

I know what you are thinking, is this really another guide to OAuth 2.0?

Well, yes and no. This guide is different than most of the others out there because it covers all of the ways that we actually use OAuth. It also covers all of the details you need to be an OAuth expert without reading all the specifications or writing your own OAuth server. This document is based on hundreds of conversations and client implementations as well as our experience building FusionAuth, an OAuth server which has been downloaded over a million times.

If that sounds good to you, keep reading!

We do cover a lot, so here’s a handy table of contents to let you jump directly to a section if you’d like.

    OAuth overview
    OAuth modes
        Local login and registration
        Third-party login and registration
        First-party login and registration
        Enterprise login and registration
        Third-party service authorization
        First-party service authorization
        Machine-to-machine authorization
        Device login and registration
        Which OAuth mode is right for you?
    OAuth Grants
        Authorization Code grant
            Login/register buttons
            Authorize endpoint parameters
            Logging in
            Redirect and retrieve the tokens
            User and token information
            Local login and registration with the Authorization Code grant
            Third-party login and registration (also Enterprise login and registration) with the Authorization Code grant
            Third-party authorization with the Authorization Code grant
            First-party login and registration and first-party service authorization
        Implicit grant in OAuth 2.0
        Resource Owner’s Password Credentials grant
        Client Credentials grant
        Device grant

OAuth overview

OAuth 2.0 is a set of specifications that allow developers to easily delegate the authentication and authorization of their users to someone else. While the specifications don’t specifically cover authentication, in practice this is a core piece of OAuth, so we will cover it in depth (because that’s how we roll).

What does that mean, really? It means that your application sends the user over to an OAuth server, the user logs in, and then the user is sent back to your application. However, there are a couple of different twists and goals of this process. Let’s cover those next.
OAuth modes

None of the specifications cover how OAuth is actually integrated into applications. Whoops! But as a developer, that’s what you care about. They also don’t cover the different workflows or processes that leverage OAuth. They leave almost everything up to the implementer (the person who writes the OAuth Server) and integrator (the person who integrates their application with that OAuth server).

Rather than just reword the information in the specifications (yet again), let’s create a vocabulary for real-world integrations and implementations of OAuth. We’ll call them OAuth modes.

There are eight OAuth modes in common use today. These real world OAuth modes are:

    Local login and registration
    Third-party login and registration (federated identity)
    First-party login and registration (reverse federated identity)
    Enterprise login and registration (federated identity with a twist)
    Third-party service authorization
    First-party service authorization
    Machine-to-machine authentication and authorization
    Device login and registration

I’ve included notation on a few of the items above specifying which are federated identity workflows. The reason that I’ve changed the names here from just “federated identity” is that each case is slightly different. Plus, the term federated identity is often overloaded and misunderstood. To help clarify terms, I’m using “login” instead. However, this is generally the same as “federated identity” in that the user’s identity is stored in an OAuth server and the authentication/authorization is delegated to that server.

Let’s discuss each mode in a bit more detail, but first, a cheat sheet.
Which OAuth mode is right for you?

Wow, that’s a lot of different ways you can use OAuth. That’s the power and the danger of OAuth, to be honest with you. It is so flexible that people new to it can be overwhelmed. So, here’s a handy set of questions for you to ask yourself.

    Are you looking to outsource your authentication and authorization to a safe, secure and standards-friendly auth system? You’ll want Local login and registration in that case.
    Trying to avoid storing any credentials because you don’t want responsibility for passwords? Third-party login and registration is where it’s at.
    Are you selling to Enterprise customers? Folks who hear terms like SAML and SOC2 and are comforted, rather than disturbed? Scoot on over to Enterprise login and registration.
    Are you building service to service communication with no user involved? If so, you are looking for Machine-to-machine authorization.
    Are you trying to let a user log in from a separate device? That is, from a TV or similar device without a friendly typing interface? If this is so, check out Device login and registration.
    Are you building a platform and want to allow other developers to ask for permissions to make calls to APIs or services on your platform? Put on your hoodie and review First-party login and registration and First-party service authorization.
    Do you have a user store already integrated and only need to access a third party service on your users’ behalf? Read up on Third-party service authorization.

With that overview done, let’s examine each of these modes in more detail.
Local login and registration

The Local login and registration mode is when you are using an OAuth workflow to register or log users into your application. In this mode, you own both the OAuth server and the application. You might not have written the OAuth server (if you are using a product such as FusionAuth), but you control it. In fact, this mode usually feels like the user is signing up or logging directly into your application via native forms and there is no delegation at all.

What do we mean by native forms? Most developers have at one time written their own login and registration forms directly into an application. They create a table called users and it stores usernames and passwords. Then they write the registration and the login forms (HTML or some other UI). The registration form collects the username and password and checks if the user exists in the database. If they don’t, the application inserts the new user into the database. The login form collects the username and password and checks if the account exists in the database and logs the user in if it does. This type of implementation is what we call native forms.

The only difference between native forms and the Local login and registration OAuth mode is that with the latter you delegate the login and registration process to an OAuth server rather than writing everything by hand. Additionally, since you control the OAuth server and your application, it would be odd to ask the user to “authorize” your application. Therefore, this mode does not include the permission grant screens that often are mentioned in OAuth tutorials. Never fear; we’ll cover these in the next few sections.

So, how does this work in practice? Let’s take a look at the steps for a fictitious web application called “The World’s Greatest ToDo List” or “TWGTL” (pronounced Twig-Til):

    A user visits TWGTL and wants to sign up and manage their ToDos.
    They click the “Sign Up” button on the homepage.
    This button takes them over to the OAuth server. In fact, it takes them directly to the registration form that is included as part of the OAuth workflow (specifically the Authorization Code grant which is covered later in this guide).
    They fill out the registration form and click “Submit”.
    The OAuth server ensures this is a new user and creates their account.
    The OAuth server redirects the browser back to TWGTL, which logs the user in.
    The user uses TWGTL and adds their current ToDos. Yay!
    The user stops using TWGTL; they head off and do some ToDos.
    Later, the user comes back to TWGTL and needs to sign in to check off some ToDos. They click the My Account link at the top of the page.
    This takes the user to the OAuth server’s login page.
    The user types in their username and password.
    The OAuth server confirms their identity.
    The OAuth server redirects the browser back to TWGTL, which logs the user in.
    The user interacts with the TWGTL application, merrily checking off ToDos.

That’s it. The user feels like they are registering and logging into TWGTL directly, but in fact, TWGTL is delegating this functionality to the OAuth server. The user is none-the-wiser so this is why we call this mode Local login and registration.

I bet your login screen will be much prettier.
An aside about this mode and mobile applications

The details of this mode has implications for the security best practices recommended by some of the standards bodies. In particular, the OAuth 2.0 for Native Apps Best Current Practices (BCP) recommends against using a webview:

    This best current practice requires that native apps MUST NOT use embedded user-agents to perform authorization requests…

This is because the “embedded user-agents”, also known as webviews, are under control of the mobile application developer in a way that the system browser is not.

If you are operating in a mode where the OAuth server is under a different party’s control, such as the third-party login that we’ll cover next, this prohibition makes sense. But in this mode, you control everything. In that case, the chances of a malicious webview being able to do extra damage is minimal, and must be weighed against the user interface issues associated with

Category :others



- Teak comes form a hardwood tree called Tectona grandis. It grows in Indonesia and Southeast Asia and is dense-grained and

Ethiopian forces fire at UN team as aid groups seek Tigray access

Ethiopian forces fire at UN team as aid groups seek Tigray access

- Ethiopian forces fire at UN team as aid groups seek Tigray access

Get Actual Microsoft AI-100 dumps - Gates To Success 

Get Actual Microsoft AI-100 dumps - Gates To Success 

- I’m impressed with the work of experts at CertsSchool.A very concise and clear explanation of every topic has been given in this study material. It was amazing experience to learn under the guidance of qualified experts.