M. Ahmed

OAuth 2.0 Notes

Notes on the OAuth 2.0 framework, written for better understanding.

Definition: An authorization framework that lets an application obtain limited access to a user's data on a service (an HTTP API), with the user's consent, without the application ever handling the user's password. Instead of a password, the application is issued an access token scoped to what the user approved.

Roles

  1. Resource Owner (the user who owns the data and grants or denies access to it)
  2. Resource Server (hosts the user's data behind an API and accepts access tokens)
  3. Authorization Server (authenticates the user, records consent, and issues the Access Token that the Client presents to the Resource Server)
  4. Client (the web application trying to get access to the user's data)

Flow Diagram

Note: Resource and Authorization Server can be jointly referred to as the Service.

Application Registration With the Service

Fields required for registration on the service’s website:

  • Application Name
  • Application Website
  • Redirect URI or Callback URL

The redirect URI is where the service will redirect the user's browser after they authorize (or deny) your application and, therefore, the part of your application that handles authorization codes or access tokens. Register the exact URI: the service compares the redirect_uri in each request against the registered value, and if that comparison is loose (prefix match, any path, any subdomain), a request can name a URL the attacker controls and the code is delivered there.

Client ID: publicly identifies the application. Client Secret: authenticates the application to the Service (must not be exposed publicly, so it belongs only in server-side code, never in browser JavaScript or a mobile binary).

Grant Types:

  • Authorization Code: used by server-side applications acting on behalf of a user
  • Client Credentials: used by applications that call the API on their own behalf (machine-to-machine, no user involved)
  • Device Code: used by devices that lack a browser or have limited input (TVs, consoles, CLI tools)

1. Authorization Code Flow

Step 1: The Client redirects the user's browser to the authorization endpoint:

https://SERVICE.com/v1/oauth/authorize?response_type=code&client_id=CLIENT_ID&redirect_uri=CALLBACK_URL&scope=read&state=RANDOM_STATE

The state value is a random, per-session string that the Client generates and stores before redirecting. It is optional in the protocol but should always be sent, because it is what lets the Client tell its own callbacks from forged ones.

Step 2: The user logs in (if needed) and grants or denies access on the service's page.

Step 3: The service redirects the user's browser back to the registered redirect URI, carrying the code and echoing the state:

https://CLIENT.com/callback?code=AUTHORIZATION_CODE&state=RANDOM_STATE

Before using the code, the Client must check that the returned state equals the one stored for this session; a mismatch means the callback was not started by this user and must be rejected. If the user denied access, the callback carries error=access_denied instead of a code.

Step 4: The Client exchanges the AUTHORIZATION_CODE at the token endpoint. This is a server-to-server POST with a form-encoded body (not a browser redirect), and it is the only request in the flow that carries the client secret:

POST https://SERVICE.com/v1/oauth/token
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code&code=AUTHORIZATION_CODE&redirect_uri=CALLBACK_URL&client_id=CLIENT_ID&client_secret=CLIENT_SECRET

The redirect_uri must be identical to the one sent in Step 1, and a code is single-use and short-lived: the service answers a reused, expired, or mismatched code with error=invalid_grant.

Step 5: The Client receives a JSON response containing the Access Token, for example:

{
  "access_token": "ACCESS_TOKEN",
  "token_type": "bearer",
  "expires_in": 2592000,
  "refresh_token": "REFRESH_TOKEN",
  "scope": "read",
  "uid": 100101,
  "info": {
    "name": "Mark E. Mark",
    "email": "mark@thefunkybunch.com"
  }
}

access_token, token_type, expires_in, refresh_token and scope are the standard fields; uid and info are service-specific extras. The refresh token lets the Client obtain a new access token after expires_in seconds without sending the user through the flow again, so it must be stored as carefully as the client secret.
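The exchange above end to end, as an added example that is not code from these notes or from any particular service: an in-memory stand-in for the Service's authorize and token endpoints, and a Client that runs Steps 1 to 5 against it. The client_id, client secret and URLs are the placeholders from these notes; everything else is constructed. The checks shown are the ones a practitioner would expect each side to make: the Client verifies state before touching the code, the server refuses an unregistered redirect_uri without redirecting, requires the same redirect_uri at the token endpoint, and treats the code as single-use. The block also carries a PKCE code_challenge/code_verifier pair (RFC 7636, which the notes do not cover) so that a stolen code is useless without the verifier the Client kept.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed values: the placeholders from these notes, one client registered with the Service.
AUTHORIZE_ENDPOINT = "https://SERVICE.com/v1/oauth/authorize"
CALLBACK_URL = "https://CLIENT.com/callback"
REGISTERED_CLIENTS = {"CLIENT_ID": {"secret": "CLIENT_SECRET", "redirect_uris": {CALLBACK_URL}}}

def pkce_challenge(verifier):
    """S256 code challenge (RFC 7636): base64url(sha256(verifier)) with padding stripped."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def query_params(url):
    """Query string of a URL as {name: first value}."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}

def same(a, b):
    """Constant-time comparison for secrets and state values."""
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))

class AuthorizationServer:
    """In-memory stand-in for the Service's /authorize and /token endpoints."""
    def __init__(self):
        self._codes = {}  # issued authorization code -> what it was bound to

    def authorize(self, url, user_consents=True):
        """Steps 1-3: validate the request, ask the user, redirect back with a code."""
        p = query_params(url)
        client = REGISTERED_CLIENTS.get(p.get("client_id"))
        # An unregistered redirect_uri fails here with no redirect at all: redirecting
        # anyway would deliver the code to whatever URL the request named.
        if client is None or p.get("redirect_uri") not in client["redirect_uris"]:
            raise ValueError("unknown client_id or unregistered redirect_uri")
        state = p.get("state", "")
        if p.get("response_type") != "code":
            return p["redirect_uri"] + "?" + urlencode({"error": "unsupported_response_type", "state": state})
        if not user_consents:
            return p["redirect_uri"] + "?" + urlencode({"error": "access_denied", "state": state})
        code = secrets.token_urlsafe(32)
        self._codes[code] = {"client_id": p["client_id"], "redirect_uri": p["redirect_uri"],
                             "scope": p.get("scope", ""), "code_challenge": p.get("code_challenge"),
                             "expires": time.time() + 600, "used": False}  # codes are short-lived
        return p["redirect_uri"] + "?" + urlencode({"code": code, "state": state})

    def token(self, form):
        """Step 4: POST /token with a form-encoded body; returns the Step 5 JSON."""
        client = REGISTERED_CLIENTS.get(form.get("client_id"))
        if client is None or not same(client["secret"], form.get("client_secret", "")):
            return {"error": "invalid_client"}
        if form.get("grant_type") != "authorization_code":
            return {"error": "unsupported_grant_type"}
        rec = self._codes.get(form.get("code", ""))
        # The code must exist, be unused and unexpired, and have been issued to this
        # client for exactly this redirect_uri (RFC 6749 section 4.1.3).
        if (rec is None or rec["used"] or rec["expires"] < time.time()
                or rec["client_id"] != form["client_id"]
                or rec["redirect_uri"] != form.get("redirect_uri")):
            return {"error": "invalid_grant"}
        if rec["code_challenge"] and pkce_challenge(form.get("code_verifier", "")) != rec["code_challenge"]:
            return {"error": "invalid_grant"}  # PKCE: whoever holds the code lacks the verifier
        rec["used"] = True  # single use: a replayed code hits the check above
        return {"access_token": secrets.token_urlsafe(32), "token_type": "bearer", "expires_in": 2592000,
                "refresh_token": secrets.token_urlsafe(32), "scope": rec["scope"]}

class Client:
    """The web application; `session` is what it keeps server-side per browser session."""
    def __init__(self):
        self.session = {}

    def start_login(self, scope="read"):
        """Step 1: build the authorize URL the user's browser is redirected to."""
        self.session["state"] = secrets.token_urlsafe(16)     # CSRF token for the callback
        self.session["verifier"] = secrets.token_urlsafe(32)  # PKCE verifier, never sent here
        return AUTHORIZE_ENDPOINT + "?" + urlencode({
            "response_type": "code", "client_id": "CLIENT_ID", "redirect_uri": CALLBACK_URL,
            "scope": scope, "state": self.session["state"],
            "code_challenge": pkce_challenge(self.session["verifier"]), "code_challenge_method": "S256"})

    def handle_callback(self, callback_url, service):
        """Steps 3-5: verify state, then exchange the code at the token endpoint."""
        p = query_params(callback_url)
        # A callback whose state is not this session's is rejected before the code is used.
        if not same(p.get("state", ""), self.session.get("state", "")):
            raise ValueError("state mismatch: callback was not started by this session")
        if "error" in p:
            raise RuntimeError(p["error"])
        return service.token({"grant_type": "authorization_code", "code": p.get("code", ""),
                              "redirect_uri": CALLBACK_URL, "client_id": "CLIENT_ID",
                              "client_secret": "CLIENT_SECRET",
                              "code_verifier": self.session.pop("verifier", "")})

def run_flow(user_consents=True):
    """Drive the whole exchange; returns the token response plus the pieces worth inspecting."""
    service, client = AuthorizationServer(), Client()
    callback_url = service.authorize(client.start_login(), user_consents)
    token = client.handle_callback(callback_url, service)
    return {"token": token, "code": query_params(callback_url).get("code"), "service": service}
```

run_flow() plays the happy path; calling service.token a second time with the same code returns invalid_grant, and handing a callback from one session to a Client holding a different state raises before the code is ever sent. A real deployment replaces the in-memory AuthorizationServer with an HTTPS POST to the service's token endpoint, but the Client-side checks stay exactly as written.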

2. Client Credentials Flow

There is no user in this flow: the Client calls the token endpoint directly with grant_type=client_credentials and receives an access token that represents the Client itself, with whatever scopes the application was granted at registration.

POST https://oauth.example.com/token
Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials&client_id=CLIENT_ID&client_secret=CLIENT_SECRET

The service may instead expect client_id and client_secret in an HTTP Basic Authorization header. Either way the secret travels only over TLS, and this grant is only for confidential clients that can keep it.

3. Device Code Flow

Used for devices with no browser or limited input (TVs, consoles, CLI tools): the device shows the user a short code, and the user authorizes on a phone or laptop instead.

Step 1: The device POSTs its client_id (and optionally a scope) to the device authorization endpoint:

POST https://oauth.example.com/device
Content-Type: application/x-www-form-urlencoded

client_id=CLIENT_ID

Step 2: The endpoint returns a device_code (for the device) and a user_code (for the human):

{
  "device_code": "IO2RUI3SAH0IQuESHAEBAeYOO8UPAI",
  "user_code": "RSIK-KRAM",
  "verification_uri": "https://example.okta.com/device",
  "interval": 10,
  "expires_in": 1600
}

Step 3: The device displays verification_uri and user_code. The user opens that URL on another device, signs in, enters the user_code and approves or denies the request.

Step 4: Meanwhile the device polls the token endpoint, no more often than every interval seconds, with grant_type=urn:ietf:params:oauth:grant-type:device_code plus its device_code and client_id. The device_code is the device's secret for this exchange and is never shown to the user. Until the user decides, the token endpoint answers with error=authorization_pending; polling too fast yields error=slow_down (add 5 seconds to the interval); once expires_in seconds pass it yields error=expired_token and the device must start over from Step 1. A denial yields error=access_denied, and an approval yields the normal access token response.
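The polling exchange above, as an added example that is not part of the original notes: an in-memory stand-in for the Service's device authorization and token endpoints, the device-side loop, and a constructed clock so the whole thing runs instantly instead of sleeping. The client_id and the oauth.example.com URLs are the placeholders from these notes; the 5-second minimum interval, the slow_down back-off and the error codes follow RFC 8628, and the 1800-second lifetime is an assumption.

```python
import secrets

DEVICE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"  # grant_type value from RFC 8628
VERIFICATION_URI = "https://oauth.example.com/device"           # assumed: the page the user visits

class FakeClock:
    """Constructed for the demo so the polling loop can 'wait' without real sleeps."""
    def __init__(self):
        self.now = 0.0

    def time(self):
        return self.now

    def sleep(self, seconds):
        self.now += seconds

class DeviceAuthServer:
    """In-memory stand-in for the Service's device authorization and token endpoints."""
    MIN_INTERVAL = 5  # seconds; what the server advertises as "interval"

    def __init__(self, clock):
        self.clock = clock
        self._pending = {}  # device_code -> record of the pending authorization

    def device_authorization(self, client_id, scope="read"):
        """Steps 1-2: POST /device with client_id; returns the codes the device needs."""
        device_code = secrets.token_urlsafe(32)  # the device's secret handle, never shown
        user_code = "%s-%s" % (secrets.token_hex(2).upper(), secrets.token_hex(2).upper())
        self._pending[device_code] = {"client_id": client_id, "user_code": user_code, "scope": scope,
                                      "approved": None, "expires": self.clock.time() + 1800,
                                      "last_poll": None}
        return {"device_code": device_code, "user_code": user_code, "verification_uri": VERIFICATION_URI,
                "interval": self.MIN_INTERVAL, "expires_in": 1800}

    def user_decides(self, user_code, approve):
        """Step 3: the user, on another device, enters user_code at verification_uri."""
        for rec in self._pending.values():
            if rec["user_code"] == user_code and rec["approved"] is None:
                rec["approved"] = approve
                return True
        return False  # unknown or already-decided code

    def token(self, form):
        """Step 4: the device polls POST /token with the device_code grant."""
        if form.get("grant_type") != DEVICE_GRANT:
            return {"error": "unsupported_grant_type"}
        rec = self._pending.get(form.get("device_code", ""))
        if rec is None or rec["client_id"] != form.get("client_id"):
            return {"error": "invalid_grant"}
        now = self.clock.time()
        if now > rec["expires"]:
            del self._pending[form["device_code"]]
            return {"error": "expired_token"}
        if rec["last_poll"] is not None and now - rec["last_poll"] < self.MIN_INTERVAL:
            rec["last_poll"] = now
            return {"error": "slow_down"}  # polled faster than the advertised interval
        rec["last_poll"] = now
        if rec["approved"] is None:
            return {"error": "authorization_pending"}  # the user has not decided yet
        del self._pending[form["device_code"]]  # terminal answer: the device_code is consumed
        if not rec["approved"]:
            return {"error": "access_denied"}
        return {"access_token": secrets.token_urlsafe(32), "token_type": "bearer",
                "expires_in": 3600, "scope": rec["scope"]}

def poll_for_token(server, client_id, auth, clock, between_polls=lambda: None):
    """Device side: poll until a token, a terminal error, or expires_in runs out.
    Returns (token response, number of polls made)."""
    interval = auth["interval"]
    deadline = clock.time() + auth["expires_in"]
    polls = 0
    while clock.time() < deadline:
        between_polls()  # hook for the demo to simulate the user in the meantime
        resp = server.token({"grant_type": DEVICE_GRANT, "device_code": auth["device_code"],
                             "client_id": client_id})
        polls += 1
        if "access_token" in resp:
            return resp, polls
        err = resp.get("error")
        if err == "slow_down":
            interval += 5  # RFC 8628 section 3.5: add 5 seconds and keep polling
        elif err != "authorization_pending":
            raise RuntimeError(err)  # access_denied, expired_token, invalid_grant: start over
        clock.sleep(interval)
    raise TimeoutError("device_code expired before the user decided")

def run_device_flow(approve=True, user_decides_at=12.0):
    """Constructed scenario: the user enters the code user_decides_at seconds after the start."""
    clock = FakeClock()
    server = DeviceAuthServer(clock)
    auth = server.device_authorization("CLIENT_ID")

    def simulate_user():
        if clock.time() >= user_decides_at:
            server.user_decides(auth["user_code"], approve)  # no-op once decided

    return poll_for_token(server, "CLIENT_ID", auth, clock, simulate_user)
```

With the defaults the device polls at 0, 5 and 10 seconds and gets authorization_pending each time, the user approves at 12 seconds, and the fourth poll at 15 seconds returns the token. Calling the token endpoint twice without waiting shows the slow_down answer, and a user who never decides ends in expired_token on the server side and a timeout in the loop.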

Access Token Usage:

The Client calls an API endpoint on the Resource Server with the access token in the Authorization header as a bearer token, and gets back the user's data that the token's scope allows. Bearer means possession is proof: anyone holding the token can use it, so it is sent only over TLS and never in a URL query string, where it would end up in logs and browser history.

curl -H "Authorization: Bearer ACCESS_TOKEN" "https://api.digitalocean.com/v2/$OBJECT"