Open Authorization (OAuth) is an authorization framework that allows a client application to retrieve information from another system using a token that is valid for a limited time. The application users authorize the client application to retrieve information on their behalf.
The following are the main components of OAuth:
Resource owner: This is the owner of the resource that is accessed.
Client: This is the application that accesses the resource on behalf of the resource owner.
Access token: This is a string that represents an authorization issued to the client.
Resource server: This is the server that hosts the protected resources. It is capable of accepting and responding to requests by clients using access tokens.
Authorization server: This is the server that issues access tokens after it successfully authenticates a client and resource owner.
Authorization grant: This is a credential that represents the resource owner’s authorization (to access its protected resources) used by the client to obtain an access token.
Scope: This defines which resources can be accessed using a given access token.
OAuth works in the following manner:
The resource owner (user) asks for a service from a client.
The client asks the authorization server for access to the resource.
The authorization server prompts the user to approve or deny the client's request to access the resource.
The user confirms that the client's request is expected and grants authorization; the authorization server records this grant for the client.
The authorization server provides the client with the authorization code.
The client exchanges the authorization code for the access token.
The client provides the access token to the resource server.
On the validation of the access token, the resource is provided to the client.
Finally, the user is able to access the services of the client that can access the secured resources on behalf of the user.
The flow above is referred to as the authorization code flow. In the implicit flow there is no authorization code to exchange: the access token is returned directly from the authorization server without the separate exchange step.
Note: The authorization code flow is more secure than the implicit flow. In the implicit flow the access token itself is returned through the user's browser, where unauthorized parties may be able to obtain and use it. The implicit flow is therefore only suited for short-lived access tokens.
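The authorization code flow described in the steps above, modelled as an added example (not code from the original text or from any OAuth library): the authorization server issues a short-lived, single-use code bound to the client and redirect URI, exchanges it for a scoped access token only after authenticating the client, and the resource server checks validity, expiry and scope before releasing the resource. The class names, the in-memory stores and the shared token store used for validation are assumptions.

```python
import secrets

# Added example (not from the page): an in-memory model of the OAuth
# authorization code flow. Class and method names are assumptions.

class AuthorizationServer:
    def __init__(self):
        self.clients = {}   # client_id -> (client_secret, redirect_uri)
        self.codes = {}     # code -> grant details (single-use, short-lived)
        self.tokens = {}    # access_token -> dict(scope, user, exp)

    def register_client(self, client_id, client_secret, redirect_uri):
        self.clients[client_id] = (client_secret, redirect_uri)

    def authorize(self, client_id, redirect_uri, scope, user, now):
        """Steps 3-5: the resource owner approved; issue a single-use code."""
        _, registered_uri = self.clients[client_id]
        if redirect_uri != registered_uri:
            raise ValueError("redirect_uri does not match the registered one")
        code = secrets.token_urlsafe(16)
        self.codes[code] = dict(client_id=client_id, redirect_uri=redirect_uri,
                                scope=scope, user=user, exp=now + 60)
        return code

    def token(self, code, client_id, client_secret, redirect_uri, now):
        """Step 6: exchange the code for an access token (client authenticates)."""
        grant = self.codes.pop(code, None)   # pop: a code can only be used once
        if grant is None or grant["exp"] < now:
            raise PermissionError("invalid or expired authorization code")
        secret, _ = self.clients.get(client_id, (None, None))
        if (grant["client_id"], grant["redirect_uri"]) != (client_id, redirect_uri) \
                or secret is None or not secrets.compare_digest(secret, client_secret):
            raise PermissionError("client authentication failed")
        token = secrets.token_urlsafe(32)
        self.tokens[token] = dict(scope=set(grant["scope"]), user=grant["user"], exp=now + 3600)
        return token

class ResourceServer:
    def __init__(self, auth_server):
        self.auth = auth_server   # assumption: validates tokens via a shared store

    def read(self, token, required_scope, now):
        """Steps 7-8: validate the token and its scope before releasing the resource."""
        info = self.auth.tokens.get(token)
        if info is None or info["exp"] < now:
            raise PermissionError("invalid or expired access token")
        if required_scope not in info["scope"]:
            raise PermissionError("insufficient scope")
        return f"profile of {info['user']}"
```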