OAuth: The Authorization Framework

Introduction

In this lesson, we'll explore a popular framework that builds on top of the security protocols we mentioned previously and extends them to implement authorization. Such an extension is necessary because the protocols we studied earlier (HTTP authentication, API keys, JWTs) by themselves are not sufficient and have limitations, such as:

• Using API keys as a standalone authentication mechanism isn't sufficient because they require a solution for their secure transmission.

• Repeated transmission of tokens for authentication increases the probability of interception by an attacker.

These and other issues require that frameworks embed individual protocols to formulate a complete solution that is able to achieve security goals effectively. One benefit of having a standard authorization mechanism is that security experts can vet out complex security issues instead of everyone inventing their own solutions that might have security bugs. One of these frameworks is OAuth 2.0. OAuth 2.0, a shortened name for Open Authorization 2.0, is the preferred way of authorizing access to an API. It's a technological standard that allows applications to access resources hosted by other web apps through an API on behalf of a user.

Let's begin by expanding on OAuth 2.0.

What is OAuth 2.0?

OAuth 2.0 is an industry-standard implementation of token-based authorization that was developed through a collaboration between Google and Twitter in 2010. It’s built on top of OAuth 1.0, which was developed in 2007. Using OAuth, we can allow access to specific information to API clients without exposing the user's credentials. This information can be used to create accounts on third-party applications without the need for sharing sensitive user credentials (like passwords).