OAUTH2

Problems Without OAUTH2

  • With HTTP Basic authentication, the client has to send the user credentials with every request, and the authentication logic has to execute on every request. With this approach we end up sending the credentials over the network very often.

  • In an environment with multiple applications inside an organization, users have to register and maintain different credentials (or the same credentials stored in different databases). The authentication and authorization logic, and the security standards behind it, end up duplicated across all of those applications.

  • When interacting with third-party applications, users have to hand the credentials of the main application to the third party so it can log in and work with the main application on their behalf. This is a serious security risk if the third party misuses those user credentials.

OAUTH2 Introduction

  • OAuth stands for Open Authorization. It's a free and open protocol, built on IETF standards and licenses from the Open Web Foundation.
  • OAUTH 2.0 is a delegation protocol, which means letting someone who controls a resource allow a software application to access that resource on their behalf without impersonating them.

    • For example: in our Spring Security application, instead of maintaining both the authentication logic and the business logic inside the same application/server, OAuth2 lets another application handle authorization before the client is allowed to access protected resources. This happens mostly with the help of tokens.
    • Another example: an application like SonarCloud can analyze our source code hosted on GitHub, but to do so it must be allowed to pull that source code from GitHub. GitHub therefore exposes an authorization server to SonarCloud. SonarCloud's login page redirects the user to GitHub's login, where GitHub validates the user's credentials. GitHub then issues a token to SonarCloud, which SonarCloud uses to pull the user's source code.
  • According to the OAuth 2.0 specification, it enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf.

  • In the OAuth world, a client application wants to gain access to a protected resource on behalf of a resource owner (usually an end user). For this, the client application interacts with the authorization server to obtain a token.
  • In many ways, you can think of an OAuth token as an access card at an office or hotel. Such tokens provide limited access to someone without handing over full control in the form of a master key.
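As an added illustration (not part of the original notes, and not Spring Security or GitHub code), here is a minimal in-memory simulation of the delegation described above: the resource owner authenticates only at the authorization server, the client redeems an authorization code with its own client secret, and the resource server accepts the resulting token only for the scope it was issued with. The user name, client id, secret and redirect URL are constructed placeholders.

```python
import secrets
import time

# Constructed in-memory stores (placeholders); a real authorization server persists these.
USERS = {"alice": "correct-horse"}            # resource owner credentials, held by the AS only
CLIENTS = {"sonar-app": {"secret": "s3cr3t", "redirect_uri": "https://sonar.example/cb"}}
AUTH_CODES = {}  # code  -> (username, client_id, scope, expiry)
TOKENS = {}      # token -> (username, client_id, scope, expiry)


def authorize(username, password, client_id, redirect_uri, scope):
    """Authorization endpoint: the resource owner logs in at the authorization server,
    never at the client, and approves a limited scope. Returns a short-lived, single-use code."""
    client = CLIENTS.get(client_id)
    if client is None or client["redirect_uri"] != redirect_uri:
        raise PermissionError("unknown client or redirect_uri mismatch")
    if USERS.get(username) != password:
        raise PermissionError("invalid resource owner credentials")
    code = secrets.token_urlsafe(16)
    AUTH_CODES[code] = (username, client_id, scope, time.time() + 60)
    return code


def exchange_code(code, client_id, client_secret):
    """Token endpoint: the client redeems the code with its own client secret. The
    token it receives is bound to the approved scope; the user's password never reaches it."""
    client = CLIENTS.get(client_id)
    if client is None or not secrets.compare_digest(client["secret"], client_secret):
        raise PermissionError("client authentication failed")
    username, bound_client, scope, expiry = AUTH_CODES.pop(code, (None, None, None, 0))
    if username is None or bound_client != client_id or expiry < time.time():
        raise PermissionError("invalid, expired or replayed authorization code")
    token = secrets.token_urlsafe(24)
    TOKENS[token] = (username, client_id, scope, time.time() + 3600)
    return token


def resource_server(token, required_scope):
    """Resource server (GitHub in the example above): accepts the token like an access
    card, but only for the scope it was issued with. Returns None when access is denied."""
    entry = TOKENS.get(token)
    if entry is None or entry[3] < time.time():
        return None
    username, _, scope, _ = entry
    if required_scope not in scope.split():
        return None
    return f"repositories of {username}"
```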

OAUTH2 Details

References