OAuth 2.0 (Open ID Connect)

The problem scenario?

When did you start using internet? Can you remember the good old times you maintained different accounts for different  web sites or applications. I remember myself using yahoo mail account and google account in my school times. I used both accounts to register in web applications and web sites like eBay, online game applications and other stuff. All of them were rarely used, so that I always forgot which account I used to register and had to try with both in most of the times. That was not that much of headache since I used only these two for applications. 

At the start I made my life so easy by using same password for all accounts. At that time little me only considered about the easy life, not knowing what happens after the computer monitor. But now it is clear how dangerous is that for the security. Once a hacker hacks my password, (which was not so hard to attack in my case, because that was a time where I used to click on every popup, attractive links and give my credentials to any crap) he is pretty much welcome to access all of my accounts. Now that is a little headache.

Then I started to change the passwords for each accounts. That was a pretty hard work like doing an examination. (Even more!) I even didn't know which applications I have registered for. The hardest part was to remember the passwords for them. I had to write them in a book and keep it. Nightmare!!!
Still it is the most unsecured way to have all the passwords written in a book, unless I locked it in a safe. It really is a nightmare in the point of security view.

Soon came the age of collaboration. Since then nor web application neither mobile applications work alone. Now every one share information between everyone. But at the start, can you remember sharing your email password for other web applications or one application's password to other so that they (the other application) can get access to your information in first application. Isn't it a real nightmare. There the fox in the hen house. !!!!

Last but not least, how about the number of keystrokes, when logging in to different applications with those accounts. Even though you used one email and one password, (which is highly insecure), you will have to stroke at least 30-50 keys to login. That's another good headache, if you are a person who will have to switch between applications for your own work.

Solution from OAuth 2.0

Well, that good old times are no more as it was. The world is not so scary in the context we discussed above. (Moral : The world will never change, only the way it looks, the way we realize the lie and illusions will. So it is scary forever in other contexts.)

If you are some one who started use or interact with web applications after 2008 (when oauth was introduced), you may not know anything mentioned above. If so, you may have felt, what the heck was that at that time. It is because now every one use OAuth2.0.

In the current scenario,

  • It is just one click to join or login any application you want. 
  • You don't have to reveal your password to applications. [Authentication]
  • You can decide what level of access the application have to your information. [Authorization]
    • Ex : Whether the application can access your Facebook 'About' information, photos, friends etc.
    • Whether the application can post on your wall etc.
  • You can revoke the access to your data at anytime.
Because of this setup in the internet community, you are discouraged positively for not to reuse same password. Because now you will have to remember only few passwords. (Actually less than 5).  You can use other web applications and web sites you can use sharing the information (technically "claims") of those few accounts like google, Facebook, Microsoft etc. accounts, which are trusted by all around the world. 

Example of the solution.

See the example from here.

What is OAuth 2.0?

Simply OAuth is the solution for above mentioned problems. But OAuth 1.0 (First version of OAuth)had its own flaws as well. OAuth 2.0 is the current giant, used all over the world for Authentication and Authorization. 

In the scenario there will be an agent that you trust in all cases. You trust this agent, for that it is a good trusted fellow through out the world. Think about Facebook, Google, Microsoft (Outlook). Will you send private and confidential mails unless you trust them. Or would you share your information with Facebook if it was untrusted. By all means you trust them. You have an account there. You have a user name and password for that. Since it is only two words, you can easily remember them. No other know them unless you deliberately let some one. That is the trust you should have with some one you do business. 

Service providers (web applications like kaggle) are untrusted. There are millions of applications in the internet. A quiet a lot is developed by hackers to hack information of users. That is why a user should use a trusted party like Google for identity management. 

What is not OAuth 2.0?

Why you should use OAuth 2.0?

If you are just an user you should use OAuth for the security of your identity information. Don't forget at every seconds, there are millions of attempts from hackers at all levels to steal your identity. Hand the security over to professionals and trusted services. 

If you are a developer, mobile apps, webapps or any other keep in mind, that mindful users will have the same suspicious towards you when they got to know your app for the first time. The best way of convincing than that you are not evil  is to provide the security they need for their identity information. There is no other best option than OAuth.

NOTE : If you are a user of web applications who just wants to know what the heck is OAuth 2.0 and is not curious about its implementation, I hope that you have gain the full knowledge you need by now. You can stick to read if you are a developer or buddy engineer of applications. Hop that you will able to handle whole OAuth flow throughout your application successfully. At the same time you will be able to understand how it works. I will consider you as a developer here onward.

How does it work?

How to include OAuth 2.0 in your application? I will cover two ways of doing this. 
  1. Use OAuth 2.0 it self in the code.
  2. Use WSO2 Identity-server.
Use OAuth 2.0 it self in your application

We will use Google API for OAuth in this example. Following is the pure JavaScript flaw.
  1. Register you application at Google Developers console as described from here. 

Key Words in the context

  • Roles
  • Authorization Grant
    • Authorization Code
    • Implicit
    • Resource Owner Password Credentials
    • Client Credentials
  • Access Token
  • Refresh Token

1 comment: