OAuth 2.0 is the industry-standard protocol for authorization. OAuth 2.0 supersedes the work done on the original OAuth protocol created in 2006.
The new version focus on client develop simplicity, and provides specific flows for Web, Desktop and Mobile developments.
Is the application that is attempting to get access to the user’s account. It needs to get permission from the user before it can do so.
This is the server or service used to access user’s information through an API.
This server presents the interface where the user approves or denies the request. In smaller implementations, this may be the same server as the API server, but larger scale deployments will often build this as a separate component.
The resource owner is the person who is giving access to some portion of their account.
You can implement this abstract flow in different ways based on the target architecture: Web Application and Client Application. Where the first one could be any of common web sites that allow us to login using our Facebook or Twitter user, and the last one could be a mobile or desktop app.
In both cases, before start using oAuth, you need to register the application in the Service Provide system, that way you will obtain a client_id and client_secret. The client_secret should be kept confidential and only used between application and Service Provider.
Once you have registered your app, the first step is to get authorization from the user.
This is usually accomplished by displaying an interface provided by the service to the user.
The version 2 provides several “grant types” for different use cases. The grant types defined are:
The first step is create a login link to redirect a user to Auth Server where will be authenticated. This link might include the callback URL (this could vary depends on server implementations, some systems require the callback URL in the app registration form). This is the URL user will be redirected to after login.
In case of success this redirect will include a Grant Code, that will be needed in the Token Exchange step.
After a succeed login, with Grant Code and Access Token the client app, will request the access token, that will be used as credential on future request.
Hope this roughly overview brought up some light into the oAuth Protocol concepts. In the next episode, I will bring you a practical example of how to implement a client module with erdiko/authenticate package.