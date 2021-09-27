With modern life increasingly depending on accounts in different digital services, the possibility of accessing services from a single credential is something that attracts many users. What a lot of people don’t know is that this process is done using a specific protocol, called OAuth 2 — which, of course, is the evolution of OAuth.

You’ve probably already clicked on a button that says “Log in with your Google account” or “Log in with your Facebook account” when you are on a website, to avoid having to re-register with a password and the like in a service. In this case, you are authorizing a third-party application to use the resources of your Google or Facebook accounts as credentials. This constitutes the OAuth 2 protocol.

The Auth 2 is an authorization protocol that allows one application to authenticate itself to another, as seen in the example above. It is important to note that the protocol gives limited access to these applications, just to allow users to authenticate. This protocol is used in the most diverse types of authentication, such as login screens and Application Programming Interface (APIs) authentication.

One of the differentials of this method, in addition to allowing users to access accounts without needing a specific credential for that service, is that once a permission is granted, even if the user changes the application's password, they can continue using that service without needing to re-authenticate. Likewise, permissions can be revoked at any time. Differences between OAuth 1 and OAuth 2

However, how the number after the protocol name indicates, OAuth 2 is not the first version of this system. OAuth 1.0 was created in November 2006, and is not compatible with the second version of the protocol, available at 2012.

Although their functions are similar, there are a number of fundamental differences between the two versions. We list them below:

Less need to use third-party applications for authentication : In OAuth 1.0, desktop or mobile apps needed to direct the user to open the browser to the desired service, authenticate with the service, and copy the service token back to the app. With OAuth 2.0, there are now new ways for an app to get authorization for a user, without having to open external apps;

: In OAuth 1.0, desktop or mobile apps needed to direct the user to open the browser to the desired service, authenticate with the service, and copy the service token back to the app. With OAuth 2.0, there are now new ways for an app to get authorization for a user, without having to open external apps; Availability in non-encrypted applications : OAuth 2.0 no longer requires client applications to be encrypted, allowing requests to be made only with the token issued over HTTPS, unlike the first version, which required token encryption processes before its use;

: OAuth 2.0 no longer requires client applications to be encrypted, allowing requests to be made only with the token issued over HTTPS, unlike the first version, which required token encryption processes before its use; Less complex signatures: OAuth 2.0 signatures are much less complicated, requiring no parsing, sorting, or special coding. The first version had all these complications, causing many services not to adopt it due to insecurity regarding the protocol implementation process;

Better separation of roles: Finally, OAuth 2.0 has a clear separation of roles between the server responsible for handling OAuth requests and the server responsible for user authorization, making the data flow more organized. In the first version, everything was done together, complicating several processes.

How it works?

The OAuth 2 protocol acts on 4 roles, where each of them has its own mission in the protocol authentication. The 4 roles are:

Owner of the Resource: person or entity that grants access to your data. Also called resource owner.

Customer : is the application that interacts with the Resource Owner, such as the browser, speaking in the case of a web application. It is classified in two ways: Confidential Client, which is able to maintain the confidentiality of credentials; and Public Client, who cannot maintain their confidentiality;

Resource Server: the API that is exposed on the internet and needs data protection. To gain access to its content, a token that is issued by the authorization server is needed.

Authentication Server: responsible for authenticating the user and issuing access tokens. It is he who has the information of the resource owner (the user), authenticates and interacts with the user after identifying the client.

Illustration demonstrating the flow of the authorization process. (Image: Reproduction/TreinaWeb)

These four roles play important roles in the entire protocol authentication flow, which we list below:

The Client requests authorization from the Resource Owner to access its resources;

If the Resource Owner has authorized access, the Client receives a guarantee of authorization. This credential represents the authorization granted by the Resource Owner;

The Client requests an access token to the Authentication Server, sending the authorization guarantee;

Assuming that the Client was successfully authorized and that the authorization guarantee is valid, the Authentication Server generates an access token and sends it to the Client;

The Client requests access to a resource protected by the Resource Server, and authenticates with the access token;

Assuming that the token is valid, the Resource Server responds to the Client’s request by serving the requested resource, now allowing the user to access the service. The authorization guarantee, mentioned in the second step of the flow , also has some variations, which define how the authentication process will be done. They are as follows:

Implicit : used for web clients, that is, which are accessed by browsers. This authorization guarantee is only valid for the user, not for the customer as a whole;

Code de Authentication: obtained using an authentication server as an intermediary between the client and the user, in situations where applications asking for permission are not trusted;