Introduction to OAuth 2.0 with Rollup ID
OAuth 2.0, standing for "Open Authorization", is a standard protocol designed to allow an application to access resources hosted by other applications on behalf of a user. As the de facto industry standard for online authorization since 2012, OAuth 2.0 provides consented access and restricts what actions the client application can perform on resources on behalf of the user, without ever sharing the user's credentials.
While the web is the primary platform for OAuth 2.0, the specification also caters to other client types such as browser-based applications, server-side web applications, native/mobile apps, connected devices, and more.
Understanding OAuth 2.0 with Rollup ID
OAuth 2.0 is an authorization protocol, not an authentication protocol. It is primarily designed as a means of granting access to a set of resources, such as remote APIs or user data.
OAuth 2.0 uses Access Tokens, which are pieces of data that represent the authorization to access resources on behalf of the end-user. OAuth 2.0 doesn't define a specific format for Access Tokens, but the JSON Web Token (JWT) format is often used. This allows token issuers to include data in the token itself. For security reasons, Access Tokens may have an expiration date.
Roles in OAuth 2.0 with Rollup ID
The idea of roles is part of the core specification of the OAuth 2.0 authorization framework. These define the essential components of an OAuth 2.0 system:
- Resource Owner: The user or system that owns the protected resources and can grant access to them.
- Client: The client is the system that requires access to the protected resources. To access resources, the Client must hold the appropriate Access Token.
- Authorization Server: This server receives requests from the Client for Access Tokens and issues them upon successful authentication and consent by the Resource Owner. The authorization server exposes two endpoints: the Authorization endpoint, which handles the interactive authentication and consent of the user, and the Token endpoint, which is involved in a machine-to-machine interaction.
- Resource Server: A server that protects the user’s resources and receives access requests from the Client. It accepts and validates an Access Token from the Client and returns the appropriate resources to it.
Scopes in OAuth 2.0 with Rollup ID
Scopes are an important concept in OAuth 2.0. They are used to specify exactly the reason for which access to resources may be granted. Acceptable scope values, and which resources they relate to, are dependent on the Resource Server.
Access Tokens, Authorization Code, and OAuth 2.0 with Rollup ID
The OAuth 2.0 Authorization Server may not directly return an Access Token after the Resource Owner has authorized access. Instead, and for better security, an Authorization Code may be returned, which is then exchanged for an Access Token. In addition, the Authorization Server may also issue a Refresh Token alongside the Access Token. Unlike Access Tokens, Refresh Tokens normally have long expiry times and may be exchanged for new Access Tokens when the latter expire. Because Refresh Tokens have these properties, they have to be stored securely by clients.
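The Resource Server's side of the above, as an added example that is not Rollup ID's code: a toy Authorization Server mints a short-lived JWT Access Token, and a Resource Server accepts it only if the signature checks out, it has not expired, and it carries the scope the protected resource requires. It assumes an HS256 key shared between the two servers and a space-separated `scope` claim; both are assumptions made for the example, and real deployments commonly use asymmetric keys so the Resource Server holds only a public key.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key shared by the Authorization Server and Resource Server
# (assumption for this example: symmetric HS256 signing).
SHARED_KEY = b"demo-shared-key-not-for-production"


class TokenError(Exception):
    """Raised by the Resource Server when a token must be rejected."""


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, scope: str, lifetime: int, key: bytes = SHARED_KEY, now=None) -> str:
    """Authorization Server side: mint a JWT Access Token that expires after `lifetime` seconds."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": subject, "scope": scope, "iat": now, "exp": now + lifetime}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    signature = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


def validate_token(token: str, required_scope: str, key: bytes = SHARED_KEY, now=None) -> dict:
    """Resource Server side: return the claims only if signature, expiry and scope all pass."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:
        raise TokenError("malformed token")
    # Pin the algorithm we expect instead of trusting whatever the token header says.
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise TokenError("bad signature")
    try:
        claims = json.loads(_b64url_decode(claims_b64))
    except ValueError:
        raise TokenError("malformed token")
    # Expiry is enforced here, on the Resource Server, on every request.
    if now >= claims.get("exp", 0):
        raise TokenError("token expired")
    # Scope values and their meaning are defined by this Resource Server.
    granted = set(claims.get("scope", "").split())
    if required_scope not in granted:
        raise TokenError(f"missing scope {required_scope}")
    return claims


def inspect(token: str, required_scope: str, key: bytes = SHARED_KEY, now=None) -> str:
    """Convenience wrapper: 'ok' or the reason the Resource Server rejected the token."""
    try:
        validate_token(token, required_scope, key, now)
        return "ok"
    except TokenError as exc:
        return str(exc)


if __name__ == "__main__":
    tok = issue_token("user-123", "profile email", lifetime=600)
    print(inspect(tok, "email"))            # ok
    print(inspect(tok, "admin"))            # missing scope admin
    print(inspect(tok, "email", now=int(time.time()) + 601))  # token expired
```

The order of checks matters: the signature is verified before any claim is read, so nothing in the payload is trusted until it is known to come from the Authorization Server.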
How Does OAuth 2.0 Work with Rollup ID?
At the most basic level, before OAuth 2.0 can be used, the Client must acquire its own credentials, a client id and client secret, from the Authorization Server in order to identify and authenticate itself when requesting an Access Token.
Using OAuth 2.0, access requests are initiated by the Client, e.g., a mobile app, website, smart TV app, desktop application, etc. The token request, exchange, and response follow this general flow:
- The Client requests authorization (authorization request) from the Authorization server, supplying the client id and secret as identification; it also provides the scopes and an endpoint URI (redirect URI) to send the Access Token or the Authorization Code to.
- The Authorization server authenticates the Client and verifies that the requested scopes are permitted.
- The Resource owner interacts with the Authorization server to grant access.
- The Authorization server redirects back to the Client with either an Authorization Code or Access Token, depending on the grant type. A Refresh Token may also be returned.
- With the Access Token, the Client requests access to the resource from the Resource server.
Grant Types in OAuth 2.0 with Rollup ID
In OAuth 2.0, grants are the set of steps a Client has to perform to get resource access authorization. The authorization framework provides several grant types to address different scenarios:
- Authorization Code grant: The Authorization server returns a single-use Authorization Code to the Client, which is then exchanged for an Access Token. This is the best option for traditional web apps where the exchange can securely happen on the server side.
- Authorization Code Grant with Proof Key for Code Exchange (PKCE): This authorization flow is similar to the Authorization Code grant, but with additional steps that make it more secure for mobile/native apps and SPAs.
- Resource Owner Credentials Grant Type: This grant requires the Client first to acquire the resource owner’s credentials, which are passed to the Authorization server.
- Client Credentials Grant Type: Used for non-interactive applications, e.g., automated processes, microservices, etc.
- Refresh Token Grant: The flow that involves the exchange of a Refresh Token for a new Access Token.
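The general flow described above and the Authorization Code grant with PKCE, driven end to end in one process as an added example (this is illustrative code, not Rollup ID's implementation). A toy Authorization Server holds the client registry and the pending single-use codes; a toy confidential web Client sends the authorization request with a `state` value and an S256 `code_challenge`, checks `state` on the redirect, and exchanges the code at the Token endpoint with its client secret and `code_verifier`. The client id, secret and redirect URI are constructed values.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


def b64url(data: bytes) -> str:
    """Unpadded base64url, the encoding PKCE requires for the S256 challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


class AuthorizationServer:
    """Toy Authorization Server (constructed for this example)."""

    def __init__(self, clients: dict):
        self.clients = clients  # client_id -> {"secret": str, "redirect_uris": [str]}
        self.codes = {}         # single-use Authorization Code -> what it was issued for

    def authorize(self, params: dict, consent: bool) -> dict:
        """Authorization endpoint: Resource Owner grants or denies, then redirect back."""
        client = self.clients.get(params.get("client_id"))
        # Redirect only to a URI registered for this client; otherwise fail in place.
        if client is None or params.get("redirect_uri") not in client["redirect_uris"]:
            return {"error": "invalid_request"}
        if params.get("code_challenge_method") != "S256" or not params.get("code_challenge"):
            return {"error": "invalid_request"}
        if not consent:
            query = {"error": "access_denied", "state": params["state"]}
            return {"redirect": params["redirect_uri"] + "?" + urlencode(query)}
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": params["client_id"], "redirect_uri": params["redirect_uri"],
                            "scope": params["scope"], "code_challenge": params["code_challenge"]}
        return {"redirect": params["redirect_uri"] + "?" + urlencode({"code": code, "state": params["state"]})}

    def token(self, params: dict) -> dict:
        """Token endpoint: machine-to-machine exchange of the code for tokens."""
        grant = self.codes.pop(params.get("code"), None)  # pop: a code can be redeemed once
        if grant is None:
            return {"error": "invalid_grant"}
        client = self.clients[grant["client_id"]]
        # Confidential client: it must authenticate with the secret it was issued.
        if params.get("client_id") != grant["client_id"] or not secrets.compare_digest(
                params.get("client_secret", ""), client["secret"]):
            return {"error": "invalid_client"}
        if params.get("redirect_uri") != grant["redirect_uri"]:
            return {"error": "invalid_grant"}
        # PKCE: the verifier must hash to the challenge sent with the authorization request.
        expected = b64url(hashlib.sha256(params.get("code_verifier", "").encode()).digest())
        if not secrets.compare_digest(expected, grant["code_challenge"]):
            return {"error": "invalid_grant"}
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer", "expires_in": 600,
                "scope": grant["scope"], "refresh_token": secrets.token_urlsafe(32)}


class Client:
    """Toy confidential web Client (constructed); id and secret come from registration."""

    def __init__(self, client_id: str, client_secret: str, redirect_uri: str):
        self.client_id, self.client_secret, self.redirect_uri = client_id, client_secret, redirect_uri
        self.state = self.code_verifier = ""
        self.last_code = None

    def authorization_request(self, scope: str) -> dict:
        """Fresh state (binds the redirect to this request) and PKCE verifier per attempt."""
        self.state = secrets.token_urlsafe(16)
        self.code_verifier = secrets.token_urlsafe(48)
        challenge = b64url(hashlib.sha256(self.code_verifier.encode()).digest())
        return {"response_type": "code", "client_id": self.client_id, "redirect_uri": self.redirect_uri,
                "scope": scope, "state": self.state,
                "code_challenge": challenge, "code_challenge_method": "S256"}

    def token_request(self, code) -> dict:
        return {"grant_type": "authorization_code", "code": code, "redirect_uri": self.redirect_uri,
                "client_id": self.client_id, "client_secret": self.client_secret,
                "code_verifier": self.code_verifier}

    def handle_redirect(self, redirect_url: str, server: AuthorizationServer) -> dict:
        """Verify state, then exchange the code at the Token endpoint (server-side step)."""
        query = {k: v[0] for k, v in parse_qs(urlparse(redirect_url).query).items()}
        if not secrets.compare_digest(query.get("state", ""), self.state):
            return {"error": "state_mismatch"}  # response was not bound to our request
        if "error" in query:
            return {"error": query["error"]}
        self.last_code = query["code"]
        return server.token(self.token_request(self.last_code))


def run_flow(consent: bool = True) -> tuple:
    """Drive the whole exchange in-process; returns (token response, replay attempt)."""
    server = AuthorizationServer({"app-1": {"secret": "s3cret", "redirect_uris": ["https://app.example/cb"]}})
    client = Client("app-1", "s3cret", "https://app.example/cb")
    outcome = server.authorize(client.authorization_request("profile email"), consent)
    if "error" in outcome:
        return outcome, None
    first = client.handle_redirect(outcome["redirect"], server)
    replay = server.token(client.token_request(client.last_code))  # second redemption of a spent code
    return first, replay


if __name__ == "__main__":
    print(run_flow())  # ({'access_token': ..., 'token_type': 'Bearer', ...}, {'error': 'invalid_grant'})
```

Three defender-side checks carry the flow: the Authorization endpoint refuses to redirect anywhere except a registered URI, the Client refuses a redirect whose `state` it did not generate, and the Token endpoint refuses a code that has already been redeemed or whose `code_verifier` does not match the challenge.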
To learn more about OAuth 2.0 and its application in Rollup ID, continue exploring our documentation and resources.