Understanding OAuth 2.0 with the help of AI
HidetoshiYanagisawa
Posted on August 4, 2023
Recently, I started using OAuth 2.0 in my work. I found that I didn't fully understand the specifics, so I asked AI (ChatGPT) to explain it to me. I would like to share what I learned.
Table of Contents
- What is OAuth 2.0?
- The OAuth 2.0 Flow
- Explaining OAuth 2.0 in a way even a child could understand
- Famous services using OAuth 2.0
- An example of OAuth 2.0
- Summary
What is OAuth 2.0?
OAuth 2.0 (Open Authorization version 2.0) is an open authorization protocol that allows third-party applications to access services on behalf of the user, without the user having to hand their account credentials to the application directly. It is a common method for integrating with other applications by sharing a limited set of information.
The OAuth 2.0 Flow
The OAuth 2.0 flow is as follows:
- Authorization Request: The user is redirected from the application to the authorization server.
- Authorization: The user logs in to the authorization server and grants access to the resources requested by the client.
- Authorization Response: The authorization server redirects the user back to the client's redirect URI, which includes an authorization code.
- Access Token Request: The client uses the authorization code to request an access token from the authorization server.
- Access Token Response: The authorization server returns an access token to the client.
- Resource Request and Response: The client uses the access token to request resources from the resource server. The resource server verifies the access token and provides the requested resources.
Explaining OAuth 2.0 in a way even a child could understand
- Ordering Ice Cream: You (the user) ask your friend (the application) to get ice cream (the data) through your mom (Google or Facebook).
- Asking Mom: Your friend (the application) asks your mom (Google or Facebook) for permission to get ice cream (the data).
- Getting an Ice Cream Coupon: Mom gives your friend (the application) an ice cream coupon (the authorization code).
- Exchanging the Coupon for an Ice Cream Ticket: Your friend (the application) takes the ice cream coupon (the authorization code) back to your mom (Google or Facebook), who swaps it for an ice cream ticket (the access token).
- Getting the Ice Cream: The ice cream shop (the resource server) checks the ice cream ticket (the access token) and gives the ice cream (the data) to your friend (the application).
Famous services using OAuth 2.0
OAuth 2.0 is widely used in many famous websites and applications, including Google, Facebook, Twitter, and GitHub.
An example of OAuth 2.0
Here's a simple example of OAuth 2.0 using Node.js and Express:
const express = require('express');
const request = require('request'); // note: the 'request' package is deprecated, kept here as in the original sample
const querystring = require('querystring');
const crypto = require('crypto');

const app = express();

// Placeholders: replace with the authorization server's real endpoints and
// the client credentials it issued to this application.
const AUTHORIZE_URL = 'https://authorize.url';
const TOKEN_URL = 'https://api.token.url';
const CLIENT_ID = 'client_id';
const CLIENT_SECRET = 'client_secret';
const REDIRECT_URI = 'http://localhost:8888/callback';

// 'state' values for logins this server started, so a callback can be
// matched to a request we actually made.
const pendingStates = new Set();

// Authorization Request: send the user to the authorization server.
app.get('/login', function (req, res) {
  const state = crypto.randomBytes(16).toString('hex');
  pendingStates.add(state);
  res.redirect(AUTHORIZE_URL + '?' +
    querystring.stringify({
      response_type: 'code',
      client_id: CLIENT_ID,
      redirect_uri: REDIRECT_URI,
      scope: 'user-read-private user-read-email',
      state: state
    }));
});

// Authorization Response, then Access Token Request and Response.
app.get('/callback', function (req, res) {
  const code = req.query.code || null;
  const state = req.query.state || null;

  // Reject callbacks that carry no code or a 'state' we did not issue
  // (this is the CSRF protection RFC 6749 requires of clients).
  if (code === null || state === null || !pendingStates.has(state)) {
    res.redirect('/#' + querystring.stringify({ error: 'state_mismatch' }));
    return;
  }
  pendingStates.delete(state); // each state value is accepted once

  const authOptions = {
    url: TOKEN_URL,
    form: {
      code: code,
      redirect_uri: REDIRECT_URI,
      grant_type: 'authorization_code',
      client_id: CLIENT_ID,
      client_secret: CLIENT_SECRET
    },
    json: true
  };
  request.post(authOptions, function (error, response, body) {
    if (!error && response.statusCode === 200) {
      const access_token = body.access_token;
      // Passes the token to the front end in the URL fragment, as the original
      // sample does; any script running on that page can read it, so real
      // deployments usually keep the token server-side instead.
      res.redirect('/#' + querystring.stringify({ access_token: access_token }));
    } else {
      res.redirect('/#' + querystring.stringify({ error: 'invalid_token' }));
    }
  });
});

app.listen(8888, function () {
  console.log('Listening on 8888');
});
In this code, the user is first redirected to the authorization server by accessing the /login endpoint. After the user grants access, the authorization server redirects the user back to the /callback endpoint with an authorization code, which the callback exchanges for an access token at the token endpoint.
Summary
OAuth 2.0 is a common method for third-party applications to access services on behalf of a user without the user having to provide their account information directly. In this article, we've gone through the basic flow and provided a sample code. Now you should have a better understanding of how OAuth 2.0 works.