Understanding OAuth 2.0
OAuth 2.0 is a standard authorization protocol that allows applications to access resources managed by other applications on a user's behalf, without requiring users to share their credentials with the requesting application. It’s widely used for secure, delegated access across a wide range of clients, such as web apps, desktop clients, and mobile apps.
Background
The OAuth protocol began as a community effort in 2007 and was later developed by the Internet Engineering Task Force (IETF) as an open standard for authorization. The IETF is an organization that develops, maintains, and publishes standards for various internet protocols, including OAuth. The current version of OAuth is 2.0. The specifications for OAuth 2.0 are published as RFC 6749 and RFC 6750. RFC 6749 defines the core authorization framework, and RFC 6750 defines how bearer access tokens issued under that framework are used to access protected resources.
Glossary of Key Terms
To gain a fuller understanding of OAuth 2.0, it’s probably best at the outset to define the following key terms involved in the process:
· User - The resource owner, i.e. the person who owns protected resources such as web pages, photos, documents, etc.
· Access token - A digital key containing information such as the resources it grants access to, its scope, its validity period, etc.
· Authorization code - An intermediate, short-lived token used by the client to obtain an access token from the identity provider.
· Identity provider (IDP) - An entity that manages user identities and authenticates them by verifying their credentials and issuing tokens to allow access to protected resources.
· Resource server - The server that hosts protected resources and is responsible for validating access tokens to determine if a client application is authorized to access those resources.
Principles of OAuth 2.0
Now that you know and understand the key terms, it’s time to get into the key principles. I want to share the following principles with you:
· OAuth 2.0 is an authorization protocol and not an authentication protocol. It is designed for granting access to a set of resources.
· OAuth 2.0 in conjunction with OpenID Connect (OIDC) can be used for authorization as well as authentication.
· OAuth 2.0 uses access tokens for accessing resources. An access token is a digital key (typically in JSON format) that has information to authorize users to access a set of resources.
How It All Works
Let’s look at a simple example of how OAuth 2.0 works. Suppose we have a website called “My Website” and an OAuth 2.0 identity provider website, say google.com. Users are already registered on google.com and need to access resources from “My Website” without having to register again on “My Website.”
Step 1: A user clicks the login link on “My Website”.
Step 2: “My Website” redirects the user to the authorization page on google.com.
Step 3: The user enters their credentials on google.com.
Step 4: google.com issues an authorization code to “My Website”.
Step 5: “My Website” exchanges this authorization code for an access token from google.com.
Step 6: Using the access token, “My Website” can then grant the user access to the appropriate resources.
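The six steps above, carried through in code as an added example (this is not code from the original article or from any of the providers named below). The identity provider is an in-memory stand-in, and the client id, client secret, redirect URI and endpoint URLs are constructed placeholders. Two details that the numbered steps leave implicit are made explicit here: the client binds the redirect to its session with a random `state` value and rejects a callback that does not echo it, and the provider makes each authorization code single-use and tied to the client and redirect URI it was issued for, as RFC 6749 requires.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed placeholder values: these are not real endpoints or credentials.
CLIENT_ID = "my-website-client-id"
CLIENT_SECRET = "my-website-client-secret"
REDIRECT_URI = "https://my-website.example/oauth/callback"
AUTHORIZE_ENDPOINT = "https://idp.example/authorize"
TOKEN_ENDPOINT = "https://idp.example/token"  # documented for completeness; the fake IDP is called directly


class FakeIdentityProvider:
    """In-memory stand-in for the identity provider (google.com in the text).

    It plays steps 3 to 5: authenticate the user, issue a one-time authorization
    code bound to the client and redirect URI, and exchange that code for a token.
    """

    def __init__(self):
        self.pending_codes = {}   # code -> (client_id, redirect_uri, scope)
        self.issued_tokens = {}   # access_token -> token metadata

    def authorize(self, authorization_url):
        # Steps 2 and 3: the user's browser arrives here and the user logs in.
        params = {k: v[0] for k, v in parse_qs(urlparse(authorization_url).query).items()}
        if params.get("response_type") != "code":
            raise ValueError("unsupported_response_type")
        # Step 4: issue a short-lived, single-use code and redirect back to the
        # registered redirect URI with the client's state echoed unchanged.
        code = secrets.token_urlsafe(24)
        self.pending_codes[code] = (params["client_id"], params["redirect_uri"], params["scope"])
        return f"{params['redirect_uri']}?{urlencode({'code': code, 'state': params['state']})}"

    def token(self, grant_type, code, redirect_uri, client_id, client_secret):
        # Step 5: back-channel exchange of the code for an access token.
        if grant_type != "authorization_code":
            return {"error": "unsupported_grant_type"}
        if client_id != CLIENT_ID or client_secret != CLIENT_SECRET:
            return {"error": "invalid_client"}
        record = self.pending_codes.pop(code, None)   # pop: a code can be redeemed once
        if record is None or record[0] != client_id or record[1] != redirect_uri:
            return {"error": "invalid_grant"}
        access_token = secrets.token_urlsafe(32)
        self.issued_tokens[access_token] = {"client_id": client_id, "scope": record[2]}
        return {"access_token": access_token, "token_type": "Bearer",
                "expires_in": 3600, "scope": record[2]}


def build_authorization_request(scope):
    """Step 2 (client side): build the redirect to the IDP. 'state' is a fresh random
    value the client stores in the user's session and checks when the user returns."""
    state = secrets.token_urlsafe(16)
    params = {"response_type": "code", "client_id": CLIENT_ID,
              "redirect_uri": REDIRECT_URI, "scope": scope, "state": state}
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}", state


def handle_callback(callback_url, expected_state):
    """Step 4 (client side): accept the code only if 'state' matches this session."""
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback does not belong to this session")
    return query["code"][0]


def run_authorization_code_flow(idp, scope="openid profile"):
    """Drive steps 1 to 5 end to end and return the IDP's token response."""
    authorization_url, state = build_authorization_request(scope)   # step 1 -> 2
    callback_url = idp.authorize(authorization_url)                 # steps 3 and 4
    code = handle_callback(callback_url, state)
    return idp.token("authorization_code", code, REDIRECT_URI, CLIENT_ID, CLIENT_SECRET)


if __name__ == "__main__":
    idp = FakeIdentityProvider()
    print(run_authorization_code_flow(idp))
```

Running the module prints a token response of the shape `{"access_token": ..., "token_type": "Bearer", "expires_in": 3600, "scope": "openid profile"}`. The access token never passes through the user's browser: only the one-time code does, and the exchange in step 5 happens directly between “My Website” and the provider with the client secret.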
OAuth 2.0 Providers
There are quite a few identity providers that support the OAuth 2.0 protocol. Here are some of them:
· Okta
· Auth0
· Google's OAuth 2.0
· Microsoft Azure AD
· AWS Cognito
· Keycloak
· OneLogin
OAuth 2.0 Support in bTrade’s TDXchange
bTrade’s TDXchange supports integration with the OAuth 2.0 protocol to offer an easy and efficient way to connect with any standard OAuth 2.0 identity provider. TDXchange uses OAuth 2.0 in conjunction with OpenID Connect (OIDC) to enable secure Single Sign-On (SSO) over HTTPS for admin as well as mailbox users. OAuth 2.0 support adds an extra layer of security to TDXchange. TDXchange allows integration with your standard OAuth 2.0 authorization servers, thus eliminating the need to manage user credentials or roles in TDXchange.
By supporting integration with OAuth 2.0 and OpenID Connect, TDXchange provides the following benefits:
· No Direct Credential Sharing - All user credentials and information are secured on your IDP.
· Secure Authentication - Authentication methods and strict security rules can be enforced centrally.
· Revocable Access - Users and tokens can be revoked centrally across all applications.
· TLS Encryption - OAuth 2.0 requires TLS to protect the transport channel.
· Selective Access Granting - Users can be selectively granted access to specific applications and to specific resources within those applications.
· Fine-Grained Access Control - OAuth 2.0 allows the use of scopes which enable users to grant or deny access to various resources.
· Single Sign-On - Users can use one set of login credentials to access multiple applications.
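What the Revocable Access and Fine-Grained Access Control points look like on the resource server side (the role defined in the glossary above), as an added example that is not TDXchange code or any provider's code. The token store is constructed: it stands for what a resource server learns about a token from its identity provider, for instance through token introspection, and the tokens, subjects and `mailbox:*` scope names are made up for this example.

```python
# Constructed token store standing in for the IDP's view of each issued token.
# Tokens, subjects and scope names are made up for this example.
NOW = 1_700_000_000  # fixed "current time" so the example is deterministic
TOKEN_STORE = {
    "tok-admin":   {"active": True,  "sub": "alice", "scope": "mailbox:read mailbox:write admin", "exp": NOW + 3600},
    "tok-reader":  {"active": True,  "sub": "bob",   "scope": "mailbox:read",                     "exp": NOW + 3600},
    "tok-expired": {"active": True,  "sub": "carol", "scope": "mailbox:read",                     "exp": NOW - 1},
    "tok-revoked": {"active": False, "sub": "dave",  "scope": "mailbox:read mailbox:write",       "exp": NOW + 3600},
}


def extract_bearer_token(headers):
    """Return the token from an 'Authorization: Bearer <token>' header, or None
    when the header is absent, uses another scheme, or carries no token."""
    scheme, _, token = headers.get("Authorization", "").strip().partition(" ")
    token = token.strip()
    if scheme.lower() != "bearer" or not token:
        return None
    return token


def revoke(token, store=TOKEN_STORE):
    """Central revocation: once the IDP marks a token inactive, every resource
    server consulting that state refuses it on the next request."""
    if token in store:
        store[token]["active"] = False


def authorize_request(headers, required_scope, now=NOW, store=TOKEN_STORE):
    """Decide whether a request may proceed. Returns (http_status, detail) using the
    RFC 6750 error vocabulary: 401 for a missing, invalid, revoked or expired token,
    403 insufficient_scope when the token is valid but lacks the required scope."""
    token = extract_bearer_token(headers)
    if token is None:
        return 401, "invalid_request: missing or malformed bearer token"
    info = store.get(token)
    if info is None or not info["active"]:
        return 401, "invalid_token: unknown or revoked"
    if info["exp"] <= now:
        return 401, "invalid_token: expired"
    granted = set(info["scope"].split())   # scopes are a space-separated list
    if required_scope not in granted:
        return 403, f"insufficient_scope: requires {required_scope}"
    return 200, info["sub"]


if __name__ == "__main__":
    print(authorize_request({"Authorization": "Bearer tok-admin"}, "mailbox:write"))
    print(authorize_request({"Authorization": "Bearer tok-reader"}, "mailbox:write"))
    print(authorize_request({"Authorization": "Bearer tok-revoked"}, "mailbox:read"))
```

The distinction between the two failure codes matters operationally: a 401 tells the client to obtain a new token (or that the user's access has been withdrawn), while a 403 tells it that this user was never granted that particular scope, so retrying with a fresh token will not help.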
For more information about bTrade TDXchange, please visit the product page: https://www.btrade.com/solutions/tdxchange#tdxchange