URL: https://thenewstack.io/oauth-2-0-but-hold-the-jargon-please/
OAuth 2.0, but Hold the Jargon Please

OAuth operates like Tesla's “Valet Mode”. The Tesla Owner gives the valet limited access to his/her Tesla without needing to provide the main vehicle key.
Aug 25th, 2020 9:17am by Virag Mody
Feature image via Pixabay.
Gravitational sponsored this post.
Virag Mody
Virag joined Gravitational in January of 2020, after co-founding a software code auditing company for Ethereum applications. Having joined Gravitational, Virag continues to learn about trending technologies and produces high quality written and video content. In his free time, Virag enjoys rock climbing, video games and walking his dog.

You likely have profiles on dozens of applications containing personal information. Originally siloed, these applications have become increasingly connected. Discord searches Facebook for suggested friends, Jira creates user accounts with Github profiles, and so on. This trend of applications talking to each other on your behalf is called “Delegated Access” and has become a necessary part of our online lives.

However, because of the way these applications protect their data, developers run into a challenge: how do we delegate access? Almost every application is protected by a basic username/password scheme. To allow Application A to get the data it needs from Application B would require constantly logging into Application B on behalf of Application A — how unwieldy! The workaround was to give Application A the username and password credentials to log in to Application B, which was problematic for a few reasons:

  • Application A stored credentials as cleartext
  • Application A was given broad, unfettered access to Application B
  • Users could not easily revoke access for Application A
  • A compromised Application A puts Application B at risk

OAuth was formed as a solution to this Catch-22 situation: how to provide delegated access without putting the end user’s data at risk.

OAuth Protocol Flow

Consider that Teslas have a “Valet Mode” for which you need a valet keycard. This keycard informs the vehicle that it is to operate with limited functionality, restricting the max speed and acceleration and locking the trunk. This technique is conceptually identical to how OAuth operates. The Tesla Owner gives the valet limited access to his/her Tesla without needing to provide the main vehicle key.

OAuth is quite popular for social media apps. You are likely familiar with requests like these:

Figure 1: Using OAuth, Spotify (client) is able to access Facebook (resource server) without credentials on behalf of Bob (resource owner).

When receiving a pop-up like this, the OAuth protocol operates in the background as follows:

Figure 2: Delegating Access to Spotify for Facebook Data.

  1. Spotify sends a message to Bob requesting the rights to access his public profile, friend list, email and birthday.
  2. Bob provides Spotify with a grant to collect said data.
  3. Spotify sends the grant to a Facebook API.
  4. Facebook API verifies grant and sends an access token for Spotify to access protected resources.
  5. Spotify sends the access token to another Facebook API.
  6. Facebook API sends the requested data to Spotify.

Through the usage of grants and tokens, which we will discuss next, Spotify is given Bob’s valet card to his Facebook account.

Peeking Under the Hood

Scopes and Tokens

Scopes and tokens are how OAuth implements subjective access controls. Together they represent a “permission to do something.” The token is the “permission” part and the scope defines what the “do something” is. Think of a movie ticket: the scope is the name of the movie you are authorized to watch and the ticket itself is the token, which only a theater employee can validate as authentic. From our Tesla example, the scope is what vehicle functions are enabled when started with the valet key. The access token is the valet key itself, which the Tesla vehicle can recognize only if the key was issued by the Tesla dealership.


Going back to our Spotify example: in Step 4, Spotify receives an access token with which it can successfully query Facebook’s servers. This token is meaningless to Spotify, but Facebook is able to decode it and verify that Spotify was really given permission by Bob. Contained within the token is a field for “scope” which lets Facebook know what Spotify is allowed to do. In this case, that is to read Bob’s public profile, email, friend list, and birthday.

Grants and Flows

Grants dictate the order of operations for Spotify to obtain an access token. These unique orderings are called flows. Going back to our movie theater analogy, there are two ways to be granted a ticket: (1) purchase in the theater, or (2) purchase online. The method you’ve chosen dictates what you will do to obtain the ticket. Purchasing in the theater may look like:

  1. Navigate to theater location
  2. Enter theater
  3. Walk to front counter
  4. Select showtime
  5. Provide credit card to theater employee
  6. Sign receipt
  7. Obtain physical ticket

Whereas purchasing online could follow these steps:

  1. Navigate to theater webpage
  2. Select showtime
  3. Check out cart
  4. Enter payment information
  5. Obtain digital ticket through email

As you can see, grants are not material things in the same way a token is, but instead, they inform which flow Facebook should use when communicating with Spotify. Differing grants are optimized for specific use cases and will affect which security measures apply.

OAuth, being an internet protocol, works over HTTPS. All communication between Facebook, Spotify and Bob happens by way of URIs in your browser. These URIs are queries with parameters included as part of the string. Contained within these parameters is the information Facebook needs to understand which flow to follow.

Knowing which of the five grant types to use is essential to setting up the right OAuth flow.
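To make the six steps of Figure 2 and the scope and URI parameters above concrete, here is an added example that is not part of the original article: a miniature authorization code flow in which "Facebook" is played by an in-memory authorization server and "Spotify" by the client functions. Every URL, client id and scope name is a constructed placeholder, and the server's checks (client and redirect URI must match the grant, a code is redeemable once, data is served only within the granted scope) are the ones a defender would expect the real resource server to enforce.

```python
# Added example, not from the article: a miniature OAuth 2.0 authorization code flow with
# "Facebook" as an in-memory AuthorizationServer; URLs, ids and scope names are placeholders.
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTH_ENDPOINT = "https://auth.example/authorize"  # placeholder, not a real endpoint

def build_authorization_url(client_id, redirect_uri, scopes, state):
    """Step 1: the client asks for rights; the scope rides in the URI query string."""
    params = {"response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
              "scope": " ".join(scopes), "state": state}
    return f"{AUTH_ENDPOINT}?{urlencode(params)}"

def requested_scopes(url):  # what the server reads back out of that URI
    return frozenset(parse_qs(urlparse(url).query)["scope"][0].split())

class AuthorizationServer:
    def __init__(self):
        self._codes, self._tokens = {}, {}

    def approve(self, user, client_id, redirect_uri, scopes):  # Step 2: owner consents
        code = secrets.token_urlsafe(16)  # the grant: a one-time, short-lived code
        self._codes[code] = (user, client_id, redirect_uri, frozenset(scopes))
        return code

    def exchange(self, code, client_id, redirect_uri):  # Steps 3-4: verify grant, issue token
        grant = self._codes.pop(code, None)  # pop: a code can be redeemed only once
        if grant is None or grant[1] != client_id or grant[2] != redirect_uri:
            return None
        token = secrets.token_urlsafe(24)  # opaque to the client, meaningful to the server
        self._tokens[token] = {"user": grant[0], "scope": grant[3]}
        return token

    def introspect(self, token):  # Steps 5-6: the resource API validates the token
        return self._tokens.get(token)

def resource_api(server, token, needed_scope):  # serve data only within the granted scope
    info = server.introspect(token)
    if info is None or needed_scope not in info["scope"]:
        return None
    return f"{needed_scope} of {info['user']}"

def demo():
    fb, cb = AuthorizationServer(), "https://spotify.example/cb"
    url = build_authorization_url("spotify", cb, ["public_profile", "email"], secrets.token_urlsafe(8))
    code = fb.approve("bob", "spotify", cb, requested_scopes(url))  # Bob clicks "Continue"
    token = fb.exchange(code, "spotify", cb)
    return {"email": resource_api(fb, token, "email"),       # granted scope: served
            "posts": resource_api(fb, token, "user_posts"),  # never granted: denied
            "replay": fb.exchange(code, "spotify", cb)}      # reused code: denied
```

Running `demo()` shows the valet-card idea end to end: the token opens exactly the scopes Bob approved, nothing more, and the grant that produced it cannot be spent twice.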

Conclusion

Despite providing an often overlooked convenience, OAuth is a complex protocol with hundreds of different ways to be implemented. Before diving into the deep end and drowning in all the terms and concepts, understanding the basic conceptual structure will make treading water much easier.
