oAuth

OAuth is an open standard for access delegation, commonly used as a way for Internet users to grant websites or applications access to their information on other websites but without giving them the passwords.

OAuth was actually intended to handle the Authorization. It was actually meant for a service to authorize another service.

Example:

• Document Printing Website [Client]
  • Once the User is Authenticated
  • The user can either upload a document [Resource] OR
  • Provide a google drive link [Resource Owner] through which it can be retrieved
  • Now with the google drive link. Can the client download the document from google drive?
    • Yes, if it's shared. But that will make the document shared globally
    • No, because Google doesn't trust the Client
  • To solve this purpose, a standard OAuth has to be implemented by both the services
    • By Implementing the OAuth, google can give access to the Client to the User's data
    • But the User should give access to the Client to only download the documents nothing else (delete, create etc..)
    • So it should have restricted access and not the complete access
    • So this should be implemented by the google

Standard Versions

• OAuth 1
• OAuth 2

Process

• Google to implement the OAuth and have the accesses defined
• When user selects google drive to upload document
• Client asks google to download the file through the OAuth flow
• Google doesn't trust the Client and so requests the Users indicating the requested access from the Client
  • It also informs the User on all the permissions that the Client has requested for
• Once User validates this request, Google creates and sends the Client a Token* indicating that the Client has access tot he requested permission
• The Client uses the access token and requests for the document download access
• Google validates the Token and based on the Token Validity & it's permissions,
  • Rejects
  • Approves and sends the document

Token* = A token is created by Google. Ex: JWT Token.