# Oauth

- also known as open authorization, it is an open-standard authorization framework
- OAuth 2.0 is the industry-standard protocol for authorization.
- OAuth 2.0 focuses on client developer simplicity while providing specific authorization flows for web applications, desktop applications, mobile phones, and living room devices.
- This specification and its extensions are being developed within the IETF OAuth Working Group.

## Defining OAuth Roles

- Roles are a key part of the OAuth protocol. These roles enable the authorization process to happen seamlessly and securely.

OAuth roles can be broken down into four key categories:

- Resource Owner: this tends to be the user that authorizes an app to access their account. Usually, access is limited and apps will only be given read or write access.
- Resource Server: this server hosts a user’s accounts or data.
- Client: this is an app that requests access to a user’s account or data. For this to happen, a user must authorize access and this authorization also needs to be validated by an API.
- Authorization Server: this server’s role is to verify the user’s identity and issue access tokens to the app.

## Access tokens and authorization codes

While OAuth roles are important, another key part of the authorization process is access tokens and authorization codes.

Access tokens are pieces of code that contain huge amounts of data about users, acting as the key that gives apps access to an API. These tokens are passed from a server to a user’s device, working to verify a user’s right to access specific resources.

Each access token contains these three core components:

1. Header: data about the token’s type and which algorithm was used to create it.
2. Payload: specific details about the user (such as their access permissions and expirations).
3. Signature: confirms the authenticity of the token through verification data that is hashed and difficult to hack.

Interestingly, access tokens are standardized and don’t need to follow any particular format. However, these tokens are key to the security model of OAuth, including:

- The OAuth client isn’t the intended audience of the token. That means these tokens can’t be read or interpreted by the client.
- These tokens don’t share the identity of the user with the client.
- Plus, tokens should only be used to make requests to the resource server.

So, how are these access tokens created? That’s where authorization codes come in.

These are temporary codes that clients exchange for access tokens. Each code is provided from an authorization server, giving the user the ability to see what kind of information the client is requesting. At this point, a user can approve the request or even deny the request.


## OAuth flow types

OAuth flows differ in the way you acquire and validate tokens, meaning each flow type is suited to specific sets of needs and scenarios.
1. Authorization Code Flow
Link to this section

Authorization Code Flow exchanges authorization codes for tokens. For this exchange to work, your app must be server-side because you’re exchanging your app’s Client Secret which has to be stored securely in your client.

The Authorization Code grant type follows these steps:

- The app opens a browser sending the user to the OAuth server.
- The user approves the app’s request following an authorization prompt.
- The user is redirected back to the app with an authorization code.
- The app exchanges the authorization code for an access token.

2. Client Credentials Flow

The Client Credentials Flow allows apps to exchange their Client Secret and Client ID to an authentication server. This authenticates the user without any user involvement and returns a token.

The Client Credentials Flow is typically used for machine-to-machine (M2M) apps like daemons, CLIs, and back-end services. Instead of a user having to request authorization, the system authenticates the app so no username and password credentials are involved in the process.

The Client Credentials Flow type follows these steps:

- The app authenticates the OAuth Authorization Server using the Client ID and Client Secret.
- OAuth Authorization Server validates both the Client ID and the Client Secret.
- An access token is issued to the app.
- This grants permission to access the API with the user account.

3. Resource Owner Password Flow

The Resource Owner Password Flow asks users to enter credentials, including their username and password using an interactive form. In this flow type, credentials are passed on to the back end and can be stored for future use, meaning the app has to be trusted completely with this information.

The Resource Owner Password Flow isn’t generally recommended aside from scenarios where the apps are completely trusted and other types of redirect flows (like the Authorization Code Flow) can’t be used.

The Resource Owner Password Flow type follows these steps:

- The user logs into an app with their login credentials.
- The application stores and forwards the credentials to the OAuth Authorization Server.
- The authorization server validates the credentials and gives out an access token, and sometimes a refresh token too.
- This allows the app to access the API with the user’s credentials.

4. Implicit Flow with Form Post

Implicit Flow with Form Post uses OpenID Connect (OIDC) to execute a web-sign in. The web app solicits and retrieves tokens through the front channel without needing secrets or back-end calls. This type of flow functions like WS-Federation and SAML and doesn’t require you to use, keep, or secure secrets in your app.

Implicit Flow with Form Post is typically used by apps that don’t want to locally store secrets and follows these steps.

- The user logs in to the app.
- The user is redirected to the authorization server which passes along a response type parameter of an ID token that specifies the type of requested credential.
- The authorization server redirects the user to the login and authorization cue.
- The user authenticates using a login option and may be given the option to see a consent page listing the permissions given to the app.
- The authentication server redirects the user to the app with an ID token.

5. Hybrid Flow

The Hybrid Flow is used by apps that can store client secrets securely which provides your app with instant access to an ID token, while simultaneously providing secure retrieval of access and refresh tokens.

For apps that need immediate access to user data on an ongoing basis, the hybrid flow can be handy. The Hybrid Flow is a combination of the Implicit Flow with Form Post and Authorization Code Flow and follows these steps:

- The user logs into an app.
- The app redirects the user to the authorization server passing along an ID token and authorization code.
- The authorization server redirects the user to the login and authorization cue.
- The user authenticates using a login option and may be given the option to see a consent page listing the permissions given to the app.
- The authorization server redirects the user back to the app with an ID token, an authorization code for one-time use, and an authorization token.
- The app then sends a code to the authorization server with the app’s Client ID and Client Secret and the authorization server verifies the Client ID, Client Secret, and code.
- The authorization server provides a second ID Token and Access Token which is used to call an API to access the user’s information.
- The API then grants access to the data requested.

6. Device Authorization Flow

The Device Authorization Flow lets users authenticate without asking for their login credentials which enhances the user experience for devices that don’t provide an easy option to enter text. In this flow, device apps transfer the user’s Client ID to bring about the authentication process and receive a token.

Device Authorization Flow is typically used on Smart TVs which lets you authenticate an app on your TV through your smartphone or laptop.

Device Authorization Flow works using two different pathways. The first pathway occurs on the device that is requesting authorization (for example a smart TV) and the second pathway occurs in the browser.

In the browser code path, the device code is limited to the session in the browser which occurs simultaneously with the device flow path.

7. Authorization Code Flow with PKCE
Link to this section

The Authorization Code Flow with PKCE is created to authenticate public client applications (for example, native and mobile users). This flow uses a proof of key code exchange (PKCE) which is used for public clients because they don’t have a secret, meaning they can’t authenticate themselves.

There are significant security risks when public clients request access tokens that aren’t alleviated by the Authorization Code Flow. For both native and single-page apps, they can’t securely store a Client Secret.

At the start of the flow, the PKCE makes the app produce a random value called a Code Verifier. The app hashes the Code Verifier which results in a Code Challenge that then works as a normal flow plus a Code Challenge.

The Authorization Server then stores the Code Challenge for future verification and redirects back to the app with an authorization code once the user authenticates. The app then asks to exchange the code for tokens, and the authorization server compares the Code Verifier to the hashed value it stored previously.

## How to choose the right OAuth flow

There are a bunch of different OAuth flows which all have specific uses for different needs and cases. Picking the right OAuth flow will depend on the app and the specific scenarios and requirements, like the level of trust between the resource owner and client application, and desired user experience.

## OAuth grant types

A grant is a method of acquiring an access token. This means OAuth 2.0 grants are a set of steps that the client will have to go through to get resource access authorization. The authorization framework will provide several different grant types to address different scenarios.

In short, there’s an OAuth grant flow and type to suit most use cases.
1. Authorization Code Grant

Authorization Code Grant is the most widely used grant type to authorize the client.

In this scenario, the authorization server will return a single-use authorization code to the client, which is then exchanged for an access token.

This is the best option for traditional web-based apps, where the exchange can happen securely on the server side. The client’s secret cannot be stored securely so authentication during the exchange is limited to the use of the client ID alone.

2. Proof Key for Code Exchange (PKCE)

PKCE is a security-centric OAuth grant type. The main concept behind this grant type is proof of possession. This essentially means the client app needs to prove to the authorization server that the authorization code is authentic before being issued an access token. The PKCE flow includes a code verification measure and code challenge.

Interestingly, PKCE can be traced by the older grant type, the Implicit Grant Type. With no authorization code, the client app would receive the access token instantly after getting the end user’s consent. Since this flow took place entirely through browser redirect, it proved very risky and was not secure enough. From there, PKCE was born.

3. Device Code Grant

The device code grant type is used by browserless or input-constrained devices, used in the device flow to exchange a previous device code for an access token.

This grant flow usually goes like this:

- A client authorization server receives an access request from the kitchen (usually including its client identifier)
- End-user and device codes are created and shared by the authorization server, and the end-user receives a verification URI
- The end-user needs to utilize a user agent by the client, and then enter the end-user code to review this request
- The end-user is authenticated by the authorization server through this user agent, prompted to enter the user code
- The authorization server checks this code and asks the user to accept or decline the request
- The authorization server is asked by the client to verify if authorization is complete
- Once the server has validated the device code received by the client, access is granted and an Access Token is issued

4. Client Credentials Grant

This type of grant is used specifically by clients for non-interactive applications. For example, automated processes. In this case, the application would be authenticated by using the client ID and secret.

5. Refresh Token Grant

This is a type of grant flow that involves the exchange of a refresh token for a new access token. This allows clients to have a valid access token without having to interact with the user.

After the client sends a POST request to the authorization server a JSON object is provided. It’s also important to remember that Refresh Tokens operate differently from Access Tokens, meaning they are never sent to resource servers and only interact with authorization servers.

## Tips for choosing the right OAuth grant type

The first step to implementing the OAuth framework is to select the right authorization grant type to suit your case. This usually depends on your application type, but other factors weigh in too, such as the level of trust between your clients or the kind of experience you want users to have.

Here are some things to consider to help you select the right OAuth grant type::

- First-party or third-party client: A first-party client is one you trust enough to handle the end-users authorization credentials. A third-party client is one that you don’t trust.
- Access token owner:  If you’re authorizing a machine to access resources and you won’t require the permission of a user to access the resources, you should implement the client credentials grant.
- Client type: Depending on whether or not the client is capable of keeping a secret will depend on which grant is most suitable for the client. For example, if the client is a web app that has a server-side component you should implement the authorization code grant.
