## Authentication with OAuth2

Some of you may have already used APIs that require passing a specific key to authorize the API calls. So the question naturally comes up: why is that not sufficient for authentication?

Here are a few reasons:

* We often want our application to **act on behalf of a user** (e.g., retrieve the list of friends of a user on Facebook, and do some analysis on behalf of the user). OAuth allows for such delegation, without requiring the app to have access to the login credentials of the user.
* Acting on behalf of a user also allows the quota to be adjusted on a per-user basis, as opposed to a per-app basis (so that the creators of very popular apps do not have to increase the quota for their own key).
* Users often want to give a limited set of privileges to the app (e.g., read only my profile, no posting).
* Users want to be able to selectively remove access for specific apps, without having to change the credentials for other apps.

So, how does OAuth achieve that?

## OAuth2 flows

Fundamentally, we have the following steps:

* The app sends the user to a login page. The login page asks the user whether the user really wants to grant these permissions to the app.
* The user logs in and grants the permissions. This generates an **authorization code** that the API sends back to the app (by **calling back a _redirect URL_**).
* The app uses the authorization code (which proves that the user has granted permissions), and calls the API, asking for an **access token**.
* The **access token** can then be used by the app to call the API on behalf of the user.
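The four steps above, as an added example that is not part of the original page: the client side of the authorization-code flow, driven end to end against a small in-process stand-in for the provider's authorization server so it runs offline. The endpoint URL, client id, redirect URI and scope names are constructed placeholders, not any real provider's values. Besides the happy path, it shows the checks a practitioner wants at each step: the app ties the callback to its own login attempt via the `state` parameter, the token endpoint accepts each code once and only for the client and redirect URI it was issued to, and the API refuses calls outside the granted scope.

```python
"""Client side of the OAuth2 authorization-code flow with an offline stand-in
for the provider. Added example; all endpoint and client values below are
constructed placeholders."""
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed placeholders (assumed values, not from any real provider).
AUTHORIZE_ENDPOINT = "https://auth.example.test/oauth/authorize"
CLIENT_ID = "example-client-id"
REDIRECT_URI = "https://app.example.test/callback"


def build_authorization_url(scope, state):
    """Step 1: build the login/consent URL the app sends the user to.
    `scope` is the limited set of permissions requested; `state` is a random
    per-attempt value the app keeps in the user's session."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(scope),
        "state": state,
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def parse_callback(callback_url, expected_state):
    """Step 2: the provider redirects the user back with the authorization
    code. Accept it only if `state` matches the value this app issued, so a
    code obtained elsewhere cannot be bound to this user's session."""
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        raise PermissionError(query["error"][0])
    state = query.get("state", [""])[0]
    if not secrets.compare_digest(state, expected_state):
        raise ValueError("state mismatch: callback not tied to this login attempt")
    return query["code"][0]


class FakeAuthorizationServer:
    """Stand-in for the provider's authorization, token and API endpoints.
    Constructed for this example; a real provider is reached over HTTPS."""

    def __init__(self):
        self._codes = {}   # authorization code -> (client_id, redirect_uri, scope)
        self._tokens = {}  # access token -> granted scope

    def user_grants(self, authorization_url):
        """The user logs in and approves the requested permissions; returns
        the redirect URL the browser is sent to, carrying the code."""
        q = parse_qs(urlparse(authorization_url).query)
        code = secrets.token_urlsafe(24)
        self._codes[code] = (q["client_id"][0], q["redirect_uri"][0], q["scope"][0])
        return q["redirect_uri"][0] + "?" + urlencode({"code": code, "state": q["state"][0]})

    def token(self, form):
        """Step 3: exchange a code for an access token. A code is single use
        and bound to the client and redirect URI it was issued for."""
        entry = self._codes.pop(form.get("code"), None)
        if entry is None:
            return {"error": "invalid_grant"}
        client_id, redirect_uri, scope = entry
        if form.get("client_id") != client_id or form.get("redirect_uri") != redirect_uri:
            return {"error": "invalid_grant"}
        token = secrets.token_urlsafe(32)
        self._tokens[token] = scope
        return {"access_token": token, "token_type": "Bearer", "scope": scope}

    def api_call(self, authorization_header, required_scope):
        """Step 4: a resource endpoint that accepts the Bearer token and checks
        that the granted scope covers the requested operation."""
        scheme, _, token = authorization_header.partition(" ")
        granted = self._tokens.get(token)
        if scheme != "Bearer" or granted is None:
            return 401, "invalid_token"
        if required_scope not in granted.split():
            return 403, "insufficient_scope"
        return 200, "ok"


def run_flow(server, scope):
    """Drive the four steps end to end. Returns the granted scope, the status
    of one in-scope and one out-of-scope API call, and the result of
    replaying the already-used code."""
    state = secrets.token_urlsafe(16)
    callback_url = server.user_grants(build_authorization_url(scope, state))
    code = parse_callback(callback_url, state)
    form = {"grant_type": "authorization_code", "code": code,
            "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI}
    token_resp = server.token(form)
    auth = f"Bearer {token_resp['access_token']}"
    read_status, _ = server.api_call(auth, "profile:read")
    write_status, _ = server.api_call(auth, "profile:write")
    replay = server.token(form)  # same code again: must be refused
    return {"scope": token_resp["scope"], "read": read_status,
            "write": write_status, "replay": replay.get("error")}


if __name__ == "__main__":
    print(run_flow(FakeAuthorizationServer(), ["profile:read"]))
```

With a real provider, `user_grants` is the browser redirect you never see and `token` is an HTTPS POST to the provider's token endpoint; the client-side functions stay the same, and `state` must live in the server-side session rather than a local variable.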

The picture below illustrates the OAuth2 flow:

<img src="https://assets.digitalocean.com/articles/oauth/abstract_flow.png">

These two tutorials also explain the details of the authentication process in a simplified manner:
* https://www.digitalocean.com/community/tutorials/an-introduction-to-oauth-2
* http://aaronparecki.com/articles/2012/07/29/1/oauth2-simplified

