OAuth is defined in RFC 6749. It was designed with HTTP in mind and permits a user to log in to multiple web sites using a single set of user account credentials. A classic example is logging in to a corporate website using the credentials already held in Facebook.
NOTE: There are two versions of OAuth (1.0 and 2.0), and these versions are not compatible. OAuth 2.0 is the currently adopted standard.
OAuth defines four roles:
- Resource owner – this is typically the end user, but it can be any system or computer
- Resource server – the host of the secured accounts (the protected resources); it responds to the client's requests
- Client – the application making a resource request
- Authorization server – the server that issues access tokens to the client once identity is verified
There are two flow types with OAuth. The two-legged authentication style does not feature a resource owner; this is the type of flow you will often find when APIs are in use. This post focuses on the DevNet Pro exam objective of the three-legged authentication style, which does feature the resource owner.
Here are the steps we must know in this OAuth three-legged authentication process:
Step 1 – the resource owner sends a request to the OAuth client application
Step 2 – the client application sends the resource owner a “redirect” to the authorization server
Step 3 – the resource owner connects directly with the authorization server and authenticates
Step 4 – the authorization server presents a form to the resource owner to grant access
Step 5 – the resource owner submits the form to allow access
Step 6 – the authorization server sends the client a redirection with the authorization grant code or an access token
Step 7 – the client application sends the authorization grant code, client ID, and the certificate to the authorization server
Step 8 – the authorization server sends the client an access token and optionally a refresh token
Step 9 – the client sends the access token to the resource server to request protected resources
Step 10 – the client can now access the protected resources on the resource server
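The ten steps above carried through end to end, as an added Python example that is not part of the original post: an in-memory stand-in for the authorization server and resource server, with the client authenticating by a client secret where the post says "certificate". The client ID, secret, callback URL and the `state` check tying the redirect back to the client's session are constructed for the example.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

class AuthorizationServer:
    """In-memory stand-in for the authorization server (constructed for this example)."""
    def __init__(self):
        # Registered client ID -> client credential (constructed values).
        self.clients = {"client-123": "client-secret-xyz"}
        self.codes = {}       # authorization code -> client ID it was issued to
        self.tokens = set()   # access tokens this server has issued

    def authorize(self, client_id, redirect_uri, state):
        # Steps 3-6: the resource owner has authenticated and approved; redirect back with a code.
        if client_id not in self.clients:
            raise PermissionError("unknown client")
        code = secrets.token_urlsafe(16)
        self.codes[code] = client_id
        return f"{redirect_uri}?{urlencode({'code': code, 'state': state})}"

    def token(self, grant_type, code, client_id, client_secret):
        # Steps 7-8: exchange the one-time code plus client credentials for an access token.
        if grant_type != "authorization_code" or self.clients.get(client_id) != client_secret:
            raise PermissionError("invalid client")
        if self.codes.pop(code, None) != client_id:   # single use, bound to the client it was issued to
            raise PermissionError("invalid grant")
        access_token = secrets.token_urlsafe(24)
        self.tokens.add(access_token)
        return {"access_token": access_token, "token_type": "Bearer"}

def resource_server_get(auth_server, headers):
    # Steps 9-10: serve the protected resource only for a bearer token the authorization server issued.
    token = headers.get("Authorization", "").removeprefix("Bearer ")
    return ("protected data", 200) if token in auth_server.tokens else ("unauthorized", 401)

def run_three_legged_flow(auth_server):
    client_id, client_secret = "client-123", "client-secret-xyz"
    redirect_uri = "https://client.example/callback"   # assumed client callback URL
    # Step 2: the client redirects the resource owner to the authorization server with a fresh
    # 'state' value so the callback can be tied back to this session (defined in RFC 6749).
    state = secrets.token_urlsafe(8)
    callback_url = auth_server.authorize(client_id, redirect_uri, state)
    # Step 6: the client receives the redirect and checks 'state' before trusting the code.
    params = parse_qs(urlparse(callback_url).query)
    if params.get("state", [None])[0] != state:
        raise PermissionError("state mismatch: callback not tied to this session")
    token = auth_server.token("authorization_code", params["code"][0], client_id, client_secret)
    return resource_server_get(auth_server, {"Authorization": f"Bearer {token['access_token']}"})
```

Running `run_three_legged_flow(AuthorizationServer())` returns the protected data; a forged bearer token, a wrong client secret, or a replayed authorization code is refused.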