Join Keith Casey for an in-depth discussion in this video, "What is OAuth 2.0, and why does it matter?", part of Web Security: OAuth and OpenID Connect.
- [Narrator] So let's talk about OAuth, and later on we'll talk about OpenID Connect. Most people think they understand OAuth. Unfortunately, most people are wrong. OAuth is not a password-sharing mechanism or protocol; it's not even a login process; it's not even a way to establish a user's identity. The misunderstanding comes down to authentication versus authorization. These are effectively known as authN and authZ, respectively. Authentication is who are you, as accomplished through a login process of some sort.
On the other hand, authorization is what can you do, and depends on authentication, but they're not interchangeable. So to be clear, OAuth is a framework for sharing authorization. In fact, if you dig into the specification, which, don't worry, we will later, you'll find it doesn't address authentication at all. Instead, OAuth is a framework that you can plug additional components into. Whether they're specifications or common patterns, it doesn't matter. It's effectively a process that says, I don't know who you are, but I trust this other provider, like Facebook, that it will tell me what you're allowed to do.
My favorite analogy here is checking into a hotel. When you check into a hotel, you present the front desk clerk with proof of identity via a driver's license or a passport. This establishes who you are. Further, you provide billing information via credit card. Somewhere behind the scenes, they use your identity information to look up your reservation, your account status, and other things related to you, then they issue you a keycard. Encoded in that card is what you have access to, which hopefully will include your room, but it could also include the gym or the workout room.
It might also include the executive lounge. The best part of all this is that your identity and billing information never leave the front desk. This is fundamentally how OAuth works, so OAuth is great in scenarios where you don't want to share credentials or maybe personally identifying information with the target website. For example, you can grant access to your Facebook account to a social media management platform without sharing your Facebook password. This is even more important once we start talking about industries like banking, insurance, and anything else that's highly regulated.
Now we haven't touched on OpenID Connect yet, but don't worry, that's coming up soon.
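The front-desk analogy above, modelled as a small OAuth-style flow (an added example, not code from the course): the front desk authenticates the guest and issues a signed, scoped "keycard" token; a door only verifies the token and checks scope, never seeing the password or the guest's identity. The guest records, the shared HMAC signing key and the scope names are constructed assumptions for this demo.

```python
"""Hotel analogy as a toy OAuth 2.0 delegation: authN at the front desk,
authZ carried in a scoped token, checked by doors (resource servers)."""
import base64
import binascii
import hashlib
import hmac
import json
from typing import List, Optional

# Constructed demo secret shared by the front desk and the doors
# (real deployments use asymmetric keys published via JWKS).
SIGNING_KEY = b"front-desk-signing-key-demo"

# Constructed front-desk records: credentials and what each guest booked.
GUEST_PASSWORDS = {"alice": "correct horse battery staple"}
RESERVATIONS = {"alice": ["room:1204", "gym"]}


def _sign(payload: bytes) -> str:
    return hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest()


def issue_token(username: str, password: str, requested: List[str], now: float) -> Optional[str]:
    """Authorization server (front desk): authenticate first (authN), then
    issue a token carrying only the granted scopes (authZ) and an expiry.
    The password and identity details never leave this function."""
    if GUEST_PASSWORDS.get(username) != password:
        return None
    granted = [s for s in requested if s in RESERVATIONS.get(username, [])]
    payload = json.dumps({"scope": granted, "exp": now + 3600}).encode()
    body = base64.urlsafe_b64encode(payload).decode()
    return f"{body}.{_sign(payload)}"


def door_allows(token: str, required_scope: str, now: float) -> bool:
    """Resource server (a door): trusts the front desk's signature, rejects
    expired or tampered tokens, and checks scope. It learns no name or
    password, only what the holder is allowed to do."""
    try:
        body, sig = token.split(".", 1)
        payload = base64.urlsafe_b64decode(body)
    except (ValueError, binascii.Error):
        return False
    if not hmac.compare_digest(_sign(payload), sig):
        return False
    claims = json.loads(payload)
    if now >= claims["exp"]:
        return False
    return required_scope in claims["scope"]
```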