An overview of OAuth2

Kavindu Gayan
3 min read · Jul 17, 2021

What is OAuth?

OAuth is an authorization delegation protocol. It lets a user grant an external service limited, granular access to specific APIs on their behalf, without ever handing that service their password. What does that mean in practice? Suppose you want to sign up for some website, and at the bottom of the signup page there is a "Sign up with Google" button. You have almost certainly signed up or signed in with a Google account this way before.

figure 1

For the signup process the website needs some information about you, such as your name and your username or email address; exactly what it needs depends on its requirements.

Once you click the "Sign up with Google" button, the website has to get that information from Google rather than asking you for it directly. How can it do that?

One option would be for the signup page to ask for your Google credentials (username and password), pass them to Google, and fetch the required details itself. But wait: do you want to give your Google account credentials to another party? Certainly not. That site would hold your password, could do anything your account can do, and you could not revoke its access without changing the password.

figure 2

This is where OAuth comes in. When you click the "Sign up with Google" button, the client website redirects your browser to Google's authorization endpoint, passing its client_id, its callback URL (redirect_uri) and the scopes it is requesting; a well-built client also includes a random state value so it can later tell that the callback belongs to the session that started the login. Google then asks you to log in to your Google account (if you are not already logged in) and may ask you to confirm the grant:

"This site is asking for the following information about you. Do you want to allow it?"

Once you press the Allow button on Google's site, Google grants access to the limited set of your resources that the client asked for and redirects your browser to the client's callback URL with a short-lived, single-use authorization code. The code is not itself a key to your data; it only proves to Google, in the next step, that you approved this particular request.

figure 3

Now the client website holds the authorization code, and it already has its own client_id and client_secret from registering with Google. It sends the code together with those client credentials to Google's token endpoint over a back channel (server to server, not through your browser) and receives an access token. It can then call the resource server, Google's APIs, presenting that access token.

Here is the full data flow:

figure 4

Once the user has been redirected back to the client site (step 5), the remaining steps happen between the client's server and Google's servers; the user does not see them.
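The exchange in figure 4, written out as a runnable toy. This is an added example, not code from the article or from Google: the authorization server, the resource server and the client website all run in one Python process, and every URL, client_id and secret (demo-client-id, https://app.example/callback, the user "alice") is made up. It shows the front-channel authorization request with client_id, redirect_uri, scope and state, the consent decision, the code carried back in the redirect, the back-channel exchange of code plus client_secret for an access token, and the resource server releasing only the fields the granted scopes cover. It also includes the checks a real server performs that the prose glosses over: the redirect_uri allow-list, state matching, and a code that can be redeemed only once.

```python
"""Toy OAuth 2.0 authorization-code flow with both sides in one process. Added example,
not code from the article: every URL, client_id and secret below is made up."""
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

def query(url: str) -> dict:
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}

class AuthServer:
    """Authorization server plus resource server (the 'Google' side)."""

    def __init__(self) -> None:
        # Registered out of band; the redirect_uri allow-list keeps codes from going to attacker-chosen URLs.
        self.clients = {"demo-client-id": {"secret": "demo-client-secret",
                                            "redirect_uris": {"https://app.example/callback"}}}
        self.users = {"alice": {"name": "Alice", "email": "alice@example.com"}}  # constructed user
        self.codes, self.tokens = {}, {}  # code -> grant record (single-use); token -> {user, scope, expires}

    def authorize(self, url: str, user: str, approved: bool = True) -> str:
        """Front channel: user logs in and consents; returns the redirect back to the client."""
        q = query(url)
        client = self.clients.get(q.get("client_id", ""))
        if client is None or q.get("redirect_uri") not in client["redirect_uris"]:
            raise ValueError("unknown client or unregistered redirect_uri")  # never redirect here
        params = {"state": q.get("state", "")}  # echo state so the client can match its session
        if not approved:
            params["error"] = "access_denied"
        else:
            params["code"] = code = secrets.token_urlsafe(32)
            self.codes[code] = {"client_id": q["client_id"], "redirect_uri": q["redirect_uri"],
                                "scope": q.get("scope", ""), "user": user, "expires": time.time() + 60}
        return q["redirect_uri"] + "?" + urlencode(params)

    def token(self, form: dict) -> dict:
        """Back channel: authorization code + client credentials -> bearer access token."""
        client = self.clients.get(form.get("client_id", ""))
        if client is None or not hmac.compare_digest(client["secret"], form.get("client_secret", "")):
            return {"error": "invalid_client"}
        rec = self.codes.pop(form.get("code", ""), None)  # pop: a code can be redeemed only once
        if (rec is None or rec["expires"] < time.time() or rec["client_id"] != form["client_id"]
                or rec["redirect_uri"] != form.get("redirect_uri")):
            return {"error": "invalid_grant"}
        tok = secrets.token_urlsafe(32)
        self.tokens[tok] = {"user": rec["user"], "scope": rec["scope"], "expires": time.time() + 3600}
        return {"access_token": tok, "token_type": "Bearer", "expires_in": 3600, "scope": rec["scope"]}

    def userinfo(self, access_token: str) -> dict:
        """Resource server: release only the fields the granted scopes cover."""
        t = self.tokens.get(access_token)
        if t is None or t["expires"] < time.time():
            return {"error": "invalid_token"}
        allowed = {"profile": ["name"], "email": ["email"]}
        fields = [f for s in t["scope"].split() for f in allowed.get(s, [])]
        return {f: self.users[t["user"]][f] for f in fields}

class ClientApp:
    """The website with the 'Sign up with Google' button."""
    AUTHZ_ENDPOINT = "https://accounts.example/authorize"

    def __init__(self, server: AuthServer) -> None:
        self.server = server
        self.client_id, self.client_secret = "demo-client-id", "demo-client-secret"  # secret never reaches the browser
        self.redirect_uri = "https://app.example/callback"
        self.pending_states: set = set()

    def start_login(self, scope: str = "profile email") -> str:
        """Build the redirect that sends the browser to the authorization server."""
        state = secrets.token_urlsafe(16)  # binds the callback to this browser session (CSRF defence)
        self.pending_states.add(state)
        return self.AUTHZ_ENDPOINT + "?" + urlencode({"response_type": "code", "client_id": self.client_id,
                                                     "redirect_uri": self.redirect_uri, "scope": scope, "state": state})

    def handle_callback(self, url: str) -> dict:
        """Callback hit by the browser: check state, swap the code for a token, fetch the profile."""
        q = query(url)
        if q.get("state") not in self.pending_states:
            raise ValueError("state mismatch: callback was not started by this session")
        self.pending_states.discard(q["state"])
        if "error" in q:
            return {"error": q["error"]}
        resp = self.server.token({"grant_type": "authorization_code", "code": q["code"],
                                  "redirect_uri": self.redirect_uri,
                                  "client_id": self.client_id, "client_secret": self.client_secret})
        return resp if "error" in resp else self.server.userinfo(resp["access_token"])

def run_flow(approved: bool = True, scope: str = "profile email") -> dict:
    # One full login for the constructed user 'alice'; returns what the client ends up learning.
    app = ClientApp(server := AuthServer())
    return app.handle_callback(server.authorize(app.start_login(scope), user="alice", approved=approved))

def replay_code() -> tuple:
    """Redeem one authorization code twice: the first works, the second must be refused."""
    app = ClientApp(server := AuthServer())
    form = {"grant_type": "authorization_code", "redirect_uri": app.redirect_uri, "client_id": app.client_id,
            "client_secret": app.client_secret, "code": query(server.authorize(app.start_login(), "alice"))["code"]}
    return "access_token" in server.token(form), server.token(form).get("error")
```

`run_flow()` returns the name and email for the default scopes, `run_flow(scope="email")` returns only the email, and `run_flow(approved=False)` surfaces the `access_denied` error the user's refusal produced. `replay_code()` shows why step 5 is safe to carry through the browser: even if someone captures the code from the URL, it is worthless without the client_secret and it dies the moment the legitimate client redeems it.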

Here is the user experience:

  1. The customer clicks the "Login with Google" button.
  2. The page redirects to Google, which asks for the user's credentials.
  3. The user confirms the requested permissions (in some cases; this step is optional).
  4. The external site receives basic data about the user from Google, such as name, email address and profile picture.
figure 5
