Sep 12, 2020

The World of OAuth Part 1

To prepare for a meeting I needed to read up on OAuth, and I would say it was really nice. Especially I liked how OAuth2 lightened the protocol by pushing the security concern over to the TSL protocol. In my view it seemed that OAuth 1 was giving a bit too much flexibility to the implementer. I also liked how the handshakes were being performed to ensure that the actors were who they said that they were. I feel like this kind of flows is a way of thinking that will become more and more common. It seemed familiar to me once I started to read up a bit on Web Hooks. It seems that this concept is to some extent using the same kind of token concepts as OAuth to ensure being safe.

Still, I find that OAuth has been eluding me. How does it really work? When reading up on it I understand why it has been eluding me. It is because OAuth2 is not just one flow. It is many.


We have four parties:

The Client can get access to the resource by presenting the correct Grant to the Resource Server. The Grant is basically the proof that the Client should be allowed access to the resource. There are different type of Grants available in OAuth2: