What is OAuth 2.0

OAuth 2.0 stands for Open Authorization and has been created for the purpose of permitting a website or an application to gain access to resources which are hosted by different web applications. 

This is done on behalf of a user. In other words, OAuth 2.0 gives access with consent and also limits those actions on resources which can be executed by the client application on behalf of the user, without sharing the details of the user.

OAuth 2.0 is a standardised protocol which is used across the industry to get authorization. While the main purpose of this protocol is to maintain flow of authorization for web and desktop applications, it also ensures simplicity of the process for the client developers.

Principles of OAuth 2.0

OAuth 2.0 primarily runs on a few principles which have been listed below-

‍

Authentication or Authorization

• It is important to not confuse OAuth 2.0 to be an authentication tool. It is only an authorization tool with the focus being on allowing access to certain sets of resources.

Access Tokens

• OAuth 2.0 requires an Access Token. An access token is in the form of data which shows the authorization for accessing resources and does this on the end-user’s behalf. 
• There is no fixed format for Access tokens, but the most commonly used format is JSON Web Token. This way, the issuers of the token are able to integrate the data with the token. Access tokens also come with expiration date to keep security intact.
• It is interesting to know that one access token can give different levels of access to many APIs. Scope is one parameter which manages the resources to which access token gives permission.

How OAuth 2.0 works

The process of working of OAuth 2.0 is fairly simple:

• The first step is to seek client credentials. Next, a request is raised by the client application to get an access token from the server. At this stage, there are one or more than one values sent to the scope parameter.  
• This is followed by extraction of a token from the response.
• The token is sent to the particular API that needs to be accessed. Sometimes, it may be required to refresh the access token as they are applicable for a limited time.

Conclusion

OAuth2.0 supplies the authorization workflow for web, desktop applications, and mobile devices. It is a server side web app that uses authorization code and does not interact with user credentials.

OAuth 2.0 replaced OAuth 1.0 in 2012 and is now the de facto industry standard for online authorization. If your organisation hasn’t moved to using OAuth 2.0 yet, you can opt to upskill your team in API Testing and QA with a personalised training curriculum matching your requirements. 

Now that we have discussed about Access Tokens, it is imperative that we discuss JWT which has become increasingly famous for maintaining security of APIs.