From the course: Spring 6: Spring Security

Introduction to OAuth 2.0

- [Instructor] While OAuth and OAuth 2 are probably two of the most common authentication and authorization schemes on the internet today, they're also some of the most confusing and misunderstood. So before we get too deep into using OAuth 2 with Spring Security, I want to just talk very briefly about what OAuth 2 actually is. So what is it? OAuth 2 is a protocol as well as a framework for providing access to HTTP services. It's often used for third-party access, so if you use social media and you grant an application access to your Facebook profile, for instance, that's done through OAuth 2. Google provides the same sort of structure with its frameworks. It's so common that you may not even realize you're doing it, but OAuth 2 really is all over the place. It can also be used for system-to-system communications in standalone mode or on behalf of another user. And from my perspective, this is actually the most common use case that I use, because we actually secure all of our web service calls with OAuth 2 between the client and server, on purpose, in order to make sure that we're protecting the data as needed.

Now, there are several key components of an OAuth 2 system. The first is the resource owner, and that's the data that is actually being protected. For instance, my profile data in Google would be the resource, and I'm the owner of that data because it's about me. Now, the client is the application that, for instance, I am using, or a service that is being used on my behalf, that is requesting access to the resource itself. The resource server in my previous use case would be Google's profile system itself. So it is the system that hosts the protected data in the accounts that we're requesting access to. And the authorization server is the service that grants tokens on behalf of me to the data that the resource server itself holds, that the application is requesting.

Now, there are a couple of token types, and we need to know about these tokens as we're interacting with OAuth 2 at a systemic level. The first is the access token, and this is the secret token that is used to identify the user. Often it is very short-lived, and that's on purpose, because that token uniquely identifies me and whatever permissions I've associated with it. As such, we don't really want it to live for a long time, because if it gets leaked, the security breaks down very quickly. Now, the refresh token is a little bit longer-lived token. It is used to renew an access token when that access token expires. So you may have an access token that lasts for a day, and you may have a refresh token that lasts for a week. So what that means is, if I log in today, I use my access token. If I come back tomorrow, I would use the refresh token to renew my access token. However, if I don't come back for another 14 days, my refresh token and my access token will both have expired, and I will have to go through the process of granting access once again.

Now, scopes are provided on the access tokens, and they're essentially the rights that are associated with the token. So for instance, in a server-side component, let's say we have a service that serves customer data. We would grant read access to another system that says you can access customer data, while not providing that same scope to a different access token.

Now, I kind of alluded to it here, but there are a couple of different types of grants, and those grants impact flow throughout the system. The authorization code grant is the most common, and that's what you would use if you see something on Facebook or Google where you're granting access to someone else on your behalf, or usually an application. Now, an implicit grant is a very common grant that is used in web apps and mobile apps where the security of that access token cannot be maintained. Often these don't come with refresh tokens, and they're very specific to a function of the application being granted access. Now, the one that I use most often, as I alluded to previously, is the concept of a client credential. Each system gets a client ID and a secret that it uses to get an access token and then do its work within the system based on the scopes that we previously defined.

Now, that's like a 100,000-foot view of OAuth 2, and it is by no means an in-depth explanation of every key component of OAuth. If you're really interested in understanding OAuth more, I've provided a text document as part of this chapter to give you some ideas, but of course, you can take it much deeper than I've provided you with this text document itself.
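The following Python is an added example, not code from the course and not Spring Security's API. It models the three parties the instructor describes (authorization server, resource server, client) and replays the token lifecycle from the transcript: an access token that lasts a day, a refresh token that lasts a week, a scope check on the resource server, and the day-14 case where both tokens have expired and the user must grant access again. It then runs the client credentials grant for a service acting as itself. The client IDs, secrets, user name and scope names are all constructed for the example. Two caveats the transcript glosses over are built in: RFC 6749 section 4.4.3 says the authorization server should not issue a refresh token for the client credentials grant (the client simply re-authenticates with its secret), and the implicit grant is left out because the IETF's OAuth 2.0 Security Best Current Practice (RFC 9700) recommends against using it.

```python
"""Toy OAuth 2.0 authorization server, resource server and client walkthrough.
Added example, not course code. Tokens are opaque random strings kept in memory;
the resource server validates them by asking the authorization server, the way
token introspection (RFC 7662) does. A fake clock makes expiry deterministic."""
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Optional

DAY = 86400
ACCESS_TTL = 1 * DAY    # short-lived, as in the transcript
REFRESH_TTL = 7 * DAY   # longer-lived, as in the transcript


class OAuthError(Exception):
    """Carries the RFC 6749 error code the token endpoint would return."""


@dataclass
class TokenRecord:
    client_id: str
    subject: str          # the resource owner, or the client itself
    scope: frozenset
    expires_at: float


@dataclass
class AuthorizationServer:
    clock: Callable[[], float] = time.time
    # Registered clients (constructed sample data): id -> (secret, scopes it may request).
    clients: dict = field(default_factory=lambda: {
        "web-app": ("web-secret", {"profile:read", "profile:write"}),
        "billing-svc": ("billing-secret", {"customer:read"}),
    })
    codes: dict = field(default_factory=dict)
    access: dict = field(default_factory=dict)
    refresh: dict = field(default_factory=dict)

    def _check_client(self, client_id: str, client_secret: str, scope: frozenset) -> None:
        secret, allowed = self.clients.get(client_id, (None, set()))
        if secret is None or not secrets.compare_digest(secret, client_secret):
            raise OAuthError("invalid_client")
        if not scope <= allowed:
            raise OAuthError("invalid_scope")

    def authorize(self, user: str, client_id: str, scope) -> str:
        """Consent step of the authorization code grant: the resource owner approves
        client_id for scope; the returned one-time code is redeemed at the token endpoint."""
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, user, frozenset(scope))
        return code

    def _issue(self, client_id: str, subject: str, scope: frozenset, with_refresh: bool) -> dict:
        now = self.clock()
        access_token = secrets.token_urlsafe(24)
        self.access[access_token] = TokenRecord(client_id, subject, scope, now + ACCESS_TTL)
        refresh_token = None
        if with_refresh:
            refresh_token = secrets.token_urlsafe(24)
            self.refresh[refresh_token] = TokenRecord(client_id, subject, scope, now + REFRESH_TTL)
        return {"access_token": access_token, "refresh_token": refresh_token,
                "scope": sorted(scope), "expires_in": ACCESS_TTL}

    def token(self, grant_type: str, client_id: str, client_secret: str, **params) -> dict:
        """Token endpoint for the grants used here: authorization_code, refresh_token, client_credentials."""
        if grant_type == "authorization_code":
            entry = self.codes.pop(params["code"], None)      # codes are single-use
            if entry is None or entry[0] != client_id:
                raise OAuthError("invalid_grant")
            _, user, scope = entry
            self._check_client(client_id, client_secret, scope)
            return self._issue(client_id, user, scope, with_refresh=True)
        if grant_type == "refresh_token":
            rec = self.refresh.get(params["refresh_token"])
            if rec is None or rec.client_id != client_id or rec.expires_at <= self.clock():
                raise OAuthError("invalid_grant")                 # expired or unknown: user must re-consent
            self._check_client(client_id, client_secret, rec.scope)
            return self._issue(client_id, rec.subject, rec.scope, with_refresh=False)
        if grant_type == "client_credentials":
            scope = frozenset(params.get("scope", ()))
            self._check_client(client_id, client_secret, scope)
            # RFC 6749 4.4.3: no refresh token; the client re-authenticates with its secret instead.
            return self._issue(client_id, client_id, scope, with_refresh=False)
        raise OAuthError("unsupported_grant_type")

    def introspect(self, access_token: str) -> Optional[TokenRecord]:
        """What the resource server asks: is this token live, and for whom and what?"""
        rec = self.access.get(access_token)
        if rec is None or rec.expires_at <= self.clock():
            return None
        return rec


class ResourceServer:
    """Hosts the protected data; requires a live bearer token carrying the needed scope."""
    def __init__(self, auth_server: AuthorizationServer):
        self.auth_server = auth_server

    def handle(self, access_token: str, required_scope: str):
        rec = self.auth_server.introspect(access_token)
        if rec is None:
            return 401, "invalid_token"                           # RFC 6750 error for a dead token
        if required_scope not in rec.scope:
            return 403, "insufficient_scope"
        return 200, f"ok for {rec.subject}"


class FakeClock:
    def __init__(self, start: float = 1_700_000_000.0):
        self.now = float(start)

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def walkthrough() -> dict:
    """Replays the transcript's day-0 / day-1 / day-14 scenario plus a client credentials call."""
    clock = FakeClock()
    authz = AuthorizationServer(clock=clock)
    api = ResourceServer(authz)
    out = {}
    # Day 0: alice consents, the web app redeems the code and calls the API.
    code = authz.authorize("alice", "web-app", {"profile:read"})
    tok = authz.token("authorization_code", "web-app", "web-secret", code=code)
    out["day0"] = api.handle(tok["access_token"], "profile:read")
    out["wrong_scope"] = api.handle(tok["access_token"], "profile:write")
    # Day 1: the access token is stale, the refresh token still works.
    clock.advance(DAY + 1)
    out["day1_stale"] = api.handle(tok["access_token"], "profile:read")
    tok2 = authz.token("refresh_token", "web-app", "web-secret", refresh_token=tok["refresh_token"])
    out["day1_refreshed"] = api.handle(tok2["access_token"], "profile:read")
    # Day 14: both tokens have expired; the refresh is refused and alice must consent again.
    clock.advance(13 * DAY)
    try:
        authz.token("refresh_token", "web-app", "web-secret", refresh_token=tok["refresh_token"])
        out["day14_refresh"] = "ok"
    except OAuthError as err:
        out["day14_refresh"] = str(err)
    # Client credentials: the billing service acts as itself, limited to its registered scope.
    svc = authz.token("client_credentials", "billing-svc", "billing-secret", scope={"customer:read"})
    out["svc_read"] = api.handle(svc["access_token"], "customer:read")
    out["svc_has_refresh"] = svc["refresh_token"] is not None
    try:
        authz.token("client_credentials", "billing-svc", "billing-secret", scope={"profile:read"})
        out["svc_overreach"] = "ok"
    except OAuthError as err:
        out["svc_overreach"] = str(err)
    return out


if __name__ == "__main__":
    for step, result in walkthrough().items():
        print(f"{step}: {result}")
```

The refresh token in this model keeps its original one-week expiry rather than being rotated on each use, which is what makes the day-14 outcome in the transcript come out as described; in a production authorization server, rotating the refresh token on every use is the safer default, since it lets the server detect a stolen refresh token being replayed.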
