OAuth 2.0 and OpenID Connect
with Ash Ketchum and his Pokémons
Imagine the number of registrations you have to do on various sites , huge hassle right? Typing username , email , gender , etc. is a tedious task to do in scenarios where you just want to register and get your work done. On the other hand you are a geeky dev who wants to implement “Authorization” and “Authentication” in your application (web , mobile , etc.) but still don’t want to bug the user to type this long information for you or you simply want to access some information on his behalf from Google like his contacts . How do you do this , securely and conveniently (at least for the user 😜) ;
Lets keep the names aside and talk plain English here . We’ll divide our whole post into two sections — “Authorization” (OAuth 2.0) and “Authentication” (OpenID Connect).So take your Coke Cans out and lets turn some caffeine into some code 😉.
Authorization Reloaded
What is authorization ? Why do we need that ?
Imagine you are Ash Ketchum the legendary Pokémon master . You fight various leagues and collect Pokémons. As you have a limit on the number of Pokémons you can keep with yourself so you leave your Pokémons in none other than Professor Samuel Oak’s laboratory.
Professor Samuel hired an assistant named Rocket from Rocket Inc. Rocket was responsible for giving Pokémons to their respective owners whenever they requested but Professor Oak didn’t trusted anyone with PokeBall repository ,he would himself open the repository using Owner’s credentials and give their Pokémon to Rocket .
Rocket was appointed to ask owners their credentials and take those credentials to Professor Oak and get their Pokémon. The owners were a bit worried about their credentials getting misused but Professor requested everyone not to be worried as Rocket is a very trusted person , despite of Professor’s assurance owners started removing their PokeBalls from Professor Oak’s laboratory .
For geeks ,this could be a better way to understand the scenario :
getPokemon(username , password ,pokeBallId){ //Rocket's function
if(professorAuthenticates(username,password)){
return getPokeBall(pokeBallId);
}else{
return "Wrong Credentials";
}
} What is the issue here ? Inspite of Rocket being a trusted person we cannot give our credentials to a third party. Can we do better ? Can we remove the risks involved in exposing our credentials without compromising functionality? Turns out that we can.
OAuth 2.0 :
After all this chaos , Professor decided to use OAuth to solve the issue. Now let’s see how the “Authorization” occurs . The owners now no longer require to reveal their credentials to rocket , now whenever someone asks Rocket to get their Pokémon , Rocket makes a phone call to Professor Oak and hands over the phone to the owners , now Professor Oak asks the owners to tell their credentials and after the credentials are verified and “consent” is given , Professor Oak returns an Auth Code to Rocket. After receiving the Auth Code , Rocket requests for an Authorization token. After receiving this magical token , Rocket can go and use that token to take the Pokémon out and deliver it to the owner without having the need to know the credentials.
What problem did this mechanism solve ?
Answer : The credentials have to be only revealed to Professor Oak , owners can choose to give consent to Rocket via Professor Oak to bring their Pokémons and Rocket can conveniently do his work .
For the mighty Geeks this pseudo code might help to make the view clear :
initiateCallToProfessorOak(){
username = getUsernameFromOwner();
password = getPasswordFromOwner();
if(userIsValid(username , password)){
if(consentOfUser() == true){
return genAuthCode();
}else{
return null;
}
}else {
return null;
}
}getPokemon(pokeBallId){
authCode = initiateCallToProfessorOak();
accessToken = getAccessToken(authCode);
if(accessToken == null)
return "Something Went Wrong";
else
return getPokeBall(accessToken);
}
OAuth 2.0 has some terminologies which I will discuss in the next post , but I’ll introduce them here to set the stage up :
- Resource Owner : Ash and other owners.
- Client : Rocket (Person who requests authorization).
- Authorization Server : Professor Oak.
- Resource Server : Professor Oak’s Lab.
- Authorization Grant : Phone Call .
- Redirect URI : Rocket (after the permission ,phone is handed to Rocket).
- Authorization Code : Auth Code that Rocket get’s from Prof. Oak.
- Access Token : Magical token to take Pokémons out from lab.
Stay tuned for more details on OAuth 2.0 and OpenID Connect, in next post I’ll describe more about OAuth 2.0 and how OpenID connect powers up OAuth 2.0 to use it for authentication. Till then keep your passwords safe 😉;
