Auth Technology

Retrieving Resources From Resource Server Using OAuth Technology

What Are This Resource Servers?

Basically resource servers are the servers which are storing users (clients) information. These servers are belongs to their companies. As an example Facebook is the owner of Facebook resource server.

Why do we need to retrieving resources from resource servers?

The answer is, for convenience of the clients/customers. In day-to-day life we have to provide our details to various kind of web applications when we are going to log into them. In such kind of situations we have to fill almost same applications/web forms again and again for same purpose. This process is a very annoying one and also time consuming.

Auth is the secure authorization solution for this problem. Once we created a Facebook or Gmail or any kind of web account , using their resources/login details we can login to another web application within limited access of resources.

Since the last 10 years most of the popular web applications have implemented their resource servers. Facebook, Google, flicker, Yahoo, amazon.it are the examples. And  as third parties we are free to use those resource servers within client consent.

What is OAuth?

Auth is an open-source authorization framework, that allows a third party website or web-application to access an user's/client's data with his/her approval/consent and also without the user providing login details. 

OAuth defines four major roles:

1. Resource server: Mentioned in earlier
2. Client
3. Resource owner
4. Authorization server

Client

Client is the third party application that wants to access resource owners information form resource servers.

Resource Owner

Resource owner is the person who owns the account. As an example if you think your face-book account, you are the resource owner of your face-book account.

Authorization Server

Authorization server is a server which likes a ticket counter. Using this server client/third party application obtains authorization code or we can call it as an access token. This process is fully depend on resource owner response to the authorization request made by the client. If the resource owner grant the authorization, then only client can request to the authorization server for asking access token.

OAuth has three main end points:

Two authorization server end points 

1) Authorization end point - In Authorization server.

• Used by the client to obtain authorization from the resource owner via user-agent redirection.

2) Token end point - In Authorization server

• Used by the client to exchange an authorization grant for an access token, typically with client authentication.

One client/third party application end point

3) Redirection end point - In Client/Third party application

• Used by the authorization server to return responses containing authorization credentials to the client via the resource owner user-agent.

Authorization Grant

An authorization grant is the legal representation of client/third party to obtain the  access token form authorization server, which is provided by resource owner.

There are four authorization grant types used for different use cases.

1. Authorization code grant type
2. Implicit grant type
3. Client credentials grant type
4. Resource owner password credentials grant type

Authorization code grant 

Obtained by using an authorization server. Used for develop a server side web application. That means we have a web site and if we trying on a web server, that web application wants get resources from above web server. In such a case we have to use authorization code grant type.

In here client requests authorization grant from resource owner and using that grant, client again requests access token from authorization server. After get it, by presenting that client requests the resources from resource server. Before providing the resources which has client request, resource server will validate the access token from connecting with authentication server.

Implicit 

The implicit grant type is an another grant type that made for single web pages created using script language such as JavaScript. In this process, instead of issuing the client an authorization code, the client is issued an access token directly. As a result of that there is no intermediate credentials (authorization code from resource server) are issued. That means authorization server does not authenticate the implicit grant type.

Client credentials 

The client credential grant type can be used as an authorization grant when the authorization is limited to the protected resources under the control of the client. Basically this client credentials are used as an authorization grant , when the client is acting as on its own behalf. As a result of that there are no authorization endpoint and redirection end point in the client credentials grant type. 

Resource owner password credentials

In other grant types client doesn't know resource owner's password. But when it comes to the password credential grant type, third party application must know the user's username and password for get an access token. In such a case the credentials should only be used when there is a high degree of trust between the resource owner and the client. It recommended, in scenario is like where the client it self from the original vendor. As an example when we are using face-book mobile application we have to give the password and username of our face-book account. In that case we know and trust the above third party application. Because we know that it is from face-book vendor it self.

Access tokens eventually expire. After that expiry period obviously client have to perform above process again for take the new access token. However some grants respond with a refresh token when the access token comes to the expire. We can define it as an another grant type.

Refresh token grant

• Only support for authorization grant type.
• Only valid for one time ( Until getting new access token).
• After getting new access token, it will come up with new refresh token and previous one is discarded.
• Used for remove the user interaction with gaining again and again access token when it expires.
• Valid period is high.

Flow of OAuth Technology

In here I used simple real world scenario to explain the above oauth flow.

Client/Third party application = Ikman.lk  moblie application

Resource owner = Anjula

Authorization server = Face-book authorization server

Resource server = Face-book 

Now I want to login ikman.lk moblie application from using my face-book account.

(A) :- Ikman.lk mobile application requests authorization from Anjula (resource owner) to access his protected face-book resources. This can be done by directly with Ikman.lk (client) and Anjula (resource owner) or via Face-book OAuth server (authorization server). If the Face-book OAuth server directly enrolled with this process , the request from the Ikman.lk is goes to Face-book OAuth server authorization endpoint. It depends on the grant type that we used.

(B) :- Ikman.lk moblie app receive an authorization grant from Anjula, which is a representation of resource owner's authorization.

(C) :-  Ikman.lk app request an access token from the face-book authorization server by presenting the authorization grant received from the Anjula. This is done by sending a request to the face-book authorization server's token endpoint. 

(D) :- Face-book authorization server authenticate and validate the authorization grant and if it is valid then only issue an access token from face-book authorization server.

(E) :- Ikman.lk provide the access token to face-book resource server and requesting the protected resource from that server.

(F) :- Face-book resource server validate the access token provided by ikman.lk app connecting with face-book authorization server. If that access token is valid one provide the resources which are requested by Ikman.lk moblie application.

This is the correct flow of OAuth technology and I have developed a sample of  OAuth technology.
You can download full source code from my git-hub account. 

Link is here : OAuth technology sample

Simply you can read the readme file and work with this sample code.