Introduction to OAuth

Learning Objectives

• Know that OAuth uses tokens to secure APIs
• Understand the structure of a JSON Web Token (JWT)
• Understand the OAuth Implicit Grant Flow

What is OAuth?

OAuth (2.0) is an open standard for authorization using access tokens.

If you've signed up to a new application using Facebook or Google login then you’ve used OAuth. OAuth provides secure "delegated access" which means an application can access resources from a server on behalf of the user, without them having to share their credentials.

In the example below, we sign up to a new application, Canva, using our Google account.

Google asks us to login and requests that we allow Canva access to specific information (scopes) about our Google account to allow Canva to complete the sign up process.

Canva is never aware of our login credentials, Google takes care of the authentication process and issues an access token to Canva to allow it to access an API which will return specific profile information.

OAuth focusses solely on authorising access to resources. The authentication process is achieved through OpenID Connect which we will discuss in detail in a future lesson.

OAuth supports authorization for a number of different use cases including:

• Server-server
• Web Apps
• Single Page Apps
• Native Mobile App

Token structure

Whilst OAuth does not mandate any specific format for tokens, the recommendation is to use JSON Web Tokens (JWTs). A JWT is easy to identify, it is three strings separated by a .

Here is an example:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJtZXNzYWdlIjoiSGVsbG8gZnJvbSBNdWx0aXZlcnNlISJ9.UaobFhVDPjPLdQFpXCkvojm7jxMY-wfyfzo7ORoFI4A

Use https://jwt.io to see the secret message hidden inside this token!

A JWT is made up of 3 parts:

• Header - specifies the type of token and the cryptographic algorithm used to sign the token
• Payload - contains a set of "claims" such as the time the token was issued, its expiry time etc.
• Signature - verifies who sent the token and that the token has not been tampered with

What makes OAuth secure?

• Token management means we can track each device that uses the API and revoke access if required
• Tokens expire, making it very hard for them to be reused
• OAuth provides 'scopes' which allow for fine-grained authorization e.g. only allow access to this specific API method for these specific user types

Assignment

1. Sign up or login to Spotify. This will give you access to the Spotify API endpoints which are secured by OAuth.

2. Study the request/response details of the Get Artist API endpoint. Test the endpoint using the Console.

3. Enable Chrome Developer Tools and study the HTTP requests made when "Get Token" is selected and when "Try It" is selected. Hint: Enable "Preserve log" so you can see all messages across calls and "Disable cache" so you don't get cached results.

4. Study the access token, is it a JWT?

5. Read the 'Implicit Grant Flow' section of the Spotify Authorization guide. This is the OAuth flow used by the Single-Page Application (SPA) Spotify Developer website. Note that there are other types of OAuth flows depending on whether you are building an SPA, Regular Web App or calling from machine to machine.

6. Create a sequence diagram which illustrates this OAuth Implicit Grant Flow used by the Spotify Developer website. Add messages which illustrate how tokens are obtained and the flow if the Spotify user is not logged in.

7. Commit your sequence diagram to GitHub and share the link with your coach for review.

Assignment extension tasks

Study the other authentication flows detailed in the Spotify Authorization guide. What are the differences between them and in what scenario is each one used?

Additional resources

For further reading about OAuth you may find these resources useful:

• Illustrated guide to OAuth and OpenID Connect

• What the heck is OAuth