OAuth (2.0) is an open standard for authorization using access tokens.
If you've signed up to a new application using Facebook or Google login then you’ve used OAuth. OAuth provides secure "delegated access" which means an application can access resources from a server on behalf of the user, without them having to share their credentials.
In the example below, we sign up to a new application, Canva, using our Google account.
Google asks us to login and requests that we allow Canva access to specific information (scopes) about our Google account to allow Canva to complete the sign up process.
Canva is never aware of our login credentials, Google takes care of the authentication process and issues an access token to Canva to allow it to access an API which will return specific profile information.
OAuth focusses solely on authorising access to resources. The authentication process is achieved through OpenID Connect which we will discuss in detail in a future lesson.
OAuth supports authorization for a number of different use cases including:
Whilst OAuth does not mandate any specific format for tokens, the recommendation is to use JSON Web Tokens (JWTs). A JWT is easy to identify, it is three strings separated by a .
Here is an example:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJtZXNzYWdlIjoiSGVsbG8gZnJvbSBNdWx0aXZlcnNlISJ9.UaobFhVDPjPLdQFpXCkvojm7jxMY-wfyfzo7ORoFI4A
Use https://jwt.io to see the secret message hidden inside this token!
A JWT is made up of 3 parts:
Sign up or login to Spotify. This will give you access to the Spotify API endpoints which are secured by OAuth.
Study the request/response details of the Get Artist API endpoint. Test the endpoint using the Console.
Enable Chrome Developer Tools and study the HTTP requests made when "Get Token" is selected and when "Try It" is selected. Hint: Enable "Preserve log" so you can see all messages across calls and "Disable cache" so you don't get cached results.
Study the access token, is it a JWT?
Read the 'Implicit Grant Flow' section of the Spotify Authorization guide. This is the OAuth flow used by the Single-Page Application (SPA) Spotify Developer website. Note that there are other types of OAuth flows depending on whether you are building an SPA, Regular Web App or calling from machine to machine.
Create a sequence diagram which illustrates this OAuth Implicit Grant Flow used by the Spotify Developer website. Add messages which illustrate how tokens are obtained and the flow if the Spotify user is not logged in.
Commit your sequence diagram to GitHub and share the link with your coach for review.
Study the other authentication flows detailed in the Spotify Authorization guide. What are the differences between them and in what scenario is each one used?
For further reading about OAuth you may find these resources useful: