Today we are going to learn about OAuth
OAuth (2.0) is an open standard for authorization. It controls authorization to a protected resource such as an API.
If you’ve ever signed up to a new application and agreed to let it access your Facebook data or phone contacts, then you’ve used OAuth. OAuth provides secure delegated access which means an application can access resources from a server on behalf of the user, without them having to share their credentials. It does this by allowing an Identity Provider (we will be using Auth0) to issue access tokens. The token informs the API that the bearer of the token is authorized to access the API.
Photo: Caitlin Ochs for The New York Times
In a nightclub, when you enter and pay your entry fee, you will often be stamped or given a bracelet to wear on your wrist. This shows the security staff on the door that you have paid, and you can enter and leave the club for that evening. The bracelet or stamp is like a token the club (Identity Provider) has issued. With a legitimate stamp or bracelet, the door staff (API middleware) check it and, if it's OK, let you in (to the controller).
Let's look at this diagram which illustrates the OAuth flow we are going to be using to secure our API resource:
It's important to understand the difference between OAuth and OpenID Connect. OpenID Connect is a small extension to OAuth. OAuth is for authorization, whereas OpenID Connect is for authentication. OAuth allows you to give a third-party app partial access to your resources (e.g. your Google calendar). OpenID Connect lets you sign up and log in to an app using your credentials from another app (e.g. "Sign up using Facebook").