OAuth key Terminology Explained

Rishi Jain
3 min read · Apr 20, 2020

If you are dealing with OAuth, or are just starting to learn about it, it is very important to understand a few key terms before you begin. These are terms you will encounter in OAuth implementations, articles and pretty much anything else to do with OAuth.

Fun fact: it's impossible that you have not encountered or used OAuth so far. Do you remember this from Facebook? :)

Well, that's an OAuth implementation.

In this article, we will try to understand all these technical terms with a simple example.

What is OAuth?

You may find several definitions, but the one I felt was closest is this:

OAuth is a delegated authorization framework for REST/APIs. It enables apps to obtain limited access (scopes) to a user’s data without giving away a user’s password.

Let's set the context!

You want to create a birthday collage for your friend with a photo collage app, and all the photos you want to use are stored in Google Drive.

Terminology

  1. Resource (Protected Resource): The object that every actor in this flow is after. In our example, it is a photo that resides on Google Drive.
  2. Resource Owner: The person who grants access to some portion of their account. The resources can be data (photos, documents, contacts), services (posting a blog entry, transferring funds), or any other resource requiring access restrictions. Any system that wants to act on behalf of the user must first get permission from them. In our case, "the user" is the resource owner who wants to use the photo that resides in Google Drive.
  3. Client: An application that accesses protected resources on behalf of the resource owner (such as a user). The client could be hosted on a server, desktop, mobile or other device. In our example, the "Photo Collage App" is the client.
  4. Resource Server: A server that sits in front of protected resources or, more precisely, holds them. The resource server must be able to accept and validate access tokens and grant the request if the user has allowed it. The resource server does not necessarily need to know about the applications. In our case, "Google Drive" is the resource server.
  5. Authorization Server: A server that issues access tokens after successfully authenticating the client and the resource owner and authorizing the request.

Generally speaking, it is the resource server's responsibility to enforce authorization and make sure the resource is secured. In our example, Google Drive is coupled with an authorization server, which makes sure the photo is secure and that anyone who accesses it is authorized to do so.

  6. Access Token: A token used to access protected resources.

  7. Authorization Code (flow dependent): An intermediary token generated when a user authorizes a client to access protected resources on their behalf. The client receives this code and exchanges it for an access token. This will make much more sense when you deep dive into the OAuth flows.
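To tie the seven terms together, here is an added example (not code from the original article) that models the actors in memory and walks the Photo Collage App through the authorization code flow: the owner consents, the client exchanges the single-use code for an access token, and the resource server checks token and scope before releasing the photos. The client id, redirect URI, user name and the scope "drive.photos.read" are constructed values.

```python
import secrets
import time
# Added example, not code from the original article: an in-memory model of the
# OAuth actors described above. The client id, redirect URI, user name and the
# scope "drive.photos.read" are constructed values.
CLIENTS = {"photo-collage-app": "https://collage.example/callback"}
PHOTOS = {"alice": ["cake.jpg", "party.jpg"]}  # constructed protected resource
class AuthorizationServer:
    # Authenticates the client, records the owner's consent, issues tokens.
    def __init__(self):
        self.codes = {}   # authorization code -> (client_id, user, scope)
        self.tokens = {}  # access token -> (user, scope, expiry)

    def authorize(self, client_id, redirect_uri, user, scope):
        # Resource owner approves limited access (scope) for a registered client.
        if CLIENTS.get(client_id) != redirect_uri:
            raise ValueError("unknown client or redirect_uri mismatch")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, user, scope)
        return code

    def exchange(self, client_id, code):
        # The code is single-use and bound to the client that obtained it.
        entry = self.codes.pop(code, None)
        if entry is None or entry[0] != client_id:
            raise ValueError("invalid or already used authorization code")
        token = secrets.token_urlsafe(24)
        self.tokens[token] = (entry[1], entry[2], time.time() + 3600)
        return token

    def introspect(self, token):
        # Tells the resource server whether a token is live, for whom, for what.
        entry = self.tokens.get(token)
        if entry is None or entry[2] < time.time():
            return None
        return {"user": entry[0], "scope": entry[1]}

def resource_server_get_photos(auth, token):
    # Resource server (Google Drive in the article): check token and scope, never a password.
    info = auth.introspect(token)
    if info is None or "drive.photos.read" not in info["scope"].split():
        raise PermissionError("access denied")
    return PHOTOS.get(info["user"], [])

def run_flow():
    # The client (Photo Collage App) obtains a code, exchanges it, fetches photos.
    auth = AuthorizationServer()
    code = auth.authorize("photo-collage-app", "https://collage.example/callback", "alice", "drive.photos.read")
    token = auth.exchange("photo-collage-app", code)
    return auth, code, token, resource_server_get_photos(auth, token)
```

Note that the client never learns the user's password and the resource server never sees the authorization code; it only validates the access token it is handed.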

Conclusion:

We have learned the key terminology used in OAuth. Now, when you dive into the different OAuth flows or other implementations, it will be easier to understand the flows and the actors involved in the OAuth realm.
