Question

In: Computer Science

Many consumer web services let users use their Google account or Facebook account to log in to the service without having to create a new account. This is a form of access control covered in the lecture. Explain how this mechanism works. What are the protocols that are used?

Please provide a detailed explanation, and also provide the source (web link) of information as well. Thank you so much.

Solutions

Expert Solution

Why use OAuth2

Users Need To Remember Their Credentials

Users can register or log in to any application that uses OAuth2 without using any credentials such as an email address and/or password. They just need to authorize the app to access their information from the selected OAuth provider. This step is performed only simultaneously.

Blocking Safety Holes

On the OAuth2 machine, the user does not provide passwords to log in or sign up for the app. Therefore, from a development perspective, developers do not need to store a user password. This, in fact, prevents the misuse of password storage.

Developer OK

Developers can easily use OAuth2 in the app. They just need to go through the technical documentation of a particular OAuth provider. For example, if log-in and/or sign-up with Facebook needs to be implemented, the developer needs to visit the official docs page of the Facebook OAuth provider.

Ability to manage non-web clients

In the OAuth2 authorization process, the system that sends requests to the authorization server is known as the client. A client can be a browser, mobile app or other device. That's how OAuth2 manages non-web clients as well.

How OAuth2 works

Before discussing OAuth2's working principle, it would be best to discuss the key roles played by each component in this protocol.

  • App Owner: Means the user who gives permission to authorize the app to access his account. The scope of authorization determines the app's access to the user's account.
  • Resources or Authorization Server: The authorization server is responsible for verifying user identity. A resource server refers to a server that holds secure user accounts.
  • Client: Refers to an application that logs into a user account. However, in order to do so, it must be authorized by the user, and that authorization process must go through the verification process carried out by the API.

Now that you know the roles that each part plays, let's talk about OAuth2's complete workflow in simple terms.

OAuth is a standard open protocol or framework that explains how unrelated servers and services can securely grant guaranteed access to their assets without sharing a real logon. In the name of authentication, this is known as security, third party, user-agent, authorized.

Examples of OAuth

A simple example of OAuth is when you sign in to a website and it provides one or more opportunities to sign in using another website / service logon. Then you click on a button linked to another website, another website confirms it, and the website you were linking to install it yourself and use the permission obtained from the second website.

Another common example of an OAuth situation would be a user sending cloud files to another user via email, where the cloud storage and email programs are unrelated apart from OAuth framework support. When the end user attaches files to his or her email and browses to select files to attach, OAuth can be used to secretly allow the email system to authenticate and browse to protected files without the need for a second logon in file storage. In another example, provided in the OAuth 2.0 RFC, the end user uses a third-party printer to print image files stored on an unrelated web server.

In all cases, two or more services are used for one transaction by the end user, and every end user would be happy to be asked to make a second transaction on what they feel is a single transaction. For OAuth to work, the end-user client software (e.g., browser), the compatible services and the authentication providers must support the correct OAuth type (1.0 versus 2.0).

Explains OAuth

When trying to understand OAuth, it may be helpful to remember that OAuth scenarios often represent two sites or unrelated services that are trying to achieve something on behalf of users or their software. All three must work together including allowing multiple transactions to be completed in order to be authorized.

It is also helpful to remember that OAuth is all about authorization in particular and not directly about certification. Authentication is a user / title process that proves the identity of the presented identity, by providing a password or other unique or revered item. Authorization is the process of allowing resources to access a study after proving effective authentication, often elsewhere. Many people think that OAuth represents open authenticity, but it is very helpful to understand it by thinking of it as open AUTHorization.

The first launcher describes OAuth as similar to a car's valet key, which can be used to allow the valet to temporarily drive and park the car, but it does not allow the valet the full, unlimited access of the owner's standard keys. Instead the car can be driven for just a few miles, cannot reach the trunk or a locked glove box, and can have many other limitations. OAuth basically allows the user, through a proven authentication provider with which they have been successfully verified before, to provide another website / service a limited access token for authorization for other applications.

In addition, OAuth 2.0 is a framework, not a rule of thumb (as in version 1.0). It would be like all car manufacturers agreeing on how valets will automatically request, receive and use valet keys, and what those valet keys will look like in general. What valet keys can do compared to full-function keys will be up to each car manufacturer. As in real life, valets and car owners do not have to pay attention to how everything works. They just want everything to work as well as it can when they turn the key.

How OAuth works

Suppose a user is already logged in to one website or service (OAuth only works using HTTPS). The user then initiates a feature / activity that requires access to another site or service that is not related. The following is possible (greatly simplified):

  • The first website links to the second website on behalf of the user, using OAuth, providing a guaranteed user identity.
  • The second site generates a one-time token and a one-time secret that separates transactions from the parties involved.
  • The first site provides this token and secret to the beginner user's software.
  • The client software delivers the application token and password to its authorization provider (which may or may not be the second location).
  • If it is not verified by the accreditation provider, the client may be asked to authorize it. After verifying the authenticity, the client is asked to approve the authorization transaction on the secondary website.
  • The user allows (or his or her software approves silently) certain types of transactions on the original website.
  • The user is provided with an access token (note that it is no longer a request token).
  • The user provides the approved access token to the first website.
  • The first website provides access to the second website as proof of authenticity on behalf of the user.
  • The second website allows the first website to access its site on behalf of the user.
  • The user sees the successfully completed transactions take place.

OAuth is not the first system to verify authenticity / authorization to work this way on behalf of the end user. In fact, many authentication programs, especially Kerberos, work similarly. What is special about OAuth is its ability to work across the web with its wide acceptance. It has succeeded in adoption rates where previous attempts have failed (for various reasons).

Although not so simple, web coders seem to easily understand the transactions involved. An OAuth-compliant website can be done in a few hours to a day (once you have done it before). With a little extra effort, guaranteed website access could be extended to hundreds of millions of additional users. There is no need for a website to have its own authentication system with great scalability. You can find an example of a single HTTP transaction pack here.
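The "log in with another site" exchange described above, as an added example that is not part of the original answer: a simplified in-memory simulation of the OAuth 2.0 authorization code grant in Python, with the roles the answer names (user, client application, authorization server, resource server) and the two checks a consumer site should make, matching the `state` value to the browser session and accepting each authorization code only once. The provider, client ids, secrets, redirect URL and the user "alice" are constructed for the example; there is no network, so the redirect URL is handed to the client directly.

```python
import secrets, time
from urllib.parse import urlencode, urlparse, parse_qs

class Provider:
    # Authorization server + resource server of the identity provider (constructed example).
    def __init__(self, client_id, client_secret, redirect_uri):
        self.client = {"id": client_id, "secret": client_secret, "redirect_uri": redirect_uri}
        self.codes, self.tokens = {}, {}
    def authorize(self, client_id, redirect_uri, scope, state, user):
        # Reached after the user has authenticated at the provider and consented to `scope`.
        if client_id != self.client["id"] or redirect_uri != self.client["redirect_uri"]:
            raise ValueError("unknown client or unregistered redirect_uri")
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"scope": scope, "user": user, "expires": time.time() + 60}
        return redirect_uri + "?" + urlencode({"code": code, "state": state})
    def token(self, client_id, client_secret, code):
        # Back-channel exchange: the client proves its own identity, the code proves user consent.
        if client_id != self.client["id"] or not secrets.compare_digest(self.client["secret"], client_secret):
            raise PermissionError("invalid client credentials")
        grant = self.codes.pop(code, None)  # single use: a replayed code is rejected
        if grant is None or grant["expires"] < time.time():
            raise PermissionError("invalid, expired or replayed authorization code")
        token = secrets.token_urlsafe(32)
        self.tokens[token] = {"user": grant["user"], "scope": grant["scope"]}
        return {"access_token": token, "token_type": "Bearer", "scope": grant["scope"]}
    def userinfo(self, access_token):
        # Resource server: the bearer token, never the user's password, authorizes the read.
        info = self.tokens.get(access_token)
        if info is None or "profile" not in info["scope"].split():
            raise PermissionError("token missing or lacks 'profile' scope")
        return {"sub": info["user"]}

class ClientApp:
    def __init__(self, provider, client_id, client_secret, redirect_uri):
        self.p, self.cid, self.secret, self.uri = provider, client_id, client_secret, redirect_uri
    def start_login(self, user):
        state = secrets.token_urlsafe(16)  # kept in the browser session; blocks CSRF on the callback
        return state, self.p.authorize(self.cid, self.uri, "profile", state, user)
    def handle_callback(self, callback_url, session_state):
        q = parse_qs(urlparse(callback_url).query)
        if q.get("state", [None])[0] != session_state:
            raise PermissionError("state mismatch: this callback was not started by this session")
        tok = self.p.token(self.cid, self.secret, q["code"][0])
        return self.p.userinfo(tok["access_token"])["sub"]

def run_flow():
    provider = Provider("webapp", "s3cret", "https://app.example/cb")
    app = ClientApp(provider, "webapp", "s3cret", "https://app.example/cb")
    state, callback_url = app.start_login("alice")  # user picked "log in with Provider"
    return app.handle_callback(callback_url, state)   # returns "alice"
```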

