What is OAuth 2.0 in layman's terms?

What is OAuth 2.0 in layman's terms?

The OAuth 2.

0 specification defines a system for authorization and access that lets you: Get permission from a user to access his or her information. Use the user's permission to generate and send an access token to the app requesting the permission. Send the access token to your server along with an ID, a password, and other access data. At your server, you use the ID and password to validate the access token and return permission to access the user's data. The authorization server can be as simple as a web form or as complex as a secure server that is specifically designed for authenticating requests. A web form authorization server requires a little code on the app developer's end, but the user experience isn't very gooda pop-up window has to be displayed to the user to request permission. A secure server requires some work to design and maintain. However, the user experience is much better because the user isn't forced to open another browser window.

How does it work? OAuth 2.0 is a relatively new protocol designed to make it easy for an app to access another's resources without getting the app itself access to those resources. Think of it as a layer of security that sits between the app developer and the resource owner, like the way a firewall sits between you and the resources on a web server.

What are the requirements for this security layer to work? You need an access token. You don't have to set up a server with web forms to get one, but if you do, that means every app in your system would need to request access to your servers to get one. It is recommended that you have a server that only validates access tokens and issues them.

You need a grant type. In OAuth 2.0, there are three types of grant types: permission grant, refresh token grant, and client credential grant. A permission grant is what the user gives the app permission to access the resource owner's data. An example of a permission grant is when you ask the user for their name, and then later you use the name to contact them. The refresh token grant gives your app a way to get a new access token without having to ask again.

Why is a bad idea to use OAuth 2.0 for authentication?

Let's say the OAuth 2.

0 spec has a requirement of "user must accept terms and conditions". Does it still matter if the browser allows any app access to your Facebook or Instagram account? It's trivial to implement the user acceptance terms on all modern browsers. So is there any reason a user would actually be prompted for their consent again and again if they have to click once to agree to it?

If you are asking why they have that clause, then that's answered above (trivial to implement) and in the link provided. The answer to your other question is that they don't want the user to be confused. The user can be confused and have no idea what's happening, they are presented with their password and then get this pop up box.

It's a trade-off and they are trying to make sure that when the user clicks that button they are going to the right place and know that they are granting access to their accounts.

What is the difference between SSO and OAuth?

I'm reading about the different authentication methods that might be available on a website.

On the one hand, OAuth is a specification for exchanging data between a consumer (ie your app or server) and a provider (ie the website). The data can be anything but is mostly application-specific and doesn't involve access to private data on the site.

On the other hand, SSO is something completely different: it is just authentication. The consumer sends its credentials to the website (through an interface like a Web page or an app) and it doesn't get involved in other stuff.

Is there any difference between the two or they are both just authentication? The two concepts are orthogonal to each other. SSO works with a trusted party on the server side. OAuth can work with trusted parties, but does not require them.

SSO can be used within OAuth, but requires that the OAuth-provider is known, such that a user can authenticate using their Google credentials, and receive a token from that authentication. So, if you use a third-party provider in the backend, you need to make sure the provider knows all the users that should be allowed access.

If you want to have authentication for an user, without trusting any third party, SSO is your friend. This is typically used for "login by yourself" and can be provided by, eg, Twitter, Facebook or Google.

As you mention in a comment: a trusted backend service for authentication (but not storage, nor access) can be used as a provider for OAuth.

Related Answers

Is magic link better than password?

Well, I think it's a way for me to learn about the new ways to make it easier to do t...

What does SASL mean?

SASL stands for Simple Authentication and Security Layer. It's...

What is the difference between SSO and OAuth?

SASL and SSL, both are protocols used by applications to perform secure socket lay...