What is OAuth?
OAuth, or Open Authorization, is an open standard that allows users to grant third-party applications access to their resources without requiring them to share their login credentials. Instead of users exposing their passwords, OAuth authorizes third-party apps using temporary access tokens to grant access on the user's behalf.
For example, suppose you're using a third-party app like Mailchimp, a popular email marketing tool, and want to import your Google Contacts to build an email list. Instead of manually downloading and uploading each contact to Mailchimp, OAuth enables you to securely connect your Google Account to Mailchimp, granting limited access to your contacts without exposing your password.
OAuth vs OAuth 2.0: What's the difference?
OAuth, or OAuth 1.0, requires each authorization request to be signed with a cryptographic signature. This means the third-party app must sign the request with a shared secret key, which the authorization server must replicate to verify the request. While cryptographic signatures ensure the request has not been altered, they do not encrypt the data, so it is vulnerable to being intercepted or stolen while in transit.
OAuth 2.0 simplifies the authorization process by replacing cryptographic signatures with HTTPS encryption, providing secure end-to-end data transmission. OAuth 2.0 uses short-lived access tokens and refresh tokens to enhance security by minimizing token exposure. It also offers greater flexibility by supporting several different authorization flows based on the type of application, such as web apps, mobile apps and server-to-server communication.
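To make the OAuth 1.0 side of this comparison concrete, here is an added example (not code from the page or any OAuth library) of how a client signs a request with HMAC-SHA1 and how the server verifies it, following the base-string and key construction in RFC 5849. The consumer key, both secrets, the nonce and the API URL are constructed for illustration.

```python
"""OAuth 1.0 request signing with HMAC-SHA1 (RFC 5849): the client signs,
the server recomputes and compares. Added example, not the page's own code;
the consumer key, secrets, nonce and URL are constructed."""
import base64
import hashlib
import hmac
from urllib.parse import quote


def pct(value) -> str:
    """Percent-encode with only RFC 3986 unreserved characters left bare,
    the exact form OAuth 1.0 requires for every key, value and the URL."""
    return quote(str(value), safe="")


def signature_base_string(method: str, base_url: str, params: dict) -> str:
    """METHOD & encoded-URL & encoded-normalized-parameters. Parameters are
    encoded, sorted and joined, and that whole string is encoded again."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(base_url), pct(normalized)])


def sign(method, base_url, params, consumer_secret, token_secret=""):
    """Client side: HMAC-SHA1 over the base string, keyed by both secrets."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    base = signature_base_string(method, base_url, params).encode()
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode()


def verify(method, base_url, received_params, consumer_secret, token_secret=""):
    """Server side: strip oauth_signature, recompute with the same shared
    secrets and compare in constant time. Any change to the method, URL or
    a parameter changes the base string and fails this check."""
    received = received_params.get("oauth_signature")
    if received is None:
        return False
    unsigned = {k: v for k, v in received_params.items() if k != "oauth_signature"}
    expected = sign(method, base_url, unsigned, consumer_secret, token_secret)
    return hmac.compare_digest(expected.encode(), received.encode())


# Constructed request: a client fetching page 2 of a contacts API.
REQUEST_URL = "https://api.example.com/contacts"
REQUEST_PARAMS = {
    "oauth_consumer_key": "client-key",
    "oauth_nonce": "n0nce",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1700000000",
    "oauth_version": "1.0",
    "page": "2",
}
CONSUMER_SECRET = "consumer-secret-constructed"
TOKEN_SECRET = "token-secret-constructed"


def signed_request() -> dict:
    """The parameters a client would actually send, signature included."""
    sent = dict(REQUEST_PARAMS)
    sent["oauth_signature"] = sign("GET", REQUEST_URL, REQUEST_PARAMS,
                                   CONSUMER_SECRET, TOKEN_SECRET)
    return sent


if __name__ == "__main__":
    sent = signed_request()
    print("base string:", signature_base_string("GET", REQUEST_URL, REQUEST_PARAMS))
    print("signature  :", sent["oauth_signature"])
    print("verifies   :", verify("GET", REQUEST_URL, sent, CONSUMER_SECRET, TOKEN_SECRET))
    tampered = dict(sent, page="3")  # altered in transit: signature no longer matches
    print("tampered   :", verify("GET", REQUEST_URL, tampered, CONSUMER_SECRET, TOKEN_SECRET))
```

Note what the signature does and does not give you: flipping `page` from 2 to 3, changing the method, or using the wrong secret all fail verification, but every parameter, the consumer key and the signature itself still travel in cleartext. That is the "prevents tampering but not interception" tradeoff the table below describes, and why TLS is still needed underneath OAuth 1.0.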
| Feature | OAuth 1.0 | OAuth 2.0 |
|---|---|---|
| Security | Uses cryptographic signatures with a shared secret key for each request. Prevents tampering but not interception. | Uses HTTPS/TLS encryption for secure end-to-end data transmission |
| Token system | Single token type with no standard expiration | Uses short-lived access tokens and refresh tokens for better security |
| Request verification | Both the app and server must generate matching signatures to verify requests | TLS handles the encryption and verification of requests |
| Authorization flows | Single flow for all use cases | Multiple flows supporting different application types (web, mobile, server-to-server) |
| Implementation complexity | Complex due to cryptographic signature requirements | Simpler implementation due to reliance on HTTPS |
| Modern usage | Less common in modern applications | Industry standard for modern applications |
| Security tradeoff | Additional signature security layer but more complex | Relies on TLS security but is simpler to implement correctly |
| Recommended for | Legacy systems that require signature verification | Most modern applications and APIs |
While both OAuth and OAuth 2.0 are practical options, OAuth 2.0 is recommended because it is easier to implement and more commonly used in modern applications.
How OAuth works
Here is a step-by-step guide on how OAuth 2.0 works using the Authorization Code Grant flow:
- User initiates authorization: A user wants to grant a third-party application (called the client) access to their resources hosted on a server. This typically begins when the user clicks a button like "Log In with Google" or "Connect to GitHub" on the client application.
- Client requests authorization: The client redirects the user to the authorization server's authorization endpoint. The request includes parameters such as `client_id`, `redirect_uri`, `response_type=code`, `scope` and `state` (for CSRF protection). The user may then be prompted to authenticate (if not already logged in) and approve or deny the requested access.
- Authorization is granted: If the user approves the request, the authorization server redirects the user's browser back to the client's `redirect_uri`. An authorization code is included in the URL along with the `state` parameter, which the client should verify to ensure the request wasn't tampered with or intercepted.
- Client requests an access token: The client sends a request to the token endpoint to exchange the authorization code for tokens. This request must include the authorization code, `client_id`, `client_secret` (if applicable), `redirect_uri` (must match the original request) and `grant_type=authorization_code`.
- Client receives access and refresh tokens: If the request is validated, the authorization server issues an access token to authenticate API requests and a refresh token to obtain new access tokens when the current one expires. The client stores these tokens securely and uses the access token in API requests.
- Client uses refresh token: When the access token expires, the client can request a new one by sending a refresh token request to the token endpoint. This request includes `client_id`, `client_secret`, `refresh_token` and `grant_type=refresh_token`.
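The client-side half of the six steps above, as an added example (not code from the page or from any provider's SDK): building the authorization URL, checking `state` on the redirect back, and forming the code-exchange and refresh requests. The endpoints, client id, secret and token values are constructed; the request parameter names follow RFC 6749, which names the code parameter `code`. The helper also refuses any non-HTTPS endpoint, which is the transmission risk the page discusses further down.

```python
"""Client-side construction and checking of the OAuth 2.0 Authorization Code
flow messages. Added example, not the page's own code; endpoints, client ids
and token values are constructed for illustration."""
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed endpoints; a real authorization server publishes its own.
AUTHORIZE_ENDPOINT = "https://auth.example.com/authorize"
TOKEN_ENDPOINT = "https://auth.example.com/token"


def require_https(url: str) -> str:
    """Codes and tokens travel in these requests, so plain HTTP is refused."""
    if urlparse(url).scheme != "https":
        raise ValueError(f"refusing non-HTTPS endpoint: {url}")
    return url


def new_state() -> str:
    """Unguessable per-login value; store it in the user's session (CSRF protection)."""
    return secrets.token_urlsafe(32)


def build_authorization_url(client_id, redirect_uri, scope, state,
                            authorize_endpoint=AUTHORIZE_ENDPOINT):
    """Step 2: the authorization-endpoint URL the browser is redirected to."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
    }
    return f"{require_https(authorize_endpoint)}?{urlencode(params)}"


def parse_callback(callback_url, expected_state, registered_redirect_uri):
    """Step 3: pull the authorization code out of the redirect back to
    redirect_uri, refusing it unless `state` matches what we stored."""
    parsed = urlparse(callback_url)
    if parsed._replace(query="", fragment="").geturl() != registered_redirect_uri:
        raise ValueError("callback arrived at an unexpected redirect_uri")
    query = parse_qs(parsed.query)
    if "error" in query:
        raise PermissionError(f"authorization denied: {query['error'][0]}")
    received_state = query.get("state", [""])[0]
    if not hmac.compare_digest(received_state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: possible CSRF or a response for another login")
    if "code" not in query:
        raise ValueError("callback carries no authorization code")
    return query["code"][0]


def build_token_request(code, client_id, client_secret, redirect_uri,
                        token_endpoint=TOKEN_ENDPOINT):
    """Step 4: POST body that exchanges the code for tokens. RFC 6749 calls the
    code parameter `code`; redirect_uri must equal the one used in step 2."""
    body = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
    }
    if client_secret is not None:  # confidential clients only
        body["client_secret"] = client_secret
    return require_https(token_endpoint), body


def bearer_header(access_token):
    """Step 5: how the access token is presented on API requests."""
    return {"Authorization": f"Bearer {access_token}"}


def build_refresh_request(refresh_token, client_id, client_secret,
                          token_endpoint=TOKEN_ENDPOINT):
    """Step 6: POST body that trades a refresh token for a new access token."""
    body = {
        "grant_type": "refresh_token",
        "refresh_token": refresh_token,
        "client_id": client_id,
    }
    if client_secret is not None:
        body["client_secret"] = client_secret
    return require_https(token_endpoint), body


if __name__ == "__main__":
    # Walk through the flow with a simulated redirect from the authorization server.
    state = new_state()
    print(build_authorization_url("my-client", "https://app.example.com/callback",
                                  "contacts.read", state))
    simulated = f"https://app.example.com/callback?code=c0de-constructed&state={state}"
    code = parse_callback(simulated, state, "https://app.example.com/callback")
    print(build_token_request(code, "my-client", "s3cret-constructed",
                              "https://app.example.com/callback"))
```

The `state` check in `parse_callback` is the part most often skipped in practice: without it, a redirect carrying someone else's authorization code would be accepted and exchanged as if the current user had approved it. The comparison is constant-time and the value comes from `secrets`, so it cannot be guessed or inferred from timing.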
OAuth advantages
Using OAuth offers several advantages, such as reducing the risk of credential theft, improving the user experience and enabling Single Sign-On (SSO).
Reduces the risk of credential theft or misuse
OAuth eliminates the need for users to share their credentials directly with third-party applications. Instead, it relies on an authorization server to manage access, significantly reducing the risk of credential exposure, especially in the event of a data breach. OAuth 2.0 uses short-lived access tokens that grant limited access to resources for a specified time. These tokens can be revoked by the user at any time, ensuring that access remains temporary and under the user's control.
Improves user experience
OAuth simplifies the user experience by allowing users to access multiple accounts and resources using their existing accounts, eliminating the need to create separate usernames and passwords for each service. This speeds up access and reduces the hassle of managing multiple sets of login credentials.
Enables Single Sign-On
OAuth enables SSO by allowing users to log in once with a trusted service provider and then use multiple apps without re-entering credentials. As long as the user remains logged in to the provider, they can seamlessly use other apps connected to the same account. For example, a user logged in to Google can also access apps that rely on Google for authentication.
OAuth disadvantages
Despite its advantages, OAuth has some security risks, including the possibility that tokens can be compromised if not securely stored or transmitted, and that users may still be vulnerable to phishing attacks.
Tokens can be compromised if not securely stored
Access tokens and refresh tokens are valuable targets for cybercriminals because they provide direct access to user data and resources. If tokens are stored improperly, threat actors can compromise them, potentially leading to unauthorized access and compromised accounts.
Tokens can be compromised if not securely transmitted
If tokens are sent over an unsecured connection, such as using HTTP instead of HTTPS, they can be intercepted by a Man-in-the-Middle (MITM) attack. Once compromised, a token can be used to gain unauthorized access to a user's resources.
Susceptible to phishing attacks
OAuth relies on redirecting users to an authorization server to grant permissions, but this process can be exploited in phishing attacks. In a phishing attack, an attacker lures users into entering credentials on a fake login page that impersonates the legitimate authorization server. If users fail to notice the difference, they may unknowingly enter their credentials, giving attackers access to accounts and sensitive data.