Understanding OAuth2 Authentication in Web Applications
By Udit Agarwal
The OAuth2 authorization framework (RFC 6749) lets a user grant one application limited access to their account at another service, acting on their behalf, without ever handing over their password. The name is short for Open Authorization 2.0. Instead of credentials, the application receives an access token and presents that token to the third-party service, so the user's password is never exposed to the application.
OAuth2 gives applications delegated, scoped access to protected resources. From the user's side, it means they can use the protected parts of a site without creating yet another account with yet another set of credentials.
An example makes the idea concrete. You are reading a story on a news site and want to tweet it. Clicking the small blue bird icon opens a window asking you to log in to Twitter. By signing in there, you allow the news site to post to your feed, yet the news site never sees your Twitter password; it only receives a token scoped to that action.
OAuth2 uses access tokens, not shared passwords, to authorize a consumer application to act at a service provider such as Twitter, Facebook or Google. Most users never notice what happens in the background, and that is the point: the framework delivers this delegation for users who must interact with many services that each require a sign-in.
How does OAuth2 work?
OAuth2 is about authorization, not authentication. Authentication is proving who you are to an application or system. Authorization is being granted permission to specific data or actions within it, which a client obtains by requesting it.
The “auth” in “OAuth2” stands for authorization. Rather than the user and the service provider passing credentials back and forth, the authorization server issues temporary tokens that carry the granted permissions, and the client presents those tokens to the resource server.
Authorization Flows
Resource Owner Password Credentials
The Resource Owner Password Credentials flow has one hard prerequisite:
• Because the client handles the user’s raw credentials, it must be a highly trusted, first-party application.
It is described here because many existing systems still use it, but note that RFC 6749 already positions it as a fallback for legacy clients, the OAuth 2.0 Security Best Current Practice says it must not be used, and the OAuth 2.1 draft removes it. New designs should prefer the authorization code flow with PKCE.
The flow has the following steps:
1. The client prompts the user for their credentials (a username/password combination).
2. The client sends those credentials, together with its own client identifier and secret, to the authorization server’s token endpoint. The authorization server validates them and returns an access token and, optionally, a refresh token.
3. The client uses the access token to access resources on the resource server.
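The three steps above, played out on both sides in one process, as an added example that is not code from the original article. The client id, client secret, user account, scope name and endpoints are constructed for illustration; the exchange follows the shape of a password grant request and token response, with opaque random tokens so no token format is assumed.

```python
"""Resource Owner Password Credentials grant: client, authorization server and
resource server in one process. Added example for this article; all identifiers
and sample data below are constructed."""
import base64
import hashlib
import hmac
import os
import secrets
import time

TOKEN_TTL = 3600  # assumed access-token lifetime in seconds

# --- Authorization server state (constructed sample data) -----------------
CLIENTS = {"first-party-mobile-app": "s3cret-client-password"}  # client_id -> secret


def _hash_pw(password: str, salt: bytes) -> bytes:
    """Passwords are stored salted and stretched, never in the clear."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


_salt = os.urandom(16)
USERS = {"alice": (_salt, _hash_pw("correct horse battery", _salt))}

TOKENS = {}          # access_token -> {"sub", "scope", "exp"}
REFRESH_TOKENS = {}  # refresh_token -> subject


def build_token_request(client_id, client_secret, username, password, scope):
    """Step 1-2, client side: the request the app sends to the /token endpoint.
    The client authenticates itself with HTTP Basic and posts the user's credentials."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": f"Basic {creds}",
               "Content-Type": "application/x-www-form-urlencoded"}
    form = {"grant_type": "password", "username": username,
            "password": password, "scope": scope}
    return headers, form


def handle_token_request(headers, form):
    """Step 2, authorization server side: authenticate client and user, issue tokens."""
    # Authenticate the client first; an unknown or wrong client gets no further.
    try:
        scheme, b64 = headers["Authorization"].split(" ", 1)
        client_id, client_secret = base64.b64decode(b64).decode().split(":", 1)
    except (KeyError, ValueError):
        return 401, {"error": "invalid_client"}
    expected = CLIENTS.get(client_id)
    if scheme != "Basic" or expected is None or \
            not hmac.compare_digest(expected.encode(), client_secret.encode()):
        return 401, {"error": "invalid_client"}
    if form.get("grant_type") != "password":
        return 400, {"error": "unsupported_grant_type"}
    # Verify the resource owner's password against the stored hash, in constant time.
    user = USERS.get(form.get("username", ""))
    if user is None:
        return 400, {"error": "invalid_grant"}
    salt, stored = user
    if not hmac.compare_digest(stored, _hash_pw(form.get("password", ""), salt)):
        return 400, {"error": "invalid_grant"}
    # Mint opaque tokens and remember them server-side; the client cannot forge these.
    access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
    scope = form.get("scope", "")
    TOKENS[access] = {"sub": form["username"], "scope": scope, "exp": time.time() + TOKEN_TTL}
    REFRESH_TOKENS[refresh] = form["username"]
    return 200, {"access_token": access, "token_type": "Bearer",
                 "expires_in": TOKEN_TTL, "refresh_token": refresh, "scope": scope}


def resource_server_get_profile(headers):
    """Step 3, resource server side: accept only a live Bearer token with the right scope."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, {"error": "invalid_token"}
    rec = TOKENS.get(auth[len("Bearer "):])
    if rec is None or rec["exp"] < time.time():
        return 401, {"error": "invalid_token"}
    if "profile:read" not in rec["scope"].split():
        return 403, {"error": "insufficient_scope"}
    return 200, {"user": rec["sub"]}


def demo():
    """Run the whole flow for the constructed user and return the resource response."""
    headers, form = build_token_request("first-party-mobile-app", "s3cret-client-password",
                                        "alice", "correct horse battery", "profile:read")
    status, body = handle_token_request(headers, form)
    if status != 200:
        return status, body
    return resource_server_get_profile({"Authorization": f"Bearer {body['access_token']}"})


if __name__ == "__main__":
    print(demo())
```

Note that the password travels from the client to the authorization server exactly once, and the resource server never sees it at all; it only sees the Bearer token and the server-side record behind it. That single transit is still the reason this grant is discouraged: the client has to be trusted with the raw password.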
JWT (JSON Web Tokens)
OAuth2 talks about tokens constantly but says little about how they are generated or used: the framework does not specify the format of access tokens or refresh tokens. It is up to developers to choose a token format for their chosen authorization flow. In theory a fixed, never-expiring string could serve as an access token; that is not secure. In practice many developers use the JWT (JSON Web Token) format. A JWT is self-contained, so a server can validate it from the token alone without querying a data store.
A JWT consists of three parts:
• A header describing the type of the token and the signing algorithm,
• A payload containing the claims,
• A signature for verifying the token.
Each part is Base64URL encoded and the three are joined with dots, so the token can be carried safely in a URL, header or query string. The encoding is not encryption: anyone holding the token can decode the header and payload, and only the signature stops them from altering it.
Developers choose a signing algorithm for the JWT, and the payload carries pre-defined registered claims. The Beginner’s Guide uses the RS256 algorithm and sets two registered claims in the JWT’s payload. When a server receives a JWT it first checks that the algorithm named in the header is one the server itself allows; the token must never be allowed to pick the algorithm freely. Next it verifies the signature to establish that the JWT is intact and came from the issuer’s key. Finally it validates the registered claims that are present. In the case of this guide, that means confirming the JWT has not expired (exp) and comes from the expected issuer (iss). Custom claims such as scopes are not validated automatically; developers extract and check them themselves.