In this tutorial, we are going to learn OAuth 2.0. OAuth 2.0 is developed by the IETF OAuth Working Group, published in October 2012.OAuth is an Authorization framework that enables your application to access other resources without sharing the password.
What is OAuth 2.0?
OAuth 2.0 is developed by the IETF OAuth Working Group, published in October 2012.OAuth is an Authorization framework that enables your application to access other resources without sharing the password. OAuth is also an Open Authorization protocol that allows your application to access
User Account Data on HTTP services such as Facebook, GitHub. It uses Authorization code and does not interact with user credentials.It provides authorization flows for web and desktop applications, and mobile devices. OAuth also enables the application to obtain limited access to user resource.
There are following Roles associated with OAuth.
Resource Owner :
Resource Owner is a User or person capable of granting access to the protected resource.
1- Client :
A Client is an application making the request to the protected resource on behalf of Resource Owner with its authorization. A client can be a Web-Based, a mobile or a desktop application.
2- Resource Server :
Resource Server is the hosting server where your protected resource is hosted. The Resource Server is capable of accepting and responding requests to the protected resource from the client.
3- Authorization Server :
The Authorization Server is responsible for issuing Access Token to the client after successfully authenticating the resource owner.
4- Access Token :
Access Tokens are the credentials sent by the client to resource server to access the protected resources. It is generally a combination of the string of a specific scope, Expiry time and other access attributes.
5- Refresh Token :
Since an Access Token has an Expiration time in case of Expiration the client can request new access token to the Authorization Server using the refresh token issued by the Authorization server
Advantages of OAuth 2.0:
Suppose I am providing an API (whether it is SOAP-based or RESTful) to a customer. One way to secure it we can use basic authentication where the username and password are sent using Base64 encoding and SSL is used to secure the data transfer. The drawback of this approach is the user sends username along with password over the wire.
With OAuth 2.0 in order to make the API secure, we don’t need to send UserName and Password. In order to make a request instead of UserName and Password, we sent Access Token.
Disadvantages of OAuth 2.0:
it will produce a wide range of non-interoperable implementations If you are adding more extension at the ends in the specification, which means you have to write separate pieces of code for Facebook, Google, etc.
If your favorite sites are connected to the central hub and the central account is hacked, then it will lead to serious effects across several sites instead of just one.
- Introduction to REST and HTTP.
- Introduction to ASP.NET Web API.
- Message Exchange Pattern (MEP) in WCF.
- What is WCF Contract?.
I hope this is a helpful topic for you. I would like to have your feedback, comments, and suggestions.