
When it comes to logging in and verifying our identities over the web, the fewer passwords we have to remember and enter for each account, the better. And the fewer times we have to submit those usernames and passwords over unsecured wifi connections, the less likely they are to get intercepted and compromised.

That’s why many app developers have turned to authorization frameworks to make life easier for users, and to safely and securely implement the sharing of user information between apps. If authentication is how an application verifies the identity of the user interacting with it, authorization builds on that to allow third-party applications to access your information via an API and a one-time “token” that grants access between the two.

For example, when your Spotify app asks if you’d like to log in using your Facebook account and it asks if you’ll grant Spotify to access Facebook and you click “Allow,” the app loads in your basic information, location, profile photo, friends, preferences, etc. The same thing goes for logging into Etsy with your Google account, or logging in to Pinterest, SoundCloud, or Nike Run Club with your Facebook account. That’s the Facebook OAuth implementation in action.

OAuth login screen

Without having to remember your individual username and password for each account, clicking “Allow” handles this for you, giving each third-party app the ability to access your information securely.

For developers who want to implement this into their apps, OAuth 2.0 has become one of the go-to frameworks to use. Here’s a look at how it works.

Authorization With The OAuth 2.0 Framework

OAuth 2.0 is the latest version of the OAuth framework. The protocol was originally designed with APIs in mind, but it turned out to be really well-suited to user authentication and has continued to evolve for that purpose.

What OAuth 2.0 does is provide developers with a framework for creating authorization “flows” in their applications. Rather than requiring users to go through the standard username and password login, and having to store sensitive information and passwords, developers can install and configure OAuth on an authorization server that “authorizes” an app to gather their information from elsewhere.

By clicking “Agree,” users are delegating access to their information via an API, which is granted through a token that’s submitted over an encrypted communication. The result? Protected information is seamlessly, securely shared between apps, whether it’s a desktop application, web application, native mobile application, or an IoT device.

Note: For APIs, full OAuth authorization is sometimes a more complicated solution than you need, and a simple API key might be a better fit. Read more in this article about API Security.

The Mechanics Behind Authorization

What’s involved in the authorization process? There are a few key players.

  • The end user, or “resource owner”: This is the individual using the client application who owns the resources (say, password and profile information) that the application needs to access.
  • The client application: This is the application the end user is using, like an online shopping site, email, or social networking application, that is attempting to access the end user’s information.
  • The resource server, or API: In smaller instances, this can be the same as the authorization server. This is the server that houses the protected user account the application is trying to access. An access token received from the authorization server must be presented before the user information can be retrieved.
  • The authorization server: This server presents the interface where the user can approve or deny the application’s request to access the resource server. It lets the application access that user’s information without the user having to enter his or her password into the application directly.
  • Tokens: These are objects or strings that contain security credentials for a login session, unique user identifier, user privileges, expiration dates, and other information necessary to complete the authorization flow.

This diagram shows how the process works.

OAuth workflow infographic

OAuth Security

OAuth isn’t perfect when it comes to security, as some have noted. Developers will still want to double down on security to avoid flaws in their 2.0 implementation, paying attention to things like session management, encryption or obfuscation of stored data and IDs, and securing the app’s source code.

OpenID Connect

Built on top of OAuth 2, OpenID Connect is a helpful “identity layer” that provides developers with a framework to build functional and secure authentication systems for mobile use. For users, it allows them to reuse their same credentials across multiple domains with an ID token, so they’re not required to register and sign in at each point. OpenID Connect can perform identity authorization and provide basic profile information for different clients, from web and mobile apps to JavaScript clients.

OpenID Connect is different from its predecessor OpenID 2 in that it’s API-friendly and fully integrated with OAuth 2.0’s capabilities.

More About Tokens

Access tokens are the hallmark of the OAuth 2.0 specification, but what exactly are these convenient, random character strings that power the authorization and authentication of modern web apps? If you’ve ever signed into a new service or mobile app with your Facebook or Gmail account, you’ve already taken advantage of an access token. That app basically outsourced the role of the authorization server to a third-party application, which then authenticated you, the user, when you typed in your username and password. It then issued an access token to the application, allowing it to pull the information it requires: your name, location, email, etc. The access token is simply a string of characters containing encrypted information that describes the security context of the interaction—an identifier, user permissions, and other data.

The most common types of tokens used by OAuth and OpenID include:

  • ID token: Introduced with OpenID Connect, an ID token is designed especially for user authentication, making it less API-focused. It uses the JWT (JSON Web Token) data format.
  • Access token: This token is issued by an authorization server, and it allows a client application to access protected resources on the resource server. It can be a JWT or a randomly generated value.
  • Bearer token: A specific type of access token.
  • Refresh token (introduced with OAuth 2): Access tokens’ lifespans can be pretty short, so a refresh token lets the application obtain a new access token when the current one expires, without sending the user back through login. Keeping access tokens short-lived is better for security reasons, too.

Token storage (much like encryption key storage) is important to ensuring the security of an app, so don’t let it fall to the wayside. These strategies will be different depending on whether you’re building a native app or a browser-based web application.

Implementing Authentication in Your App

The key to adding authentication measures to your app is to ensure you’re balancing security with usability. You’ll likely make trade-offs when making decisions about your specific implementation—and there will be lots of decisions to make.

Some programming language frameworks have authentication frameworks with built-in support for OAuth and OpenID, like Apache Shiro for Java, Ruby on Rails’ Devise framework and Ruby’s OmniAuth, .NET’s OWIN framework, Python Social Auth and Django, and PHP’s Auth and opauth. Or, you can opt to integrate with a third-party service.

To get started with OAuth 2.0 specifically, you’ll need to register your application, noting the application’s name, address, and redirect URI where the authentication request is returned. (Note: That URI must be an “https” address because OAuth enforces TLS-encrypted connections.) After you’re registered, you’ll be given a client ID that’s used by the service’s API to identify your app when it’s making a request. Depending on the flow you want—whether it’s for a server-side application, a native mobile app, or API access—there will be different steps. This article has excellent tutorials for getting set up with each flow, if you want to learn more.
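To make the key players, the token types listed above, and this registration step concrete, here is an added example (not code from the original article or any real OAuth library) that simulates an authorization server, token endpoint, and resource server in one process. Client names, user names, and profile data are constructed sample values; token lifetimes and the in-memory dictionaries are assumptions for the demo.

```python
import secrets, time

CLIENTS, AUTH_CODES, ACCESS, REFRESH = {}, {}, {}, {}  # constructed in-memory state; a real server persists this
PROFILES = {"alice": {"name": "Alice Example", "email": "alice@example.invalid"}}  # constructed resource server data
ACCESS_TTL = 300  # seconds: access tokens are deliberately short-lived; refresh tokens renew them

def register_client(name, redirect_uri):
    """Registration step from the article: name plus an https redirect URI in, client ID out."""
    if not redirect_uri.startswith("https://"):
        raise ValueError("redirect URI must be an https address")
    client_id = secrets.token_urlsafe(16)
    CLIENTS[client_id] = {"name": name, "redirect_uri": redirect_uri}
    return client_id

def authorize(client_id, redirect_uri, user, approved, now=None):
    """Authorization server: the resource owner clicks Allow or Deny; Allow yields a one-time code."""
    client = CLIENTS.get(client_id)
    if client is None or client["redirect_uri"] != redirect_uri or not approved:
        return None  # unknown client, redirect URI is not the registered one, or the user denied
    code = secrets.token_urlsafe(24)
    AUTH_CODES[code] = {"client_id": client_id, "user": user, "exp": (now or time.time()) + 60}
    return code

def _issue(user, client_id, now=None):
    """Mint a fresh bearer access token plus a refresh token bound to the client."""
    access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
    ACCESS[access] = {"user": user, "exp": (now or time.time()) + ACCESS_TTL}
    REFRESH[refresh] = {"user": user, "client_id": client_id}
    return {"access_token": access, "refresh_token": refresh, "token_type": "Bearer", "expires_in": ACCESS_TTL}

def exchange_code(client_id, redirect_uri, code, now=None):
    """Token endpoint: the code is consumed on first use, so a replayed code gets nothing."""
    grant = AUTH_CODES.pop(code, None)
    if (grant is None or grant["client_id"] != client_id or (now or time.time()) > grant["exp"]
            or CLIENTS[client_id]["redirect_uri"] != redirect_uri):
        return None
    return _issue(grant["user"], client_id, now)

def refresh_access(client_id, refresh_token, now=None):
    """Refresh grant: a new access token without another login; the used refresh token is retired."""
    grant = REFRESH.pop(refresh_token, None)
    if grant is None or grant["client_id"] != client_id:
        return None
    return _issue(grant["user"], client_id, now)

def get_profile(bearer_token, now=None):
    """Resource server: release the profile only for a known, unexpired access token."""
    entry = ACCESS.get(bearer_token)
    if entry is None or (now or time.time()) > entry["exp"]:
        return None
    return PROFILES[entry["user"]]
```

Walking a client through register_client, authorize, exchange_code, get_profile and refresh_access in that order reproduces the diagram’s flow; passing a future `now` to get_profile shows the expired-token path that the refresh token exists to handle.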

Ready to implement OAuth 2.0 on your application? Find a skilled OAuth developer on Upwork to get started.
