It’s widely used to grant third-party applications limited access to user resources without sharing passwords.
The protagonists
You have the following protagonists involved:
- User: The person who wants to access a resource.
- Client: The application the user wants to use to access the resource.
- Authorization Server: The server that issues the access token after verifying the user’s identity and permissions.
- Resource Server: The server hosting the user’s resources that the client wants to access.
Key Steps
- Authorization Request: The client requests authorization from the user to access resources.
- User Authorization: The user grants or denies the authorization request.
- Authorization Code: If the user grants access, the authorization server provides an authorization code to the client.
- Access Token Request: The client exchanges the authorization code for an access token by making a request to the authorization server.
- Access Token: The authorization server issues an access token to the client.
- Access Resource: The client uses the access token to request the resource from the resource server.
- Resource Delivery: The resource server validates the token and provides the requested resource to the client.
Sequence Diagram
Below is a sequence diagram illustrating these steps:
[Sequence diagram: User, Client, Authorization Server and Resource Server exchanging the messages listed above]
Detailed Steps
- Authorization Request: The client application redirects the user to the authorization server with a request to access resources.
- User Authorization: The user is presented with a consent form where they can approve or deny the client’s request.
- Authorization Code: Upon user approval, the authorization server redirects the user back to the client application with an authorization code.
- Access Token Request: The client application sends the authorization code to the authorization server in exchange for an access token.
- Access Token: The authorization server validates the authorization code and issues an access token to the client.
- Access Resource: The client uses the access token to request resources from the resource server.
- Resource Delivery: The resource server validates the access token and returns the requested resources to the client.
This way, the user’s credentials are never shared with the client application, and the client can only access the resources it has been authorized to use.
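To make the seven steps concrete, here is an added example (not code from the original article) that simulates the authorization code flow in memory: the client id, secret, redirect URI, user name and resource data are all constructed placeholders. It shows the checks the authorization server and resource server perform at each step: the redirect URI must match the registered one, the code is short-lived and single-use, the client must authenticate before the exchange, and the token must carry the scope the resource requires.

```python
import secrets
import time

# Constructed registration data: one client with its secret and redirect URI.
CLIENTS = {"photo-app": {"secret": "s3cret", "redirect_uri": "https://photo-app.example/cb"}}
codes, tokens = {}, {}  # auth code -> grant, access token -> grant (in-memory stores)

def authorize(client_id, redirect_uri, scope, user, approved=True):
    """Steps 1-3: user consents; the server issues a short-lived, single-use code."""
    client = CLIENTS.get(client_id)
    if client is None or client["redirect_uri"] != redirect_uri:
        raise ValueError("unknown client or redirect_uri mismatch")
    if not approved:
        return None  # the user denied the request: no code is issued
    code = secrets.token_urlsafe(16)
    codes[code] = {"client_id": client_id, "user": user, "scope": scope,
                   "redirect_uri": redirect_uri, "exp": time.time() + 60}
    return code

def exchange_code(client_id, client_secret, code, redirect_uri):
    """Steps 4-5: the client authenticates and swaps the code for an access token."""
    client = CLIENTS.get(client_id)
    if client is None or not secrets.compare_digest(client["secret"], client_secret):
        raise PermissionError("client authentication failed")
    grant = codes.pop(code, None)  # pop, not get: a code can only be redeemed once
    if (grant is None or grant["client_id"] != client_id
            or grant["redirect_uri"] != redirect_uri or grant["exp"] < time.time()):
        raise PermissionError("invalid, expired or already-used code")
    token = secrets.token_urlsafe(32)
    tokens[token] = {"user": grant["user"], "scope": grant["scope"], "exp": time.time() + 3600}
    return token

def get_resource(token, required_scope):
    """Steps 6-7: the resource server validates the token before returning data."""
    grant = tokens.get(token)
    if grant is None or grant["exp"] < time.time() or required_scope not in grant["scope"]:
        raise PermissionError("invalid token or insufficient scope")
    return {"owner": grant["user"], "photos": ["beach.jpg", "dog.jpg"]}  # constructed data

def run_flow():
    """Walks the whole flow for user 'alice' and returns the delivered resource."""
    code = authorize("photo-app", "https://photo-app.example/cb", {"photos:read"}, "alice")
    token = exchange_code("photo-app", "s3cret", code, "https://photo-app.example/cb")
    return get_resource(token, "photos:read")
```

Note that the client never sees alice's password: it only ever holds the code and the token, and the token is only good for the scope she approved.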
Follow me
Thanks for reading this article. Make sure to follow me on X, subscribe to my Substack publication and bookmark my blog to read more in the future.
Photo by Pixabay.