Written by Lê Trần Xuân Phương (XP) from Safewhere team
OAuth 2.0 has spread widely along with the growth of social media networks, since it is the most common technique behind the scenes for integrating social media login into an application that requires account registration.
When talking about OAuth 2.0, many people (developers included) think of authentication, security or SSO. So let’s briefly look through the history of web authentication mechanisms to reveal the truth about OAuth 2.0 before talking about its uses and how it benefits your applications.
From the very early days, the simplest pattern, and the one most familiar to everyone, has been HTTP basic authentication. It is a simple challenge mechanism with weak security by which a server requests authentication information from a user. Each web application has to store and protect its own credentials database.
As time went on, the number of websites and services rose rapidly, and a user would want to access multiple sites at once. The federated identity concept, and SSO on top of it, were born as a revolution. In this model a web application (aka service provider, or SP) is secured by an identity provider (aka IdP). First, the end user contacts the identity provider to negotiate a security token (a cryptographically signed token), and second, hands it off to the SPs to access those sites. That means the web applications delegate authentication and security matters to their IdP. Hence, if a user is already authenticated, he/she is allowed to access those sites’ resources without worrying about permission anymore, as illustrated in the following image.
Another important note is that in the first years of the 21st century, most websites were heavy and their interaction happened in browsers only. That is why the first and most popular specification for federation/SSO was SAML 2.0, an OASIS Standard released on March 15, 2005. The SAML 2.0 specification contains many open standards, one of which is specially designed for web SSO. It uses session cookie storage in the web browser to keep the user’s identity, which contains identity claims and is signed by the IdP, for access to web apps. Hence, using SAML 2.0 outside web browsers is a problem.
The modern web technologies
Many years later, web technology has moved on to another stage. Now we have modern web, mobile and device-based applications, and especially the expanding social media networks (Facebook, Google, Twitter, etc.), which behave differently from the traditional web application. Instead of loading all application data from its own server, an application tends to make AJAX calls to internal/external REST API services.
The same goes for the way people build their web services. Now they prefer REST or stateless APIs to WCF services. A common REST API service is shared by many applications as well as many different kinds of devices. As a result, the significant advantages of SAML 2.0 are no longer viable in this situation. Using HTTP basic authentication is not a good option either, since the service would have to share user credentials with many client applications. So the question becomes how to give an application access without giving it the user’s credentials. That is a matter of authorization, not authentication anymore.
That is when OAuth 2.0 became popular.
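The two ideas above, a signed security token negotiated once at the IdP and then handed to service providers, and access granted to a client without handing it the user’s credentials, can be seen in a small piece of code. The following is an added example, not code from the original article or from Safewhere; the user database, the shared signing key, the claim names and the scope strings are all constructed for illustration, and a real deployment would use an asymmetric key pair (or a standard such as SAML or JWT) rather than a shared HMAC secret.

```python
"""Added example (not from the original article): a minimal federated
token flow.  The identity provider (IdP) checks the password once and
mints a signed token carrying identity claims; a service provider (SP,
here a REST API) accepts that token on the strength of the signature,
so the SP and any intermediate client never see the user's password.
Everything below (users, key, claims, scopes) is constructed demo data.
"""
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key shared by IdP and SP.  Not for production: with a
# real IdP the SP would hold only a public key and could not mint tokens.
IDP_KEY = b"demo-idp-signing-key-not-for-production"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# ---- identity provider side ------------------------------------------
# Constructed user store: username -> sha256(password).  A real IdP would
# use a salted, slow password hash; the point here is only that the
# password check happens in exactly one place.
USERS = {"alice": hashlib.sha256(b"correct horse").hexdigest()}


def idp_issue_token(username, password, audience, scope, ttl=300, now=None):
    """Authenticate the user at the IdP and return a signed token, or
    None if the credentials are wrong.  The token is 'body.signature'
    where body is base64url(JSON claims)."""
    if USERS.get(username) != hashlib.sha256(password.encode()).hexdigest():
        return None
    now = time.time() if now is None else now
    claims = {"sub": username, "aud": audience, "scope": scope,
              "iat": int(now), "exp": int(now) + ttl}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(IDP_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


# ---- service provider / REST API side --------------------------------
def sp_verify_token(token, expected_audience, required_scope, now=None):
    """Validate signature, expiry, audience and scope.  Returns the claims
    dict on success or a short failure reason; no password is involved,
    which is what lets one IdP serve many SPs and many client apps."""
    try:
        body, sig = token.split(".")
    except ValueError:
        return "malformed"
    expected = hmac.new(IDP_KEY, body.encode(), hashlib.sha256).digest()
    # Check the signature before trusting anything inside the body.
    if not hmac.compare_digest(expected, _unb64(sig)):
        return "bad signature"
    claims = json.loads(_unb64(body))
    now = time.time() if now is None else now
    if claims["exp"] <= now:
        return "expired"
    if claims["aud"] != expected_audience:      # token meant for another SP
        return "wrong audience"
    if required_scope not in claims["scope"].split():
        return "insufficient scope"
    return claims


def demo():
    """Full round trip: IdP issues, a third-party client forwards the
    token, the API accepts it.  The client only ever holds the token."""
    token = idp_issue_token("alice", "correct horse", "photos-api",
                            "photos:read", now=1_700_000_000)
    return sp_verify_token(token, "photos-api", "photos:read",
                           now=1_700_000_010)


if __name__ == "__main__":
    print(demo())
```

The checks in sp_verify_token run in the order a defender wants: signature first, so nothing from an unverified body is ever interpreted; then expiry, audience and scope, so a token minted for one SP or one purpose cannot be replayed against another.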