There are several advantages of using Open Authorization 2.0 (OAuth2.0) framework for accessing resources from a server, over the more traditional ones like Basic or Form authentication, prime being the peace of mind of end user. With OAuth2.0 end users do not have to worry about sharing their credentials with a third party application allowing it to access data from main server on their behalf.
There are obviously other advantages like easy mingling of OAuth2.0 with other security protocols like SAML, providing granular access to resources etc., but scope of this article would be making end users secure by allowing them not to share their credentials with any third party applications.
So what's the best way for training a developer on OAuth2.0, who has experience of authentication using Basic and Form standards, show him a sample and show it's not complicated as is the normal perception.
I love the analogy which is used on IBM Smartcloud documentation page to explain OAuth2.0, here is the scenario
1. Mike asks Paul to go to the bank on his behalf.
2. Paul gives Mike his previously registered ID to submit to the Bank.
3. Mike goes to the Bank, proves his own identity, and then submits Paul's ID to register Paul as his courier.
4. Bank confirms with Mike: "Do you want to allow Paul to access your assets?"
5. As Mike trusts Paul, he agrees.
6. Bank grants a temporary code to Mike.
7. Mike passes the temporary code to Paul.
8. Paul immediately goes to the bank to submit the code because the code is short-lived
(if Paul waits too long the code expires and the process must begin all over again).
9. Bank validates the temporary code submitted by Paul.
10. Bank issues Paul a token that lets him bypass the registration check for the next two hours.
11. Paul accesses Mike's assets. (Note: The Connections Cloud implementation of OAuth 2.0 provides unlimited access to user resources).
12. Within 2 hours, Paul must renew the token so he can continue to access Mike's assets.
As you can see, Mike never shares his banking credentials directly with Paul, instead all Paul has is a temporary token to do transactions on behalf (or impersonating) Mike. This is critical since cases of user credentials being stolen from such third party app stores is becoming all common these days, consider what would happen if the ecommerce site where you stored your card details gets hacked ?
Getting the code part of things
Application Registration
For a third party application wishing to leverage OAuth2.0 on IBM Connections Cloud, it has to register itself with I BM Connections cloud platform. It also has to provide a Callback URL while registering, this is the url where Smartcloud will redirect user to on successful authorization, so it is important to finalize this before application starts registration process.
Upon successful registration platform returns with a ClientId and Client Secret..
OAuth2.0 Dance : Process of an application leveraging OAuth2.0 is often referred to as OAuth2.0 dance.
Step One : When user tries to access Third party application, and it recognizes user is not logged in, it redirects user to the IBM Connections Cloud authorization page using a url like below
https://apps.na.collabserv.com/manage/oauth2/authorize?response_type=code&client_id=<client_id>&callback_uri=<callback_uri>
Once user enters right credentials, an explicit question is asked if user wants to allow 'third party application' to access his data on server
Step Two : IBM Connections Cloud returns with a 302, with the target value header having the value of applications callback url. It also includes a special token called Authorization token.
Here is the format used
https:///<callback-uri>?code=1236879.
Step Three : Third party application then exchanges this authorization code with access token from host server. Here is the api call it would be making
https://apps.na.collabserv.com/manage/oauth2/token?callback_uri=<callback_uri>&lient_secret=<client_secret>&client_id=<client_id>&grant_type=authorization_code&code=<authorization_code>
IBM Connections cloud then returns with access token, which application can use to make api calls on behalf of end users.
Below are some diagrams which explains the above process
Incase you are looking for a sample implementation look at
1. https://github.com/OpenNTF/SocialSDK
2. https://www.youtube.com/watch?v=BW6t-WeEGs0
