OAuth 2 protocol

OAuth 2 is the most common protocol for authorization. The protocol allows services and application to get access to specific scopes of data.

OAuth 2 roles

The protocol defines four roles:

Client: a system that requires access to some protected resourses;

Resourse Owner: the system or a person that owns the resource and can grant access to it. When the resource owner is a person, it is referred to as an end-user;

Authorization Server: the server that can issue Access Token to the client upon authentication and consent by the resource owner;

Resourse Server: the server that get request to the specific protected resources from the client and returns this resources if client's Access Token is valid.

OAuth 2 Tokens

Access Token can be used to get protected resources according to the scopes that resource owner give consent to.

Refresh Token is often granted by the authorization server alongside with Access Token. It can be used to get another pair of tokens when previous Access Token expired. Refresh Token has longer expiry time and is single-used.

JSON Web Token or JWT is a method for representing Access Token. It contains all needed data about authorization server, client and resourse owner, as well as granted scopes. JWT is cryptografically signed by the authorization server and can be validated using public keys named JWT Key Sets or JWKs. JWKs are provided by the authorization server.

Simple Examples

First example is a website "some-website" that allows it's users to show their email and/or profile picture from some social network. In this case Resourse owner is a user of a some-website and a social network, client is a some-website and a social media serves as authorization server and resourse server.

Second example is a website "some-website" that allows users to authenticate via some social network. Resourse owner now is a user of a social network, authorization server is a social network and both client and resource server is a some-website.

The special scope "openid" which are part of OpenID Connect protocol are used for authentication. More about this protocol is in it's dedicated page.