What is OAuth and how does it secure REST API calls?

35,943

Since most providers use OAuth 2.0 and OAuth 1.0 has been deprecated by major providers, I will explain OAuth 2.0.

What is OAuth?

OAuth is an open standard for authorization, commonly used as a way for Internet users to log in to third party websites using their Microsoft, Google, Facebook, Twitter, One Network etc. accounts without exposing their password.

You can implement your own OAuth server; here I am explaining social auth, so the term OAuth hereafter refers to social auth with OAuth.

In layman's terms, OAuth lets users log in to your web service with their accounts (Facebook, Google, etc.).

Terminology:

  • Client: the user of your API.
  • Resource Owner (api server): your API.
  • Authorization Server (auth server): the Facebook/Google etc. auth server.
  • Authorization grant: the method by which you authorize a user. We are using Authorization code here.
  • Authorization code: a code that the auth server returns to the client, which can be exchanged for an access token at the api server.
  • Access Token: a string that identifies a user; it usually comes with an expiry period.
  • Consumer Key or APP_ID: a public key used by the auth server to identify your application.
  • Consumer Secret or APP_SECRET: a private key which should be kept confidential.

The below terms have nothing to do with OAuth but are used with OAuth to make it more secure.

  • Timestamp: a string that gives the date and time.
  • Nonce: a number or string which can be used only once.

[diagram of the OAuth login flow]
source: http://smerity.com/

I will explain the diagram with Facebook login as an example.

Background: consider that you have done the below before the diagram is explained:

  1. You register an app with Facebook developers portal.
  2. Facebook provides you with two codes: 1) a secret_key and 2) an app_id.
  3. You designed a button which says Login with Facebook.

Now the diagram:

  1. The client requests the API server.
  2. The API server redirects to a login page saying: to access the data, please log in with Facebook to access the page.
  3. The user clicks on the Login with Facebook button; a new popup OAuth dialog opens, asking for the Facebook username and password.
  4. The user enters his username and password, then allows access to your app. The auth server redirects the user to your website with a code as a parameter in the URL.
  5. The API server is called in step 4; the API server captures the code from the URL.
  6. The API server calls the auth server with the provided client_secret.
  7. The auth server returns the access token for the user to the API server.
  8. The API server asks the auth server for user information for the given access token.
  9. The auth server returns details about the user: profile pic, email, etc.
  10. The API server identifies the user and sends him the response along with the access token.
  11. The client sends the access token to the API server on the next request.
  12. The API server checks if the access token is valid and responds.
  13. When the access token has expired, the client is asked to log in again.

Now, how does this secure your API?

Make the portions which need security require login to access them. If the client who makes the request is not logged in to your API, send him to step 2 of the diagram.

So what is a nonce? A timestamp?

If someone steals an access token, he can get access to the API server until the access token expires. So when the user requests a page, the server sends him back a nonce which is stored on the server. The client signs the request with the received nonce and completes the request. As the nonce is only used once, the server deletes the nonce. When an attacker grabs the nonce and makes a fake request to the server, the server rejects the request, as the one-time number is invalid because it has been used already.

The timestamp is used to identify the time the token or nonce was created, which is used to expire the token or nonce within a limited time frame (1-2 seconds), the time needed for a request to complete.
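As an added example (not code from the answer above, and not Facebook's or any provider's API), here are the thirteen steps reduced to an in-memory Python simulation: a stand-in authorization server that issues a single-use code bound to a registered app, redirect URI and user, and an API server that redeems the code with the app secret, fetches the profile and hands the client its own session token. Every app id, secret, URL and user record is a constructed placeholder. It also shows why a code captured from the callback URL (the concern raised in the comments) is not enough on its own: redeeming it requires the app secret, and the code is consumed on first use.

```python
import hmac
import secrets
import time

# Constructed sample app registration (the "app_id" and "secret_key" from step 2).
# These values are made up for the example; real ones come from the provider's portal.
APP_ID = "example-app-id"
APP_SECRET = "example-app-secret"
REDIRECT_URI = "https://api.example.test/oauth/callback"


class AuthServer:
    """Stand-in for the provider's authorization server (Facebook in the answer)."""

    def __init__(self, registered_apps, users):
        self.apps = registered_apps   # app_id -> (app_secret, registered redirect_uri)
        self.users = users            # user_id -> profile dict
        self.codes = {}               # code -> (app_id, redirect_uri, user_id, expiry)
        self.tokens = {}              # provider access token -> (user_id, expiry)

    def authorize(self, app_id, redirect_uri, user_id):
        """Steps 3-4: the user logs in and consents; the provider redirects back with a short-lived code."""
        _, registered_uri = self.apps[app_id]
        if redirect_uri != registered_uri:
            raise PermissionError("redirect_uri does not match the registration")
        code = secrets.token_urlsafe(24)
        self.codes[code] = (app_id, redirect_uri, user_id, time.time() + 60)
        return code

    def exchange_code(self, code, app_id, app_secret, redirect_uri):
        """Steps 6-7: only the registered app, proving its secret, can turn a code into a token.
        The code is removed on first use, so a captured code is useless once the real server
        has redeemed it (and if an attacker redeems it first, the real exchange fails loudly)."""
        entry = self.codes.pop(code, None)  # consume the code whether or not the exchange succeeds
        if entry is None:
            raise PermissionError("unknown or already used code")
        code_app, code_uri, user_id, expiry = entry
        secret, _ = self.apps.get(app_id, (None, None))
        if (code_app != app_id or code_uri != redirect_uri or secret is None
                or not hmac.compare_digest(secret, app_secret) or time.time() > expiry):
            raise PermissionError("code, app or secret mismatch")
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (user_id, time.time() + 3600)
        return token

    def user_info(self, access_token):
        """Steps 8-9: resolve a provider token to the user's profile."""
        user_id, expiry = self.tokens[access_token]
        if time.time() > expiry:
            raise PermissionError("token expired")
        return self.users[user_id]


class ApiServer:
    """Your API (steps 5 and 10-13)."""

    def __init__(self, auth_server):
        self.auth = auth_server
        self.sessions = {}   # API session token -> (user email, expiry)

    def oauth_callback(self, code):
        """Step 5: read the code from the callback URL and finish the login server-side,
        so the app secret never reaches the browser or mobile client."""
        provider_token = self.auth.exchange_code(code, APP_ID, APP_SECRET, REDIRECT_URI)
        profile = self.auth.user_info(provider_token)
        api_token = secrets.token_urlsafe(32)
        self.sessions[api_token] = (profile["email"], time.time() + 900)
        return api_token

    def protected_resource(self, api_token):
        """Steps 11-13: accept the token on later requests, or ask the client to log in again."""
        session = self.sessions.get(api_token)
        if session is None or time.time() > session[1]:
            return {"status": 401, "error": "login required"}
        return {"status": 200, "user": session[0]}


def demo_login():
    """Walk the flow once, then try to redeem the same code a second time."""
    auth = AuthServer({APP_ID: (APP_SECRET, REDIRECT_URI)},
                      {"u1": {"email": "alice@example.test", "name": "Alice"}})
    api = ApiServer(auth)
    code = auth.authorize(APP_ID, REDIRECT_URI, "u1")   # constructed user "u1" consents
    token = api.oauth_callback(code)
    first = api.protected_resource(token)
    try:
        api.oauth_callback(code)   # replaying the captured code must be rejected
        replay_rejected = False
    except PermissionError:
        replay_rejected = True
    return first, replay_rejected


if __name__ == "__main__":
    print(demo_login())
```

The point to take from it: the secret lives only on the API server, the provider checks the redirect URI against the registration, and the code is single-use, which together are what make the code in the URL a weak target. Transport still needs HTTPS, as the comments note, because the session token handed back in step 10 is a bearer credential.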

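The nonce and timestamp mechanism described above, as an added Python example that is not part of the answer: the server issues a nonce, the client binds it and a timestamp to the exact request with an HMAC over a per-session secret (the "Token Secret" from the question), and the server deletes the nonce on first sight, rejects anything outside the time window, and rejects any request whose signature does not match. The secret and the 2-second window are constructed values; the clock is injectable so the replay and stale cases can be shown deterministically.

```python
import hashlib
import hmac
import secrets
import time

# Constructed per-session secret shared by client and API server (made up for the example).
TOKEN_SECRET = b"example-token-secret"


def sign_request(secret, method, path, body, nonce, timestamp):
    """Client side: bind nonce and timestamp to this exact method, path and body."""
    message = "\n".join([method, path, nonce, str(timestamp), body]).encode()
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


class NonceGuard:
    """Server side: hands out single-use nonces and rejects replays and stale requests."""

    def __init__(self, secret, window_seconds=2.0, clock=time.time):
        self.secret = secret
        self.window = window_seconds
        self.clock = clock
        self.issued = {}   # nonce -> time it was issued

    def issue_nonce(self):
        nonce = secrets.token_hex(16)
        self.issued[nonce] = self.clock()
        return nonce

    def verify(self, method, path, body, nonce, timestamp, signature):
        """Return (accepted, reason). The nonce is deleted on first use whatever the outcome,
        so a request that fails verification cannot be retried with the same nonce either."""
        issued_at = self.issued.pop(nonce, None)
        if issued_at is None:
            return False, "nonce unknown or already used"
        now = self.clock()
        if abs(now - timestamp) > self.window or now - issued_at > self.window:
            return False, "timestamp outside allowed window"
        expected = sign_request(self.secret, method, path, body, nonce, timestamp)
        if not hmac.compare_digest(expected, signature):
            return False, "bad signature"
        return True, "ok"


def demo_replay():
    """One legitimate request, the same request replayed, and a request sent too late."""
    clock = [1_000_000.0]                       # fake clock so the demo is deterministic
    guard = NonceGuard(TOKEN_SECRET, window_seconds=2.0, clock=lambda: clock[0])

    nonce = guard.issue_nonce()
    ts = clock[0]
    sig = sign_request(TOKEN_SECRET, "POST", "/orders", '{"item": 1}', nonce, ts)
    first = guard.verify("POST", "/orders", '{"item": 1}', nonce, ts, sig)
    replay = guard.verify("POST", "/orders", '{"item": 1}', nonce, ts, sig)

    nonce2 = guard.issue_nonce()
    clock[0] += 5.0                             # client waits longer than the window
    sig2 = sign_request(TOKEN_SECRET, "GET", "/me", "", nonce2, clock[0])
    stale = guard.verify("GET", "/me", "", nonce2, clock[0], sig2)
    return first, replay, stale


if __name__ == "__main__":
    print(demo_replay())
```

Signing the method, path and body (not just the nonce) matters: a nonce alone proves the request is fresh, while the signature proves nobody altered what that fresh request asks for. Issued nonces that are never used should also be expired from `issued` on the same window, or the table grows without bound.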
Author: Sanjay Salunkhe

Updated on July 09, 2022

Comments

  • Sanjay Salunkhe
    Sanjay Salunkhe almost 2 years

    I have mobile application REST API calls which hit my server without any token or security mechanism.

    I want to secure my API calls. I am trying to understand what OAuth is and how it will secure my mobile app REST API calls which are hitting my server.

    Also I want to know in detail about the below fields which are used in OAuth. From where will I get the below fields?

    Consumer Key
    Consumer Secret
    Token
    Token Secret
    Timestamp
    Nonce
    
  • buydadip
    buydadip over 5 years
    I have one question about this approach, in terms of security. If the code from Facebook is sent to the URL as a parameter, can't some malicious code capture that and use that to authenticate themselves as someone else?
  • All Іѕ Vаиітy
    All Іѕ Vаиітy over 5 years
    @Bolboa Anyone who can access network packages and logs can capture the code, so use HTTPS. Since the code is generated for a specific user for a specific app (our app), the code can't be used to authenticate any other user to any other app; this is where the secret App Credentials are used. Facebook internals ;)
  • Gem
    Gem over 5 years
    @AllІѕVаиітy Is it possible to use a REST API without OAuth?
  • The Coder
    The Coder over 5 years
    @AllІѕVаиітy If I have a REST API which will be consumed only by my frontend clients (browser and mobile), and no third party apps are involved, is OAuth 2.0 the right tool? I know Form and Basic authentication are there. But is social login the only use case of OAuth 2.0?