OAuth : How It Works

Abdul Azeez
3 min read · Nov 27, 2024


Many of us use the OAuth framework for enterprise application authorization and OpenID Connect (OIDC) for authentication. It’s often straightforward to configure for any application, even without fully understanding its concept or definition. This article aims to break down the basics of OAuth for better comprehension.

A Use Case Example

Imagine you are creating a single-page web application that consumes the logged-in user's emails and calendar (e.g. from Outlook), runs some artificial-intelligence logic over them, and presents output to the user such as: how many productive meetings took place last year, how many emails were not responded to on time, and so on.

Who are the players involved here? A web application that consumes data (email and meetings) from the Outlook API of the logged-in user, after successful authentication against the Microsoft identity provider.

Cool, but are we authenticating the web application or the Outlook API? The web application here is nothing but JavaScript code that initiates Outlook API calls; it cannot perform any meaningful action without getting data from the Outlook API. So in most cases we don't need to authenticate the client application (the web application); instead we need to authenticate the API. But how do we authenticate the API, when it has no UI of its own to validate user credentials? That means the API needs authorization rather than authentication. In other words, even though the authentication process may happen in the web application, its purpose is to authorize API calls to Outlook on behalf of the user.

Role of Tokens in OAuth

Users are authenticated to access the web application, but how does the web application transfer that authentication status to the API? That is exactly what tokens are for in OAuth.

Another scenario: what if the user decides to grant access only to their emails and not their calendar for display in the web application? This is where authorization comes into play. Tokens also carry the user's consent state (or authorization state) and ensure the web application adheres to the permissions granted by the user.

OAuth & OIDC

  • OIDC (OpenID Connect): Primarily handles authentication (verifying who the user is).
  • OAuth: Handles authorization (granting permission to access specific resources).

In the above example, the user needs to authenticate against the Microsoft identity provider to log in to the web application. The user is then prompted to consent to access to the API service, and the authorization token is passed to the API server to access any protected resources.

Pillars in OAuth

  1. Authorization Server: It plays the major role in the OAuth framework; its primary responsibility is authenticating the user and issuing authorization tokens. Apart from that, the identity provider is responsible for multi-factor authentication (MFA), single sign-on (SSO), conditional access, etc. In the above example the Microsoft identity provider (or Azure Entra) plays the role of identity provider.
  2. Resource Server: This is where the protected APIs are hosted, and they require proper authorization and authentication before any resource can be accessed. In the above example the Outlook API plays the role of the protected resource, hosted on Microsoft's servers.
  3. Client Application: Any client application that accesses protected resources on behalf of the resource owner. Example: the web application is the client application.
  4. Resource Owner: Any user registered in the authorization server. Example: the logged-in user.
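The consent-in-the-token idea from the tokens section and the resource server role from the list above, as an added example that is not part of the original article: a constructed authorization server mints a signed token whose `scp` claim records the scopes the user consented to, and a constructed resource server (standing in for the Outlook API) verifies the signature, audience and expiry before enforcing the scope. The HMAC shared key, the `outlook-api` audience and the scope names are assumptions for the demo; a real issuer signs with asymmetric keys published via JWKS.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key shared by the authorization server and the resource
# server; a real issuer publishes asymmetric keys (JWKS) instead of a shared secret.
DEMO_KEY = b"constructed-demo-key-not-for-production"
API_AUDIENCE = "outlook-api"   # hypothetical audience identifier for the Outlook API


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, scopes: list, ttl: int = 3600, now: int = None) -> str:
    """Authorization server: mint a signed token that records the user's consent (scopes)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": subject, "aud": API_AUDIENCE, "scp": " ".join(scopes),
              "iat": now, "exp": now + ttl}
    signing_input = (b64url_encode(json.dumps(header).encode()) + "." +
                     b64url_encode(json.dumps(claims).encode()))
    sig = hmac.new(DEMO_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def authorize_call(token: str, required_scope: str, now: int = None) -> tuple:
    """Resource server: check signature, audience and expiry, then enforce the scope."""
    parts = token.split(".")
    if len(parts) != 3:
        return (False, "malformed token")
    header_b64, claims_b64, sig_b64 = parts
    expected = hmac.new(DEMO_KEY, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    try:
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return (False, "bad signature")      # tampered claims or signature
        claims = json.loads(b64url_decode(claims_b64))
    except ValueError:
        return (False, "malformed token")
    now = int(time.time()) if now is None else now
    if claims.get("aud") != API_AUDIENCE:
        return (False, "token not issued for this API")
    if now >= claims.get("exp", 0):
        return (False, "token expired")
    if required_scope not in claims.get("scp", "").split():
        return (False, "scope not granted")     # e.g. user consented to mail only
    return (True, "ok")
```

With a token issued for `Mail.Read` only, a calendar call is refused with "scope not granted" even though the same token is accepted for mail, which is the consent state the article describes.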

Here we have explained the OAuth fundamentals, and I hope it opens room for further exploration. Happy reading!
