What is OAuth?
OAuth is an open-standard authorization protocol. It lets a third-party service access your account information on your behalf.
Instead of exposing the user's credentials, OAuth gives the third-party service an access token and a refresh token. The Access Token is used to retrieve resources from the resource server and is short-lived. The Refresh Token is used to obtain a new Access Token when the old one expires and is long-lived.
OAuth Workflow
OAuth defines several flows (grant types), such as the Authorization Code flow, the Client Credentials flow (machine to machine), the Resource Owner Password flow, and others.
Today, we are going to discuss the Authorization Code flow:
The user clicks Login with Google (let's say we are using Google for OAuth) on your website
Your website redirects the user to Google's authorization page
The user clicks the Authorize button on that page and grants your website the requested permissions
Google redirects the user back to your website with an authorization code
Your website exchanges the authorization code for tokens by sending it to Google together with its Client ID and Client Secret
Google validates the Client ID, Client Secret and authorization code
If everything checks out, Google returns an Access Token and a Refresh Token to your website
Your website can now use the Access Token to request resources from Google's services, and use the Refresh Token to get a new Access Token when the old one expires
Last time, we discussed JWT and its use cases; authorization and authentication are among them. A JWT can be used as the Access Token in OAuth.
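To make the steps above concrete, here is an added example (not code from the original post, and not Google's implementation) that plays both sides of the Authorization Code flow in one process: a toy authorization server that issues a single-use, short-lived code bound to the client and redirect URI, a website that exchanges it server-side with its Client Secret, and a JWT-style access token (HS256) that the resource server verifies, tying in the JWT note above. It goes slightly beyond the post by also showing the standard state parameter, which lets the website check that a callback belongs to a login it started. All names, secrets and URLs are constructed.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time


def b64url(data: bytes) -> bytes:
    """Base64url without padding, the encoding JWT uses for each segment."""
    return base64.urlsafe_b64encode(data).rstrip(b"=")


class AuthorizationServer:
    """Toy stand-in for the provider (Google in the post); in-memory, hypothetical API."""

    def __init__(self):
        self.clients = {}         # client_id -> {"secret", "redirect_uri"}
        self.codes = {}           # authorization code -> what it was issued for
        self.refresh_tokens = {}  # refresh token -> {"client_id", "user"}
        self.jwt_key = secrets.token_bytes(32)  # HMAC key for signing access tokens

    def register_client(self, client_id, client_secret, redirect_uri):
        self.clients[client_id] = {"secret": client_secret, "redirect_uri": redirect_uri}

    def authorize(self, client_id, redirect_uri, state, user):
        """User consents; provider returns a code that is bound, short-lived and single-use."""
        client = self.clients.get(client_id)
        if client is None or client["redirect_uri"] != redirect_uri:
            raise PermissionError("unknown client or redirect_uri mismatch")
        code = secrets.token_urlsafe(24)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                            "user": user, "expires": time.time() + 60}
        return {"code": code, "state": state}  # what lands on the website's callback URL

    def token(self, grant_type, client_id, client_secret, **params):
        """Token endpoint: exchange a code, or a refresh token, for an access token."""
        client = self.clients.get(client_id)
        if client is None or not hmac.compare_digest(client["secret"], client_secret):
            raise PermissionError("invalid_client")
        if grant_type == "authorization_code":
            entry = self.codes.pop(params["code"], None)  # pop: a replayed code is rejected
            if (entry is None or entry["expires"] < time.time()
                    or entry["client_id"] != client_id
                    or entry["redirect_uri"] != params["redirect_uri"]):
                raise PermissionError("invalid_grant")
            refresh = secrets.token_urlsafe(32)
            self.refresh_tokens[refresh] = {"client_id": client_id, "user": entry["user"]}
            return {"access_token": self.mint_jwt(entry["user"], client_id),
                    "token_type": "Bearer", "expires_in": 3600, "refresh_token": refresh}
        if grant_type == "refresh_token":
            entry = self.refresh_tokens.get(params["refresh_token"])
            if entry is None or entry["client_id"] != client_id:
                raise PermissionError("invalid_grant")
            return {"access_token": self.mint_jwt(entry["user"], client_id),
                    "token_type": "Bearer", "expires_in": 3600}
        raise ValueError("unsupported_grant_type")

    def mint_jwt(self, user, client_id, lifetime=3600):
        """Short-lived HS256 JWT used as the access token."""
        now = int(time.time())
        header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
        claims = {"sub": user, "aud": client_id, "iat": now, "exp": now + lifetime}
        signing_input = header + b"." + b64url(json.dumps(claims).encode())
        sig = hmac.new(self.jwt_key, signing_input, hashlib.sha256).digest()
        return (signing_input + b"." + b64url(sig)).decode()

    def verify_access_token(self, token):
        """Resource-server side: check the signature and expiry before trusting the claims."""
        header, payload, sig = token.encode().split(b".")
        expected = b64url(hmac.new(self.jwt_key, header + b"." + payload, hashlib.sha256).digest())
        if not hmac.compare_digest(sig, expected):
            raise PermissionError("bad signature")
        claims = json.loads(base64.urlsafe_b64decode(payload + b"=" * (-len(payload) % 4)))
        if claims["exp"] < time.time():
            raise PermissionError("token expired")
        return claims


class Website:
    """The relying site ('your website' in the post)."""

    def __init__(self, client_id, client_secret, redirect_uri, provider):
        self.client_id, self.client_secret = client_id, client_secret
        self.redirect_uri, self.provider = redirect_uri, provider
        self.session = {}  # stands in for the user's server-side session

    def begin_login(self):
        """Generate a random state, remember it in the session, then redirect to the provider."""
        self.session["state"] = secrets.token_urlsafe(16)
        return self.session["state"]

    def handle_callback(self, query):
        """Check state (anti-CSRF), then exchange the code server-side using the Client Secret."""
        if not hmac.compare_digest(query["state"], self.session.get("state", "")):
            raise PermissionError("state mismatch: callback is not from a login this session started")
        return self.provider.token("authorization_code", self.client_id, self.client_secret,
                                   code=query["code"], redirect_uri=self.redirect_uri)

    def refresh(self, refresh_token):
        """Get a fresh access token once the old one has expired."""
        return self.provider.token("refresh_token", self.client_id, self.client_secret,
                                   refresh_token=refresh_token)


def run_flow():
    """Drive the whole flow end to end with constructed values."""
    provider = AuthorizationServer()
    provider.register_client("my-site", "constructed-secret", "https://example.test/callback")
    site = Website("my-site", "constructed-secret", "https://example.test/callback", provider)
    state = site.begin_login()
    callback = provider.authorize("my-site", "https://example.test/callback", state, user="alice")
    tokens = site.handle_callback(callback)
    claims = provider.verify_access_token(tokens["access_token"])
    refreshed = site.refresh(tokens["refresh_token"])
    return provider, site, callback, tokens, claims, refreshed
```

The checks that matter for security are the ones that fail closed: the code is popped on first use so a replay gets invalid_grant, the token endpoint rejects a wrong Client Secret, the callback is rejected when its state does not match the session, and the resource server rejects a token whose signature no longer verifies. In a real deployment the Client Secret lives only on the website's server and the refresh token is stored encrypted at rest, since it is long-lived.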
Understand more about JWT: What is JWT?