Introduction to OAuth 2.0

Himang Sharatun
4 min read · Nov 27, 2020

During Q3 our team got a quite challenging business requirement. A 3rd party wanted to implement “Login with StartDee” (StartDee is Ruangguru in Thailand) in their service. This means that we are required to share user information (name, email, etc.) with the 3rd party. The biggest question was: how do we do this securely?

To avoid reinventing the wheel with our limited knowledge of security, we searched for references. After some exploration, we found this RFC, which explains in detail what OAuth 2.0 is and why we need it to secure our collaboration with 3rd parties. The problem is that the RFC is so detailed that it is hard to understand. In this article I would like to simplify the RFC and explain what OAuth 2.0 is.

Authentication VS Authorization

Before we move further, I would like to clarify that authentication is different from authorization. This clarification is important for understanding the scope of the problem that OAuth 2.0 is trying to solve.

Authentication is about proving to me that you really are user X. To do so, you can give me:

  • Something that you know: password, PIN, etc.
  • Something you have: credit card to prove bank account ownership, OTP to prove phone number ownership, etc.
  • Something you are: fingerprint, Face ID, etc.

Authorization is about proving to me that you have access to resource A. Usually, authorization requires authentication first, because the most basic logic for authorization is:

User X has access to resource A. Prove to me that you really are user X, then I can grant you access to resource A.

But it would be a very bad user experience if, every time the user needed to hit a BE endpoint, they had to input a password to prove that they really are user X. To avoid this inconvenience, we usually issue an access token once the user has successfully proven who they are. For later interactions, we just need to validate the access token provided in each request.

What is OAuth 2.0, actually?

OAuth 2.0 is just a standard for sharing resources publicly in a secure manner

OAuth 2.0 is neither a library nor a service provided by a certain company. It is just a standard that you need to implement if you want to securely authorize a 3rd party to access your private resource. In our case, the private resource is user information, but a private resource can be anything, e.g. endpoints to upload images, access to a certain dashboard, etc.

Please note that OAuth 2.0 solves the authorization problem, not the authentication problem. This means that the end result of this standard is an access token that the 3rd party can use to access our private resource.

How to implement OAuth 2.0?

I will not explain the flow of OAuth 2.0 in detail, but I will explain how OAuth 2.0 secures our public API:

  1. User inputs username/password in RG Service
    As you can see in the illustration above, RG Service provides a login page that the 3rd party can open and display to the user. This way the username/password is given by the user directly to RG Service, not through the 3rd party acting as a proxy.
  2. Successful login MUST send the authorization code only to the registered redirect URI
    After confirming the username/password, RG Service will redirect to the redirect URI registered in the DB. This means the 3rd party needs to register its redirect URI with RG Service, which prevents the authorization code from being sent to an unauthorized URI.
    Note that the authorization code is short-lived and can only be used once.
  3. The endpoint to exchange the authorization code for an access token requires client_secret
    client_secret here serves a function like a password for the 3rd party. RG Service needs proof that the one making the request really is the registered 3rd party. By checking the client_id and client_secret pair, RG Service can confirm that it really is the registered 3rd party making the request to exchange the authorization code for an access token.
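The three checks above, as an added Go example (this is not code from the original post, nor from Hydra or Fosite): a minimal in-memory authorization server that, after the user has logged in directly at RG Service, issues a short-lived single-use code only to the registered redirect URI, and hands out an access token only when the 3rd party presents the correct client_secret and an unused, unexpired code that was issued to it. The `Client`, `AuthServer`, `Authorize` and `Exchange` names, the registered partner and all sample values are assumptions made for this illustration; a real server would persist clients and codes in a database and issue proper access tokens with scope and expiry.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Client is a 3rd party registered with RG Service. Hypothetical in-memory
// registration; a real server keeps this in the DB.
type Client struct {
	ID          string
	Secret      string
	RedirectURI string
}

// authCode is one issued authorization code plus everything needed to enforce
// "single use", "short-lived" and "only for the client it was issued to".
type authCode struct {
	clientID    string
	redirectURI string
	userID      string
	expiresAt   time.Time
	used        bool
}

// AuthServer is a minimal in-memory stand-in for the authorization server.
type AuthServer struct {
	clients map[string]Client
	codes   map[string]*authCode
	now     func() time.Time // injectable clock so expiry can be exercised
}

func NewAuthServer(clients []Client) *AuthServer {
	s := &AuthServer{clients: map[string]Client{}, codes: map[string]*authCode{}, now: time.Now}
	for _, c := range clients {
		s.clients[c.ID] = c
	}
	return s
}

// randomToken returns 128 bits of unguessable randomness, hex encoded.
func randomToken() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

// Authorize is step 2. The user has just entered username/password directly at
// RG Service (step 1), so userID is trusted here. A code is issued only if
// redirectURI is exactly the one the client registered, and it expires in 60s.
func (s *AuthServer) Authorize(clientID, redirectURI, userID string) (string, error) {
	c, ok := s.clients[clientID]
	if !ok {
		return "", errors.New("unknown client_id")
	}
	if c.RedirectURI != redirectURI {
		return "", errors.New("redirect_uri does not match the registered URI")
	}
	code := randomToken()
	s.codes[code] = &authCode{clientID: clientID, redirectURI: redirectURI,
		userID: userID, expiresAt: s.now().Add(60 * time.Second)}
	return code, nil
}

// Exchange is step 3. The client must present the correct client_secret, and the
// code must belong to this client and redirect URI, be unexpired and unused.
// On success the code is burned and an opaque access token is returned.
func (s *AuthServer) Exchange(clientID, clientSecret, code, redirectURI string) (string, error) {
	c, ok := s.clients[clientID]
	if !ok || subtle.ConstantTimeCompare([]byte(c.Secret), []byte(clientSecret)) != 1 {
		return "", errors.New("invalid client credentials")
	}
	ac, ok := s.codes[code]
	if !ok || ac.clientID != clientID || ac.redirectURI != redirectURI {
		return "", errors.New("invalid authorization code")
	}
	if ac.used {
		return "", errors.New("authorization code already used")
	}
	if s.now().After(ac.expiresAt) {
		return "", errors.New("authorization code expired")
	}
	ac.used = true
	return "at_" + randomToken(), nil
}

func main() {
	srv := NewAuthServer([]Client{{ID: "partner-app", Secret: "s3cret",
		RedirectURI: "https://partner.example.test/callback"}})
	code, _ := srv.Authorize("partner-app", "https://partner.example.test/callback", "user-42")
	tok, err := srv.Exchange("partner-app", "s3cret", code, "https://partner.example.test/callback")
	fmt.Println("first exchange:", tok, err)
	_, err = srv.Exchange("partner-app", "s3cret", code, "https://partner.example.test/callback")
	fmt.Println("second exchange:", err)
}
```

The order of checks in `Exchange` matters: client credentials are verified before the code is even looked up, so a request with a wrong client_secret cannot burn or probe someone else's code, and a code is only marked used once every check has passed.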

Fortunately, to implement an OAuth 2.0 server there are already a lot of libraries you can use in various programming languages. Since Ruangguru mostly uses Golang, here are several libraries I recommend:

  • Hydra: for a quick implementation
  • Fosite: if you need more customization of the OAuth 2.0 logic

What’s next? OpenID?

OAuth 2.0 and OpenID are actually quite similar, so people might use the terms interchangeably. But the two standards solve different problems. While OAuth 2.0 solves the authorization problem, OpenID extends OAuth 2.0 to solve the authentication problem.

OpenID is a standard for how you send user identity to a 3rd party

If you look at the endpoint that exchanges the authorization code for an access token, the difference is that for OpenID there is an additional response field called id_token. The ID Token is a JWT that contains the user and issuer identity. For further reference you can read the OpenID Connect Core specification.
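An added Go example of what the id_token carries and what a 3rd party should check before trusting it (this is not code from the original post or from any OpenID library). It mints a JWT with the iss (issuer), sub (user), aud (the client_id it was issued to), iat and exp claims, and on the way back verifies the signature, the signing algorithm, issuer, audience and expiry. The shared secret, the claim values and the `MintIDToken`/`VerifyIDToken` names are constructed for this example; it uses HS256 with a shared secret so that it runs offline, whereas real providers normally sign ID tokens with RSA or EC keys published at a JWKS endpoint, and aud may also be an array, which this example does not handle.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// IDClaims are the ID Token claims this example cares about. aud is modelled as
// a single string (assumption); the spec also allows an array of audiences.
type IDClaims struct {
	Iss   string `json:"iss"`
	Sub   string `json:"sub"`
	Aud   string `json:"aud"`
	Exp   int64  `json:"exp"`
	Iat   int64  `json:"iat"`
	Name  string `json:"name,omitempty"`
	Email string `json:"email,omitempty"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// sign computes HMAC-SHA256 over the JWT signing input (header.payload).
func sign(secret []byte, signingInput string) []byte {
	m := hmac.New(sha256.New, secret)
	m.Write([]byte(signingInput))
	return m.Sum(nil)
}

// MintIDToken builds an HS256-signed JWT carrying the claims (issuer side).
func MintIDToken(secret []byte, c IDClaims) (string, error) {
	header := b64([]byte(`{"alg":"HS256","typ":"JWT"}`))
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := header + "." + b64(payload)
	return signingInput + "." + b64(sign(secret, signingInput)), nil
}

// VerifyIDToken is the 3rd party's side: it accepts only HS256, checks the
// signature before parsing the payload, and then checks iss, aud and exp.
func VerifyIDToken(secret []byte, token, wantIss, wantAud string, now time.Time) (IDClaims, error) {
	var c IDClaims
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, errors.New("malformed token")
	}
	hdrBytes, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return c, errors.New("bad header encoding")
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	// Pinning the algorithm defeats "alg":"none" and algorithm-confusion tokens.
	if err := json.Unmarshal(hdrBytes, &hdr); err != nil || hdr.Alg != "HS256" {
		return c, errors.New("unexpected alg")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return c, errors.New("bad signature encoding")
	}
	if !hmac.Equal(sig, sign(secret, parts[0]+"."+parts[1])) {
		return c, errors.New("signature mismatch")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return c, errors.New("bad payload encoding")
	}
	if err := json.Unmarshal(payload, &c); err != nil {
		return c, errors.New("bad payload")
	}
	if c.Iss != wantIss {
		return c, errors.New("issuer mismatch")
	}
	if c.Aud != wantAud {
		return c, errors.New("audience mismatch")
	}
	if !now.Before(time.Unix(c.Exp, 0)) {
		return c, errors.New("token expired")
	}
	return c, nil
}

func main() {
	secret := []byte("constructed-shared-secret")
	tok, _ := MintIDToken(secret, IDClaims{Iss: "https://id.example.test", Sub: "user-42",
		Aud: "partner-app", Iat: 1700000000, Exp: 1700003600, Name: "Example User"})
	claims, err := VerifyIDToken(secret, tok, "https://id.example.test", "partner-app", time.Unix(1700000100, 0))
	fmt.Printf("%+v %v\n", claims, err)
}
```

The audience check is the part most often skipped: an ID Token that was issued to a different client_id is still validly signed by the same issuer, so without comparing aud a 3rd party could be handed a token minted for someone else's application.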

Reference

  1. RFC 6749, The OAuth 2.0 Authorization Framework: https://tools.ietf.org/html/rfc6749
  2. OpenID Connect Core 1.0: https://openid.net/specs/openid-connect-core-1_0.html
  3. ORY Hydra: https://github.com/ory/hydra/
  4. ORY Fosite: https://github.com/ory/fosite/
