By: Nihad Hassan
September 10, 2021
Everything You Need To Know About OAuth 2.0
Digital technologies have become integrated into all aspects of society; nowadays, people depend on technology more than ever to conduct most of their daily tasks. According to Dashlane, the average American internet user has 150 online accounts that require a password to secure them. That study was conducted in 2017; it predicted that by 2022 the number would rise to 300 online accounts per user!
Digital authentication is the electronic mechanism used to protect the ever-increasing number of online user accounts by verifying a claimed identity against an authentication system (an information system). The authenticated entity does not need to be a person; it can be another system or application.
There are various methods of digital authentication; the following are the main ones:
- Two or Multi-factor authentication
- Biometric authentication
- Security tokens
- Device recognition
Casual internet users will have many online accounts, such as social media, blogs, forums, digital libraries, and mobile applications that need registration to work. However, registering a separate account for each service may not be feasible. Hence the idea of developing a protocol that can use the sign-on credentials of one online service to grant access to protected resources that exist on different websites and applications, without revealing the original credentials used to access the principal service.
This article sheds light on the OAuth authorization framework and describes how it works; however, before we begin, let us differentiate between two terms that most people still use interchangeably: authentication and authorization.
Note! OAuth has two standards: the old legacy one, OAuth 1.0, and the modern version, OAuth 2.0. Version 1.0 is old and no longer widely used, so throughout this article OAuth refers to version 2.0 exclusively.
What is the difference between authentication and authorization?
Authentication comes first: it validates whether users are who they claim to be. Next, authorization grants access to protected resources based on the user's identity. An example of authentication is a user providing cloud account credentials to access a cloud service. If the user supplies the correct credentials, the next step is authorization, which specifies the resources the user can access (e.g., which cloud applications or files the user can and cannot access).
What is OAuth?
OAuth is an open-standard authorization framework; it allows a user to use the credentials of one online service to access other websites and services without exposing their password to those websites. For example, you can use your Facebook credentials to access medium.com; the Medium website will grant you access to its platform without knowing your Facebook password (see Figure 1).
In the same way, you can use OAuth to tell Twitter.com that it is OK for CNN.com to post to your Twitter timeline without giving the CNN website your Twitter account credentials.
The OAuth authorization framework is commonly used by giant IT enterprises such as Facebook, Twitter, Microsoft, and Google to share partial information (e.g., name, email address) about their users' accounts (upon user request) without revealing the password, or even the identity of the account owner. It lets users specify the type of data they want to share with other websites and applications. For example, a third-party service named MailTrack can access the following information in a particular user's Google account (see Figure 2).
Although OAuth was originally developed for authorization rather than authentication, many websites already use it for the latter purpose. For example, when a website allows you to log in using your Facebook account, there is a high probability that it is using this technology to do so.
Using it gives a direct security advantage. For instance, in our CNN example, if CNN.com suffered a data breach, users' Twitter account credentials would not be affected, because CNN does not know or store your Twitter account password.
How does OAuth work?
It works only over the HTTP protocol: the authorization server issues a security token to a third-party client after asking the permission of the resource owner (that is, the user). Once access is granted, the third-party client uses the access token to access the protected resources.
Under this scenario, a typical authorization process commonly involves the following parties:
- Resource server: the server that holds the end user's protected resources. In our CNN example, it is the Twitter service.
- Client: the application or website asking permission to access protected resources on behalf of the end user. In our CNN example, it is the CNN website.
- Authorization server: the service providing the OAuth functionality. It authenticates the end user (resource owner) and issues the security token to the third party after obtaining the required approval (authorization). There are many large OAuth service providers; the most common are Auth0, Amazon, Apple, AOL, LinkedIn, Facebook, and Google.
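The exchange between those parties, modelled in Python as an added example (not code from the original article or from any OAuth provider). The user "alice", her demo password, the client id "mailtrack" and the name/email fields are constructed for the illustration; the point is that the client only ever holds a scoped, expiring token, never the password.

```python
import secrets
import time
# Constructed demo account, held only by the authorization server (assumed
# single user "alice"); the third-party client never reads this table.
USERS = {"alice": {"password": "correct-horse", "name": "Alice",
                   "email": "alice@example.test"}}

class AuthorizationServer:
    """Authenticates the resource owner and issues scoped, expiring tokens."""
    def __init__(self):
        self.codes = {}   # one-time authorization code -> (user, client, scope)
        self.tokens = {}  # access token -> (user, scope, expiry time)
    def authorize(self, username, password, client_id, scope):
        # The user logs in here, at the provider, never at the third-party client.
        user = USERS.get(username)
        if user is None or user["password"] != password:
            raise PermissionError("authentication failed")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (username, client_id, frozenset(scope))
        return code  # handed back to the client through a redirect
    def exchange(self, code, client_id, ttl=3600):
        # The client swaps the one-time code for a token; pop() makes replay fail.
        entry = self.codes.pop(code, None)
        if entry is None or entry[1] != client_id:
            raise PermissionError("invalid authorization code")
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (entry[0], entry[2], time.time() + ttl)
        return token
    def introspect(self, token):
        # (user, scope) for a live token, None if unknown or expired.
        entry = self.tokens.get(token)
        if entry is None or entry[2] < time.time():
            return None
        return entry[0], entry[1]

def resource_server(auth, token, field):
    """Resource server: releases only the fields the token was scoped for."""
    checked = auth.introspect(token)
    if checked is None:
        raise PermissionError("invalid or expired token")
    username, scope = checked
    if field not in scope:
        raise PermissionError(f"token not scoped for {field}")
    return USERS[username][field]

def run_flow(scope=("name", "email"), ttl=3600):
    # Full exchange: login at the provider, code to the client, token issued.
    auth = AuthorizationServer()
    code = auth.authorize("alice", "correct-horse", "mailtrack", scope)
    return auth, code, auth.exchange(code, "mailtrack", ttl)
```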
Common OAuth vulnerabilities
As we saw, it provides a convenient way for internet users to share their sensitive information with third-party providers without exposing their credentials. However, like any other technology, it suffers from some security vulnerabilities, as we will see next.
When OAuth is used to access protected resources on third-party websites, users' sensitive information must be exchanged between different servers online and with the user's web browser. Anything that moves online becomes subject to various cyberattacks. The main weak points are:
- A security vulnerability can exist in the client application (the client's implementation of OAuth).
- Some providers may suffer from security vulnerabilities that expose users' access tokens to malicious actors. This compromises the system and allows unauthorized access to users' protected resources.
- Some OAuth providers may suffer a data breach. This makes all user accounts connected with the breached provider subject to compromise.
I'm sure that while surfing online you have come across a website that allows you to register or log in using one of your favorite social media accounts, such as Facebook or Twitter. Whenever you find such a website, you are most likely using OAuth.
OAuth provides an easy way for internet users to grant different, untrusted third parties access to their accounts without sharing their login credentials. It enhances internet security because the user does not need to create a separate login for each online service; this effectively lowers the impact of data breaches on users' accounts, since their credentials are not stored by the third-party service providers. Instead, they are stored by the OAuth provider, which tends to be a large enterprise with robust security controls.