11 OAuth 2


This chapter covers

  • Registering an OAuth client
  • Requesting authorization to protected resources
  • Granting authorization without exposing authentication credentials
  • Accessing protected resources

OAuth 2 is an industry standard authorization protocol defined by the IETF. This protocol, which I refer to as just OAuth, enables users to authorize third-party access to protected resources. Most importantly, it allows users to do this without exposing their authentication credentials to third parties. In this chapter, I explain the OAuth protocol, walking through it with Alice, Bob, and Charlie. Eve and Mallory both make an appearance as well. I also show you how to implement this protocol with two great tools, Django OAuth Toolkit and requests-oauthlib.

You have probably already used OAuth. Have you ever visited a website such as medium.com, where you could “Sign in with Google” or “Log in with Twitter?” This feature, known as social login, is designed to simplify account creation. Instead of pestering you for your personal information, these sites ask you for permission to retrieve your personal information from a social media site. Beneath the hood, this is often implemented with OAuth.
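The exchange beneath social login, as an added simulation that is not the book's code and uses neither Django OAuth Toolkit nor requests-oauthlib: a toy in-memory authorization server and a client run in one process, showing that the user's password only ever reaches the authorization server, that the authorization code is single use and bound to the registered redirect URI, and that the client checks `state` before trusting a callback. The names (Bob as resource owner, `charlie-app` as the client, the redirect URI and secrets) are constructed for this example.

```python
import hmac
import secrets


class AuthorizationServer:
    """Toy in-memory authorization + resource server (constructed for this example)."""

    def __init__(self, users, clients):
        self.users = users      # username -> password; only this server ever sees passwords
        self.clients = clients  # client_id -> (client_secret, registered redirect_uri)
        self.codes = {}         # one-time authorization code -> (client_id, redirect_uri, user)
        self.tokens = {}        # access token -> username

    def authorize(self, client_id, redirect_uri, state, username, password):
        """Resource owner logs in here and consents; returns what the redirect back carries."""
        if self.clients.get(client_id, (None, None))[1] != redirect_uri:
            raise ValueError("unknown client or redirect_uri mismatch")
        if not hmac.compare_digest(self.users.get(username, ""), password):
            raise ValueError("authentication failed")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, redirect_uri, username)
        return {"code": code, "state": state}

    def token(self, client_id, client_secret, code, redirect_uri):
        """Back-channel exchange of a single-use code plus client credentials for a token."""
        issued = self.codes.pop(code, None)  # pop: a replayed code is rejected
        if issued is None or issued[:2] != (client_id, redirect_uri):
            raise ValueError("invalid, expired or replayed code")
        if not hmac.compare_digest(self.clients[client_id][0], client_secret):
            raise ValueError("client authentication failed")
        access_token = secrets.token_urlsafe(32)
        self.tokens[access_token] = issued[2]
        return {"access_token": access_token, "token_type": "Bearer"}

    def resource(self, access_token):
        """Protected resource: release the profile only for a valid token."""
        if access_token not in self.tokens:
            raise PermissionError("invalid token")
        return {"user": self.tokens[access_token]}


def run_flow(server, client_id, client_secret, redirect_uri, owner_credentials):
    """Client side of the authorization code flow; returns the protected profile."""
    state = secrets.token_urlsafe(16)  # tied to the user's session to catch forged callbacks
    # The user authenticates at the server with their own password; the client never sees it.
    callback = server.authorize(client_id, redirect_uri, state, *owner_credentials)
    if not hmac.compare_digest(callback["state"], state):
        raise ValueError("state mismatch: possible forged callback")
    token = server.token(client_id, client_secret, callback["code"], redirect_uri)
    return server.resource(token["access_token"])
```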

Before we dive into this subject, I’m going to use an example to establish some vocabulary terms. These terms are defined by the OAuth specification; they appear repeatedly throughout this chapter. When you go to medium.com and Sign in with Google

11.1 Grant types

11.1.1 Authorization code flow

11.2 Bob authorizes Charlie

11.2.1 Requesting authorization

11.2.2 Granting authorization

11.2.3 Token exchange

11.2.4 Accessing protected resources

11.3 Django OAuth Toolkit

11.3.1 Authorization server responsibilities

11.3.2 Resource server responsibilities