Api management

OAuth 2.0: API authentication, security and usability

We are experiencing the apogee of API usage in companies. And even though they are a significant technological and economic advance, adequate security, authentication and usability via quality strategies and standards is paramount in their implementation.

OAuth 2.0: explanation, basic concepts and characteristics

For some years now, companies have started incorporating API Management platforms into their modern software architectures, which makes it necessary to secularize APIs.

The challenge of this strategy is to find the perfect balance between user safety and usability. And in this regard, standards play a significant role due to their importance in providing adequate information and access to authorized users.

The Oauth2 standard offers relevant aspects such as API consumer authentication, their request for authorization to perform specific actions and the availability of tools that identify the parties involved in the workflow.

OAuth 2.0 is the authorization framework standard that aims to address those needs, providing applications limited access to user information without the needs to provide their credentials, loosening the grip on authentication as a result. 

This means that it supports various business scenarios based on the type of user that accesses data exposed by the API: browser, specific device, mobile apps and servers, among others. And the obtainment of that access requires undergoing an authentication process (token access) that will enable accessibility, or otherwise.

So, what is OAuth 2.0? It is a framework that facilitates the delegation of client authentication, verifying the client’s access to the APIs. Therefore, it is not an authentication protocol, but rather the provision of an access token to be able to access a specific resource.

And, in this regard, OAuth does not access or handle the user’s information – it has no knowledge of it, guaranteeing, in this way, that the data will remain safe

In order to know the flows and applications of this standard, one should understand the different concepts involved throughout its implementation, which are:

  • Owner. This is the entity/person in charge of granting access to a specific protected resource. 
  • Resource server. This is the tool that hosts protected resources, which grants or denies access.
  • Client. This is the application that requests access to a protected resource on behalf of its owner and with the owner’s authorization.
  • Authorization server. This is the server in charge of providing the access token to the client after authenticating the owner and obtaining authorization.
  • Tokens. Access tokens are the credentials that authorize access to the protected resource. They are composed of a duration and specific access scope. 
  • Refresh token. This is a credential used to obtain the access token. The process consists of the following: the authorization server sends authorization tokens, which are received by the client and used to generate a new access token when the previous one is no longer valid.
  • Scope. This is the requested level of access, since based on internal policies, the server may ignore the requested scope. 
  • Scopes. This refers to the identifiers that determine to which resource access is being requested in the application and which resource the user is authorized to access.

OAuth flows refer to the way in which the application acquires an access token to access information exposed by an API, and their purpose is to address different business scenarios that usually take place during the implementation of APIs. They involve 3 variables: type of application, degree of trust and user interaction in the process.

Differences between OAuth 2.0 and JWT

It is important to mention that both cannot be comparable or even exclusive because they have different goals related to the data security and protection process.

JWT is an authentication protocol that offers certain operations to issue and validate access tokens in JSON format, and its signed method ranges from HMAC algorithms to RSA keys. 

OAuth, as we previously mentioned, is the framework in charge of granting access to resources from several applications. 

OAuth and the importance of security

The most important and valuable when it comes to the use and consumption of APIs is always security. And OAuth has become the benchmark of security through the granting of authorization to access valuable data.

Depending on each specific case, one must opt for one or another flow in order to maximize the level of protection and avoid security problems. It is therefore important to know OAuth in-depth. 

Do you want to maximize your knowledge on OAuth 2.0 and other resource authorization technologies? Contact us and discover state-of-the-art tools to protect your business.