What does OAUTH 2.0 mean for you?

June 5, 2018

Article written by Andrew Brandt, Technical Architect, Bluewolf, an IBM Company

When relating the digital world to its physical counterpart, a story and its meaning can provide a great deal of clarification and understanding to a non-technically minded individual. In this blog, we work to provide an example of how the digital world can cross into the physical world, potentially giving the audience a new sense of its importance or a new understanding of it.

OAUTH is authorization, not authentication, used in the digital world to allow access between systems. It should be clear that OAUTH itself does not perform the function of verifying usernames and passwords; it provides delegated access after that verification is complete. OAUTH 2.0 focuses on simplicity for client developers while providing specific authorization flows for web applications, desktop applications, mobile phones, and living room devices.

Now to the story:

Jim is looking for a place to stay in the Ozarks. He finds a condo available for weekly rent and calls the owner. After reviewing the schedule, the owner finds the condo will be available over Independence Day from 7/1 to 7/8, and sets up a reservation for Jim. She then gives Jim the address to the welcome center so he can check in when he arrives.

When Jim arrives in the Ozarks, he stops by the welcome center. The clerk asks for his ID and a credit card. Once Jim's information matches the reservation request, the clerk provides Jim with a key to the property. The clerk explains that Jim can access his room or make purchases with his key during his stay. Jim finds his key is an RFID key, much like a hotel key.

Jim can now use the key to access the condo, pool, bar, and fitness center until 7/8. After that time his key will become invalid and no longer provide access. The first night, Jim visits the bar and purchases a drink, using his room key for payment.

On July 4th Jim has a party. The next day he finds he is unable to access the condo. He must return to the welcome center, where he finds his key was turned off because the party was not authorized. After some further discussion, the clerk provides Jim with a new key so he can continue his vacation. Upon checkout, Jim finds the drinks he purchased the first night are charged to his credit card.

Now let’s translate this story to an OAUTH flow:

Jim is the client, just as he would be in the business world. The homeowner is the resource owner. The client asks the resource owner to grant access to the location.

The welcome center clerk is acting as the authorization server, verifying that Jim is who he says he is and handing a key to the client, much like OAUTH hands out a token. The token is then used to gain access without passing along sensitive information.

The key (OAUTH token) can be used to access all areas in the complex (resource server) that the owner (resource owner) is entitled to enter. The length of time a token remains active is set by the authorization server; in the case of our story, until 7/8. However, the token can be revoked at any time, much as Jim's access was turned off after the party. By using a key (token), Jim's credit card information (passwords) is always kept secret from the pool bar (resource server).
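The mapping above, as an added example that is not part of the original article: a small Python model of the welcome center (authorization server) issuing an opaque key with an expiry and a set of areas it opens, and each area (resource server) checking the key with the welcome center instead of ever seeing Jim's card. The scope names, the ISO date strings used as clock values, and the hashing of stored tokens are assumptions made for this illustration.

```python
import hashlib
import secrets
from dataclasses import dataclass

# Constructed sample data: the areas the owner is entitled to delegate.
OWNER_SCOPES = frozenset({"condo", "pool", "bar", "fitness"})

def _token_key(token):
    # Store only a hash: a leaked token database should not yield usable keys.
    return hashlib.sha256(token.encode()).hexdigest()

@dataclass
class TokenRecord:
    scopes: frozenset
    expires_at: str  # ISO 8601 date ("2018-07-08"); such strings sort chronologically
    revoked: bool = False

class AuthorizationServer:
    """The welcome center: checks the guest, then hands out a key (bearer token)."""
    def __init__(self):
        self._records = {}  # sha256(token) -> TokenRecord; raw tokens are never kept

    def issue(self, identity_verified, scopes, expires_at):
        # Refuse if the ID does not match, or the request exceeds what the owner has.
        if not identity_verified or not frozenset(scopes) <= OWNER_SCOPES:
            return None
        token = secrets.token_urlsafe(32)  # opaque: carries no password or card data
        self._records[_token_key(token)] = TokenRecord(frozenset(scopes), expires_at)
        return token

    def introspect(self, token, now):
        """Return the record only if the token is known, unexpired and not revoked."""
        rec = self._records.get(_token_key(token))
        if rec is None or rec.revoked or now >= rec.expires_at:
            return None
        return rec

    def revoke(self, token):
        # The party: the key is switched off without waiting for 7/8.
        rec = self._records.get(_token_key(token))
        if rec is not None:
            rec.revoked = True

class ResourceServer:
    """A door in the complex; it only ever sees the key, never the guest's card."""
    def __init__(self, name, auth_server):
        self.name, self.auth = name, auth_server

    def access(self, token, now):
        rec = self.auth.introspect(token, now)
        return rec is not None and self.name in rec.scopes
```

The check a resource server performs here (ask the authorization server whether the token is still valid and covers this area) is the piece that makes both the 7/8 expiry and the post-party revocation take effect at every door at once.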

Bluewolf strives to make the difficult seem easy, the complicated understandable, and the impossible plausible. We hope you've found this a compelling example of how we use relatable storytelling to make a difference, and we continue to work to enhance marketplace standards.
