August 6, 2019

Understanding OAuth 2.0 Directly from the IETF RFC 6749 Specification


Authentication and Authorization are two big concepts that are required for almost every application.

Authentication deals with verifying who the current user is and whether or not that user is currently present. For example, when Bob Smith logs into an application (e.g. Facebook), the application needs to know that the user is "Bob Smith" in order to show Bob the personal content that only he should see. The app also needs to verify that Bob is actually present, and that the person trying to access the account is not someone or something else trying to get at his information. (More on this at OAuth.net.)

Authorization deals with whether or not an application may access a particular piece of a user's online belongings, called "Resources", such as information, pictures, videos, and documents. For example, say you download a voice recording app on your iPhone and the app wants to push your recording to your Dropbox or Google Drive, or to post to your Facebook timeline. The app needs permission to access those resources that you own on other applications. (More on this at OAuth.net.)

OAuth 2.0 is a specification for the latter, authorization, so that developers can learn one way of doing it and apply it to all their applications. Before OAuth 2.0, if a developer wanted to program an application to access a third-party system such as Google Drive, Dropbox, or Facebook, the developer might have to learn three different ways of interacting with those systems, which adds unnecessary complexity and ultimately unnecessary cost to the product.

Many products and services, such as Auth0, Okta, and IdentityServer, have sprung up to help a developer implement OAuth 2.0 (along with OpenID Connect, the authentication layer built on top of OAuth 2.0 and currently its most popular companion) without having to dig deep into the authentication and authorization protocols themselves.

Even with those near plug-and-play services, however, a developer still needs to learn the basics of the protocol in order to configure the service properly. And because of the tangled history of these protocols, there is conflicting information out there about how to implement them correctly. That's when it's time to head to the source documentation.

The IETF RFC 6749, "The OAuth 2.0 Authorization Framework", is the source document that defines the OAuth 2.0 protocol. It is the source of truth. (It does not stand entirely alone: how a client presents the access token it obtains is defined separately in RFC 6750, "The OAuth 2.0 Authorization Framework: Bearer Token Usage".)
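To make the abstract diagrams in the RFC concrete, here is the authorization code grant from RFC 6749 section 4.1 walked through end to end, with both the client's requests and the authorization server's responses constructed inline so it runs offline. This is an added example, not code from the original post or from any of the services named above; the endpoint URLs, client identifier, client secret, redirect URI and scope are assumed values, and the sample code and token strings are the ones RFC 6749 itself uses in its examples. The two checks a practitioner should notice are the `state` comparison on the redirect (the RFC's CSRF defence, section 10.12) and sending the identical `redirect_uri` in the token request (section 4.1.3).

```python
"""RFC 6749 section 4.1 (authorization code grant), both sides' messages.
Added example; all endpoints, credentials and sample values are assumed or
taken from the RFC's own examples, not from a real deployment."""
import base64
import json
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Hypothetical authorization server and client registration (assumed values).
AUTHZ_ENDPOINT = "https://auth.example.com/authorize"
TOKEN_ENDPOINT = "https://auth.example.com/token"
CLIENT_ID = "voice-recorder-app"
CLIENT_SECRET = "s3cret"   # confidential client; never ship this in a mobile app
REDIRECT_URI = "https://recorder.example.net/cb"


def build_authorization_request(scope, state):
    """4.1.1: the client sends the resource owner's user agent to the
    authorization endpoint. `state` binds the later redirect to this request."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,
    }
    return AUTHZ_ENDPOINT + "?" + urlencode(params)


def parse_authorization_response(redirect_url, expected_state):
    """4.1.2: the server redirects back with `code` and the echoed `state`.
    Reject the response if `state` is absent or differs (10.12), or if the
    server returned an error response (4.1.2.1) instead of a code."""
    query = parse_qs(urlsplit(redirect_url).query)
    state = query.get("state", [None])[0]
    if state is None or not secrets.compare_digest(state, expected_state):
        raise ValueError("state mismatch: possible CSRF or replayed redirect")
    if "error" in query:
        raise ValueError("authorization error: " + query["error"][0])
    if "code" not in query:
        raise ValueError("redirect carried neither code nor error")
    return query["code"][0]


def build_token_request(code):
    """4.1.3: exchange the code at the token endpoint. `redirect_uri` must be
    identical to the one sent in 4.1.1; the server is required to compare
    them. The client authenticates with HTTP Basic (2.3.1)."""
    creds = base64.b64encode(f"{CLIENT_ID}:{CLIENT_SECRET}".encode()).decode()
    headers = {
        "Authorization": "Basic " + creds,
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
    })
    return TOKEN_ENDPOINT, headers, body


def parse_token_response(status, body):
    """4.1.4 / 5.1: a 200 JSON body carrying access_token and token_type;
    5.2 gives the error shape. Only fields the RFC names are picked out."""
    data = json.loads(body)
    if status != 200 or "error" in data:
        raise ValueError("token error: " + str(data.get("error", status)))
    if "access_token" not in data or "token_type" not in data:
        raise ValueError("token response missing required fields")
    return {
        "access_token": data["access_token"],
        "token_type": data["token_type"],
        "expires_in": data.get("expires_in"),
        "refresh_token": data.get("refresh_token"),
        "scope": data.get("scope"),
    }


def run_flow():
    """Drive the whole grant against constructed server messages. A real
    client would send the 4.1.3 request over TLS and read the real reply."""
    state = secrets.token_urlsafe(16)
    build_authorization_request("files:write", state)   # user agent goes here

    # Constructed redirect, using the sample code from RFC 6749 section 4.1.2.
    redirect = REDIRECT_URI + "?" + urlencode(
        {"code": "SplxlOBeZQQYbYS6WxSbIA", "state": state})
    code = parse_authorization_response(redirect, state)

    build_token_request(code)   # would be POSTed to TOKEN_ENDPOINT

    # Constructed token response in the shape shown in RFC 6749 section 5.1.
    server_body = json.dumps({
        "access_token": "2YotnFZFEjr1zCsicMWpAA",
        "token_type": "Bearer",
        "expires_in": 3600,
        "refresh_token": "tGzv3JOkF0XG5Qx2TlKWIA",
    })
    return parse_token_response(200, server_body)
```

Running `run_flow()` returns the parsed token set; the interesting failure paths are a redirect whose `state` does not match (rejected before the code is ever used) and a token response that carries `error` instead of `access_token`. Note that this grant as written is for a confidential client that can hold `CLIENT_SECRET`; a native app such as the voice recorder in the example above cannot, which is why RFC 6749 treats public clients separately (section 2.1).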

Unfortunately, RFCs are difficult to understand because they are purely technical and sometimes very abstract documents. When I started reading the RFC for the OAuth 2.0 specification, I was very confused because I didn't fully understand the definitions and diagrams. It took a while for me to really home in on some confusing concepts. Once I was able to build my own mental model for those concepts, I was able to actually read and understand the document.

In the video series below, I walk through parts of the RFC and explain it from my own understanding while pointing out the areas where I was really confused. My goal with making these videos is to try to make it a little easier for someone to overcome the steep learning curve of reading this highly technical document that defines the OAuth 2.0 protocol.

© Copyright 2017 - Dedicated Managers, Inc. - All Rights Reserved