Editor’s note: This interview with Matthias Biehl was recorded for Coding Over Cocktails - a podcast by Toro Cloud.
According to the OAuth website, "OAuth is the industry-standard protocol for authorisation", which focuses on simplicity while providing specific authorisation flows for web applications, desktop applications, mobile phones, and living room devices.
Because of the simplicity and level of security it offers, it has emerged as the de facto standard protocol for protecting web APIs.
However, according to Matthias Biehl, author of "OAuth 2.0: Getting Started in Web-API Security", a lot of developers are still intimidated by the protocol.
"[OAuth] requires a lot of different players, and a very dedicated way of interacting between those players," Biehl says during an interview on Coding Over Cocktails, a podcast by Toro Cloud.
He further states that the intimidation can often stem from the fact that there are multiple channels that need to be authenticated: typically a UI-based interaction, as well as a back channel for API-based interaction.
This can add to the misconception that OAuth can be quite complicated to implement.
"It’s not," Biehl replies.
"Maybe you need to get your head around it once, but I would say: don't be afraid of the OAuth beast. It's actually quite a good and well thought-out, practically proven protocol that we should all use more in our implementations on APIs," he adds.
In order to have a better understanding of OAuth and its flows, Biehl advises developers to look at several resources around it, including this OAuth Cheat Sheet he developed at API University.
"Nowadays, I think there are excellent libraries that you can use as a programmer that get you around a lot of these difficult parts, and they already incorporate all the best practices. So, instead of trying to code the protocol yourself from the start, use something that's already out there."
The key to understanding OAuth is… literally a "key".
Instead of providing passwords, OAuth provides users an "access token" in order to grant them access to websites or applications.
Biehl explains that OAuth works like checking-in to a hotel with keycard access.
"When you check into a hotel, you don't get handed out the master key to all the rooms, right? That is kept secret and only a few people can hold that. But when you check into a hotel, you get a key card that's programmable, and that gives you access to the front door, to your own room and not to any other room in the big house. It also gives you access only for a specific time period, right? And afterwards, I mean, maybe you would leave it in your pocket. You come back a year later, it won't work because it is bound – and that's basically what OAuth brought." Matthias illustrates.
The OAuth 2.0 Authorisation Framework also supports several ways to retrieve these access tokens via "flows".
While there are several flows that can be used depending on the use case, the main one is called the "Authorisation Code Flow".
"What you do in an authorisation code flow is, number one: the client requests an authorisation code on the authorisation endpoint; then, there you have the end user in the loop. The end user usually authenticates by logging in with biometrics, with a password, and so forth."
"Then as an outcome of that, the client, the app, receives a so-called authorisation code on the redirect endpoint. And with this intermediate code, it can then request an OAuth access token using a back channel – using an API called directly on the OAuth server. Now, when this comes back, the access token has to be validated and then it can be used in order to access those resources," he explains.
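The flow Biehl walks through, as an added example that is not code from the podcast or from Toro Cloud: an in-memory stand-in for the OAuth server's authorisation and token endpoints, a client that runs the front-channel step, the back-channel exchange and the validation step, plus the checks a server must make on the code (bound to the client and redirect URI, short-lived, single use). Client id, secret, redirect URI and the `introspect` helper are constructed for the example.

```python
import secrets
import time
from urllib.parse import urlencode, urlparse, parse_qs


class AuthServer:
    """Constructed stand-in for the authorisation server (not a real library)."""

    def __init__(self):
        self.clients = {"app-123": {"secret": "s3cret", "redirect": "https://app.example/cb"}}
        self.codes = {}   # code -> (client_id, redirect_uri, user, scope, expiry)
        self.tokens = {}  # access token -> (user, scope, expiry)

    def authorize(self, client_id, redirect_uri, user, scope):
        """Front channel: user has just authenticated in the browser; issue a code."""
        client = self.clients.get(client_id)
        if client is None or client["redirect"] != redirect_uri:
            raise ValueError("unknown client or redirect_uri mismatch")
        code = secrets.token_urlsafe(24)
        self.codes[code] = (client_id, redirect_uri, user, scope, time.time() + 60)
        return f"{redirect_uri}?{urlencode({'code': code})}"  # the redirect the browser follows

    def token(self, client_id, client_secret, code, redirect_uri):
        """Back channel: the client calls the token endpoint directly with its code."""
        client = self.clients.get(client_id)
        if client is None or client["secret"] != client_secret:
            raise PermissionError("client authentication failed")
        entry = self.codes.pop(code, None)  # pop: a code is redeemable exactly once
        if entry is None or entry[0] != client_id or entry[1] != redirect_uri or entry[4] < time.time():
            raise PermissionError("invalid, expired or already used code")
        tok = secrets.token_urlsafe(32)
        self.tokens[tok] = (entry[2], entry[3], time.time() + 3600)
        return {"access_token": tok, "token_type": "Bearer", "expires_in": 3600}

    def introspect(self, tok):
        """Validation before use: is this token live, and for whom?"""
        entry = self.tokens.get(tok)
        if entry is None or entry[2] < time.time():
            return {"active": False}
        return {"active": True, "sub": entry[0], "scope": entry[1]}


def run_flow(server, user="alice", scope="read:profile"):
    """The client's side of the flow: authorise, receive code, exchange, validate."""
    client_id, secret, redirect = "app-123", "s3cret", "https://app.example/cb"
    location = server.authorize(client_id, redirect, user, scope)
    code = parse_qs(urlparse(location).query)["code"][0]   # arrives on the redirect endpoint
    resp = server.token(client_id, secret, code, redirect)   # back-channel exchange
    return resp, server.introspect(resp["access_token"]), code


def replay_is_rejected(server, code):
    """True if redeeming the same code a second time fails, as it must."""
    try:
        server.token("app-123", "s3cret", code, "https://app.example/cb")
    except PermissionError:
        return True
    return False
```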
OAuth for Microservices
Now that we’ve established how OAuth is mostly utilised for public-facing APIs, can we also use the protocol for east-west configurations, such as between microservices?
"Definitely... but you need to tweak it a little bit differently depending on how you want to use it," Biehl says.
"If you have this East-West type of interaction, then you typically want to have a distributed architecture. You don't want to have any central points, any bottlenecks in your architecture, and you should not really have a reference token because a reference token can only be decoded basically in one point in the whole architecture."
In addition, he explains the concept of a "value token" that’s used for this specific case.
"You can decode this [value] token and see what are the access rights, who is the user and in a very decentralised way, each microservice can decode it and work with that token. And then of course, you can bring both of these patterns basically together, where you have a north-southbound interaction to the outside world, you translate to, say, the reference token that you give out to a value token, that you can then use inside in your microservice architecture." Biehl adds.
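The reference-to-value translation Biehl describes, as an added example that is not code from the podcast or from Toro Cloud: the gateway looks up an opaque reference token at the central server, mints a self-contained value token (a compact JWT signed with HMAC-SHA256), and each microservice verifies that token locally, with no call back to a central point. The reference-token table, the shared key and the `iss` value are constructed for the example; a real deployment would normally use an asymmetric signature so that services hold only a public key.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


# Central OAuth server: a reference token is just an opaque handle into this table
# (constructed sample data), so only this component can resolve it.
REFERENCE_TOKENS = {"ref-8f3a": {"sub": "alice", "scope": "orders:read", "exp": time.time() + 3600}}


def introspect(reference_token):
    return REFERENCE_TOKENS.get(reference_token)


def mint_value_token(claims, key: bytes) -> str:
    """Gateway: wrap the claims in a compact HS256 JWT that any service can decode."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"


def gateway_translate(reference_token, key: bytes):
    """North-south boundary: resolve the reference token once, hand out a value token."""
    claims = introspect(reference_token)
    if claims is None or claims["exp"] < time.time():
        return None
    return mint_value_token({**claims, "iss": "gateway"}, key)


def verify_value_token(token, key: bytes, required_scope):
    """Microservice: check signature, algorithm, expiry and scope locally."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, body, sig = parts
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):  # verify before trusting any field
        return None
    if json.loads(_unb64(header)).get("alg") != "HS256":  # pin the algorithm we accept
        return None
    claims = json.loads(_unb64(body))
    if claims.get("exp", 0) < time.time() or required_scope not in claims.get("scope", "").split():
        return None
    return claims
```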
Learn more about OAuth with Biehl in this episode of Coding Over Cocktails - a podcast by Toro Cloud.
Coding Over Cocktails is a podcast created by Toro Cloud, a company that offers a low-code, API centric platform for application development & integration.
This podcast series tackles issues faced by enterprises as they manage the process of digital transformation, application integration, low-code application development, data management, and business process automation. It’s available for streaming on most major podcast platforms, including Spotify, Apple, Google Podcasts, SoundCloud, and Stitcher.