OAuth 2.0 Explained by Visiting Grandma
After my last post, I realized that it might be kind of hard to understand if you didn’t already have a basic understanding of authentication online. To that end, I came up with a different way to try to explain how OAuth 2.0 works, by using my Grandmother as an example.
Let's say I am going on a trip to visit Grandma. When I get to her house I would like to be let in so that I can see her and talk with her a while, but I don't have a key! In order to get into Grandma's house I need to ask for permission, and this is where OAuth2 comes in.
In this case I ring the doorbell and wait for Grandma to ask, "Who is it?" I respond, "Your Grandson Christopher," to which she replies, "I'm coming!" This is similar to the way OAuth2 works: when I (the application) try to access data (Grandma's house), I first have to ask permission from the user (Grandma). Here Grandma acknowledges that she will let me in and lets me know that she is on the way, just like the OAuth2 server returning me a code. The application can then use this code to complete the authorization.
When Grandma gets to the door she can tell it is me by looking through the peep-hole. In OAuth2, this is where I would send my secret key and the code the server gave me back to the server so that it can verify who I am. In Grandma's case, all she has to do is look out the window or door!
Once Grandma has confirmed my identity she lets me into the house. It is the same in OAuth2: once the server has confirmed who I am, it passes me a bearer token which I (the application) can use to access secured items on behalf of the user.
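To make the doorbell, peep-hole and open-door steps concrete, here is an added toy model of the authorization-code exchange (example code written for this post, not code from the original or from any OAuth library). The client id, client secret and the `AuthorizationServer` class are all constructed for illustration; a real authorization server would also check the redirect URI and more, which this model leaves out.

```python
import secrets
import time

# Constructed example credentials: the application (grandson) is the client.
CLIENT_ID = "grandsons-app"
CLIENT_SECRET = "shh-only-chris-knows"

class AuthorizationServer:
    """Toy authorization server: hands out one-time codes, then bearer tokens."""

    def __init__(self, clients, code_ttl=60):
        self.clients = clients          # client_id -> client_secret
        self.codes = {}                 # code -> (client_id, expires_at)
        self.tokens = set()             # bearer tokens that are currently valid
        self.code_ttl = code_ttl        # seconds a code stays exchangeable

    def authorize(self, client_id, user_consented):
        # "Who is it?" / "I'm coming!": once the user consents, the server gives
        # the application a short-lived code, never the token itself.
        if client_id not in self.clients or not user_consented:
            return None
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, time.time() + self.code_ttl)
        return code

    def token(self, client_id, client_secret, code):
        # The peep-hole check: the code alone proves nothing. The client must
        # present its secret, and the code must be the one issued to it.
        expected = self.clients.get(client_id, "")
        if not secrets.compare_digest(expected, client_secret):
            return None
        entry = self.codes.pop(code, None)   # pop: a code can be redeemed once
        if entry is None or entry[0] != client_id or entry[1] < time.time():
            return None
        token = secrets.token_urlsafe(32)    # the door opens: a bearer token
        self.tokens.add(token)
        return token

    def has_access(self, bearer_token):
        """Resource check: is this bearer token one we issued?"""
        return bearer_token in self.tokens

def visit_grandma(server, consented=True):
    """Run the whole flow once; returns a bearer token, or None if refused."""
    code = server.authorize(CLIENT_ID, consented)
    if code is None:
        return None
    return server.token(CLIENT_ID, CLIENT_SECRET, code)
```

Note that a stolen code is useless without the client secret, and a code that is replayed, expired, or issued to a different client is rejected at the token step.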
If you want to learn more about OAuth, I listed several resources in my previous post, which details more of the technical side of how OAuth2 works.