A lot of confusion exists when we hear about the OAuth protocol, so I wanted to summarise the hows and whats of OAuth and hopefully help someone in the process of learning or understanding it.
Yeah, I will make sure to structure my writing so that it's easy to read and understand (yeah I know, sounds like a developer talking about his codebase :-p )
So, what is OAuth? It is just an Authentication protocol that allows someone/some service to access restricted resources. Depending on the OAuth flow, we can generally categorise it as:
3-Legged (I think this is the most common flow): there is a resource server (what we are trying to access), a resource owner (the actual user trying to access the resource), an Authentication Server (the server that handles the authentication request) and the Client (the OAuth client through which the user interacts with the resource).
Does it ring a bell? Can you recall when you created an application and then wanted to access Google Calendar via your app? That was a 3-legged OAuth flow... Now you know!!!!
2-Legged: removing the resource owner (the third leg) from the OAuth flow makes it 2-legged OAuth.
Imagine a service that wants access to a resource (within an internal network?). (Source: IBM)
Another buzzword: Sign in with (Google/Facebook/Twitter/...). Is this OAuth?? Well, technically yes... but there is more to it...
Welcome to OIDC
What is that, you say? It's OpenID Connect, which is built on top of OAuth.
What happens when we have an application that signs in with an external provider (one that supports OAuth and OIDC)? Have you noticed that the provider redirects back to your app? Also, have you noticed that the URL contains some huge string?
If you did... wow, you're awesome!!!! If not... you're still awesome!!! because you are learning it now :-p
So what it does is give us an Identity Token that contains claims (key-value pairs) which help us identify who the user is. Imagine the Identity Token as an ID card (a digital version, but more secure since it's digitally signed).
BTW, the huge string that we get once the provider redirects back to your app is the Authorisation Code, which is then exchanged for the Identity Token.
Remember: the scopes that you define play a huge part in what you get.
Have fun learning!!!! :-p
And one more thing :-p We have been working on an open source project to easily integrate third-party login providers into a .NET Core application without much complexity.
Feel free to check it out: github.com/benjohn88/SimpleOAuth
Better yet, show some love and raise a PR!!!