How OAuth Boosts API Security and Access Management Posted in Security Subho Halder January 12, 2021 App development on Android, iOS, macOS, Windows 10, and Linux has accelerated rapidly in the past few years with the help of standardized APIs (Application Programming Interfaces). However, with the increasing reliance on APIs, securing the communication and information exchange has become a priority. OAuth authentication has been instrumental in securely transmitting information between users and servers and between two platforms. Over the past few years, OAuth has become highly influential due to its quick and wide adoption across multiple sectors. Created and supported by tech titans such as Google, Twitter, and several other leading companies, OAuth underwent substantial evolution from OAuth 1.0 to OAuth 2.0. With even more capabilities and secured pathways or protocols, OAuth 2.0 has become the favorite of multiple platforms, including Instagram, LinkedIn, Microsoft, Netflix, PayPal, and others. What Is OAuth Authentication Standard? OAuth stands for an Open-standard Authorization protocol or framework. It is essentially a set of rules and standards that governs how unrelated servers and services can safely allow authenticated access to their assets. The exchange of information can take place without actually sharing the initial, related, single login credential. In authentication parlance, this is known as secure, third-party, user-agent, delegated authorization. Typically, a registered third-party client application uses specific API calls to retrieve or request a particular access token for accessing OAuth protected resources. Over and above OAuth, additional security layers, such as OpenID Connect, implement a single sign-on protocol on top of the OAuth authorization process. However, this article restricts itself to discussing the OAuth standard. OAuth: Authentication vs. Authorization OAuth was initially designed to provide a secure authorization mechanism for websites. The set of protocols defines a standard procedure for end-users to grant third-party website access to their private resources stored on a service provider. This was the primary intention behind the first version, OAuth 1.0. However, given its simplicity and efficiency, the mechanism was rapidly adopted by many websites and platforms. Major companies realized the potential benefits of OAuth went beyond mere authorization and repurposed the same for authentication as well. While authorization and authentication might appear similar to each other, there are a few fundamental differences, and the latter is more direly needed by most modern-day websites. Similarly, OAuth can offer quite a few security-related services, and authorization is just the core one. However, it is also fundamental to a number of different things and can even be used on its own to great effect. While in its early iteration, OAuth served its purpose well for authorization, websites quickly learned to use the platform to do a lot more, and authentication is one of them. After the repurpose, the OAuth protocol can now enable a user to prove his/her identity to a relying party, utilizing his/her existing session with the service provider. It is safe to say that the web industry has decisively moved towards adopting OAuth for authentication. The fundamental difference between OAuth Authorization and OAuth Authentication is what defines OAuth 1.0 and OAuth 2.0. Moreover, neither OAuth 1.0 nor OAuth 2.0 documentation is explicitly geared for authentication. Still, OAuth is now a de-facto authentication and authorization protocol. Understanding OAuth 1.0 and OAuth 2.0 The initial OAuth 1.0 was quite versatile and effective. However, it was primarily designed for traditional web technology and not for mobile platforms. This mandated the evolution of the protocols and procedures to accommodate and secure mobile applications or apps. Moreover, with Android smartphones growing exponentially, the data exchanged across millions of mobile apps and devices needed an even more powerful and reliable authentication protocol. OAuth 2.0 successfully offers the same. Before OAuth was launched, there was OpenID for third-party user authentication. However, OpenID had its own set of limitations, which OAuth 1.0 was designed to address. OAuth 2.0 takes the matter of secure authentication much further. Because it extends far beyond being a “protocol,” OAuth 2.0 is called an authorization “framework.” The OAuth 2.0 framework offers user authentication delegation in the form of an access token. Any application that uses OAuth 2.0 can use this token system. The way this works is the access token is presented to the API. The server that receives the token knows how to validate it and ensure it is active. From the application’s perspective, it is an opaque string. Here’s a basic difference between OAuth 1.0 and OAuth 2.0: OAuth 2.0 and API Security The common starting point for any organization is using API keys for bolstering security. They are usually easier to implement but have limited options for permissions. OAuth 2.0 has the most advanced approach toward granting access. Under the OAuth 2.0 protocol, the application requests authorization access from the resource owner. Implementation of OAuth 2.0 for API security starts with registering the application with the service and requesting API keys. Developers usually register very basic information such as application name, a website, logo, etc. In addition, creators must also register a redirect URI used to redirect users through secure pathways. The first step of OAuth 2.0 is to get authorization from the user. This could be in the form of an authorization code or password. How Does OAuth 2.0 Help API Security? With the rising use of APIs, especially in mobile apps, they are increasingly proving to be a significant vulnerability point. APIs are often designed internally to fulfill small functions, and hence they often evade public security and compliance teams. OAuth 2.0 is specifically designed as a more advanced and refined approach for granting access. With tokens created and granted by OAuth 2.0, there’s advanced security such as a scoping function that lets developers establish fine-grained permissions for applications. However, the most desired attribute is the time-restricted availability of the tokens. As these tokens expire, they cannot be reused. As mentioned previously, OAuth is designed as a framework instead of a protocol. A protocol describes how data is structured and communicated. It also governs how endpoints behave and interact. Meanwhile, a framework acts as a general operating agreement. This can be expanded to serve multiple purposes. Through these expansions or extensions, OAuth 2.0 offers: JSON Web Tokens (JWT): JWT can be used to define payloads for passing data between systems with built-in expiration mechanisms and signatures for validation. OpenID Connect: This allows the standardization of those tokens for sharing user profile information. Endpoints: These introspect and revoke those tokens. A platform can essentially detect if a token has been modified and restrict an application’s access immediately. The Device Grant Type: This extends OAuth to devices with limited input possibilities such as Android Smart TVs, IoT, etc. The Authorization Code Flow+PKCE Grant Type: These are specifically intended to support native mobile apps running on Android and iOS. Learn more in this free course from Curity: Getting Started with OAuth and OpenID Connect How Does OAuth 2.0 Help API Access Management? There’s little doubt that OAuth 2.0 has transformed API security and access management. The framework has increasingly simplified user engagement with applications while still securing their personal information. Simply put, using OAuth2.0, it has become possible for an application to access the user’s data without the need for exposing the user’s credentials to the application. The API will grant access to the resource owner (user) only when it receives a valid and time-restricted token from the application that’s generated through the OAuth 2.0 framework. However, it is essential to note that OAuth2.0 is not an authentication protocol in the traditional sense. Moreover, OAuth 2.0 can’t secure APIs on its own. It needs a few more tools and protocols to protect the APIs from malicious requests and data, and act as a comprehensive access management platform.