Wednesday, 2 December 2015

oAuth2: A Conversation

I sometimes try to view protocols as conversations between actors in order to aid my comprehension - the anthropomorphising of computer interactions, if you will. I imagine oAuth2 to go something like this (in the context of a web server)...

The actors:
  • You
  • A Desired Service (ADS) - a service you'd like to use
  • oAuth2 Implementer (oAI) - a service you've trusted with your details
You to ADS:  Hello, I'd like to use your service

ADS: Okay, in order to use the service I provide I need you to create an account. I can make this easier for you if you already have an account with (Google | FB | Twitter | etc.) - someone who already knows the information I need to know.

You: I have a Google account, we can use that.

ADS: Cool, in that case I'm going to send you to over to Google to login and they'll send you back to me when you're done.

ADS to oAI: Hey, Google, it's ADS, I'm sending you someone and I want to know their email address, name and phone number. Send them back to this address when you're done.

 ~ you arrive at the oAI (Google)~

aOI: Okay, so who are you?

You: I'm me, I'll login to prove it.

aOI: Hello You. The service that sent you here wants to know your email address, name and phone number, is that cool?

You: Yes, that's fine.

aOI: Alrighty.  When ADS registered with me they specified after people have logged in successfully and agreed to the things it wants access to, there are a predefined list of URLs I can send you back to, of which https://ads.com/oauth2-return-page, which arrived alongside you, is one. I'll send you back there with this authorisation code which ADS can exchange for an access token in order to ask me about your email address, name and phone number.

~ you arrive back at ADS ~ 

ADS: Nice to see you again. I can see you've logged in with Google successfully. I'll just use that authorisation code to request an access token which I'll use to request your details, then I'll create you an account.

ADS to oAI: Hey, I've got this authorisation code, can I get the associated access token.

oAI to ADS: Sure, here you go.

ADS to oAI: Hey, I've got this access token. Can you tell me the email address, name and phone number associated with it?

oAI to ADS: Yup, here you go.

And that, crudely, is how I understand oAuth2 works when web servers are talking to each other.