00 Introduction Why Learn Oauth 2.0


Hello, I’m Wang Xindong, a senior architect at JD.com. I am mainly responsible for the architecture of JD.com’s merchant open platform. In the coming lessons, I will guide you through OAuth 2.0, an authorization protocol.

Since joining JD.com in 2014, I have been involved in the technology related to the open platform, mainly including the gateway and authorization. In the first few years, I always believed that the gateway was the core of the open platform, playing a pivotal role. After all, the gateway needs to handle the entire call volume of the open platform and have sufficient system fault tolerance.

But as my understanding of the open platform deepened, I realized that the gateway and authorization were equally important, like the “two legs” of the open platform.

As for the “leg” of authorization, it not only has to handle access volume comparable to the gateway’s, but also has to keep pace with evolving business scenarios. What kind of business scenarios? Take WeChat login as an example. More and more third-party applications let users log in with WeChat, reducing the friction of user registration. The underlying principle behind this solution is the OAuth 2.0 technology that we will cover in this course.

What is OAuth 2.0? #

So, what exactly is OAuth 2.0? Let’s analyze it literally. The term “OAuth 2.0” consists of the word “Auth,” which stands for “Authorization,” and the letter “O” is short for “Open,” indicating “Open Authorization.” This is why we often use OAuth in the context of open platforms.

By now, you may be wondering whether there was an OAuth 1.0 as well. There was: OAuth 2.0 is the successor of OAuth 1.0. Let me explain the differences between these two versions of OAuth.

In OAuth 1.0, the “big ambition” was to have a single authorization mechanism that could cater to all real-world scenarios, such as web applications, mobile apps, and official applications, among others. However, these scenarios are not all alike. For example, in the case of official applications, do you think it is still necessary for users to authorize? If so, is it a good or bad experience for users to always go through the same authorization mechanism?

With the emergence of OAuth 2.0, the “awkwardness” faced by OAuth 1.0 was addressed. OAuth 2.0 is no longer limited to one authorization mechanism. It expands the types of authorization grant, including the authorization code grant, the client credentials grant, the resource owner password credentials grant, and the implicit grant. With these mechanisms, it adapts flexibly to various real-world scenarios, such as mobile applications and official applications, among others.

Furthermore, OAuth 1.0 had drawbacks such as security vulnerabilities in the protocol itself. OAuth 1.0 is therefore now considered obsolete. For us, it is sufficient to use OAuth 2.0 directly.

Why do we have this course? #

In fact, OAuth 2.0 is not a new technology. Since the introduction of OAuth 1.0 in 2007 and the release of the OAuth 2.0 draft in 2011, there has been a lot of information about OAuth on the Internet. So when I first came across OAuth 2.0 and searched for these scattered resources, I thought OAuth 2.0 was simple, just authorization, and reading a couple of articles would be enough.

However, the seemingly simple OAuth 2.0 actually made me hesitant when it came to using the authorization code flow. For example, how should the authorization code flow be used in a web application? Can the authorization code flow still be used in a mobile app? When I searched for information online with these questions in mind, the disorganized information led me astray. I don’t know if you have also been troubled by the following questions:

When developing a web application and using OAuth 2.0, you worry about the interception of authorization codes but are at a loss for a better solution.

When developing a mobile app and using OAuth 2.0, you spend a lot of time figuring out whether a server-side is needed or not.

Later, I came across the book “OAuth 2 in Action” and it was like finding a treasure. It explains OAuth 2.0 in a very systematic way, giving me a more comprehensive and profound understanding of this protocol framework. It was this book that gave me enough courage to organize the knowledge system of OAuth that I have acquired over the years of working on open platforms. It was at this moment that I realized that once you have a direction, you have depth.

When I started to organize the OAuth 2.0-related technologies and practices I have mastered over the years, and planned to share them, I truly realized that OAuth 2.0 is indeed about authorization, but using this protocol correctly and effectively cannot be explained in just two articles. That is why I created this course.

How is this course designed? #

This course is divided into two main modules: the basic module and the advanced module. Each module combines explanation of OAuth 2.0 with practical content. Next, let me explain why I arranged it this way.

The first part is the basic module, which covers the fundamental knowledge of OAuth 2.0 that you must master. In this module, I will explain in detail the flow of the authorization code grant type, the communication methods between internal components of OAuth 2.0, and the principles of the authorization server, client (third-party software), and protected resource server components.

On this basis, I will also explain the principles of the other three common grant types: resource owner password credentials grant, implicit grant, and client credentials grant. I will also explain how to choose the appropriate grant type for your actual scenario. By doing so, you will be able to understand the operation mechanism of all grant types in OAuth 2.0 and use them confidently in real work environments.

In order to immerse you in the OAuth 2.0 scenario and facilitate your understanding of these concepts and flows, I will use an example of Xiao Ming using a third-party software called “Xiao Tu Printing Software” to print his order data from his JD.com store throughout the course.
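To make the three roles named above (authorization server, client, protected resource server) concrete in the Xiao Ming / Xiao Tu scenario, here is an added toy simulation of the authorization code grant. It is example code written for this page, not the course’s GitHub implementation, and it is simplified: plain dicts and method calls stand in for HTTP requests, the client registry and the token store. It goes slightly beyond this lesson by adding the PKCE extension (RFC 7636), which is how the authorization code flow is hardened against code interception, especially in mobile apps. The client id, client secret, redirect URI and order data are constructed values.

```python
import base64
import hashlib
import secrets

# Constructed registration for the course's "Xiao Tu Printing Software" client.
# The identifiers and URI are hypothetical, not from the course's repository.
CLIENT_ID = "xiaotu-print"
CLIENT_SECRET = "xiaotu-secret"
REDIRECT_URI = "https://xiaotu.example/callback"

# Constructed sample data: Xiao Ming's orders, held by the protected resource server.
ORDERS = {"xiaoming": ["order-1001", "order-1002"]}


def s256(code_verifier: str) -> str:
    """PKCE 'S256' transform from RFC 7636: BASE64URL(SHA-256(verifier)) without '=' padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class AuthorizationServer:
    """Authorization server: hands out single-use codes, then exchanges them for tokens."""

    def __init__(self):
        self.clients = {CLIENT_ID: {"secret": CLIENT_SECRET, "redirect_uri": REDIRECT_URI}}
        self.codes = {}    # code -> what it was issued for
        self.tokens = {}   # access_token -> user and scope

    def authorize(self, client_id, redirect_uri, scope, user, code_challenge):
        """Front channel: after the resource owner (Xiao Ming) consents, issue a code."""
        client = self.clients.get(client_id)
        if client is None or client["redirect_uri"] != redirect_uri:
            raise PermissionError("unknown client or redirect_uri mismatch")
        code = secrets.token_urlsafe(24)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                            "scope": scope, "user": user, "challenge": code_challenge}
        return code

    def token(self, client_id, client_secret, code, redirect_uri, code_verifier):
        """Back channel: the client trades the code plus its credentials for an access token."""
        record = self.codes.pop(code, None)  # pop: a code can be redeemed only once
        if record is None:
            raise PermissionError("invalid or already used code")
        client = self.clients.get(client_id)
        if client is None or not secrets.compare_digest(client["secret"], client_secret):
            raise PermissionError("client authentication failed")
        if record["client_id"] != client_id or record["redirect_uri"] != redirect_uri:
            raise PermissionError("code was issued to a different client or redirect_uri")
        if s256(code_verifier) != record["challenge"]:
            raise PermissionError("PKCE verifier does not match the challenge")
        access_token = secrets.token_urlsafe(32)
        self.tokens[access_token] = {"user": record["user"], "scope": record["scope"]}
        return access_token


class ProtectedResource:
    """Protected resource server: serves order data only to a valid token with the right scope."""

    def __init__(self, auth_server):
        self.auth_server = auth_server  # toy token validation via the shared token store

    def get_orders(self, access_token):
        info = self.auth_server.tokens.get(access_token)
        if info is None or "orders:read" not in info["scope"]:
            raise PermissionError("invalid token or insufficient scope")
        return ORDERS[info["user"]]


def run_flow():
    """Client side of the whole grant; returns the orders Xiao Tu is allowed to print."""
    auth_server = AuthorizationServer()
    resource = ProtectedResource(auth_server)
    code_verifier = secrets.token_urlsafe(32)  # kept by the client; only its hash goes via the browser
    code = auth_server.authorize(CLIENT_ID, REDIRECT_URI, {"orders:read"},
                                 "xiaoming", s256(code_verifier))
    access_token = auth_server.token(CLIENT_ID, CLIENT_SECRET, code, REDIRECT_URI, code_verifier)
    return resource.get_orders(access_token)


def replay_is_rejected():
    """A code that leaked in transit is useless once the legitimate client has redeemed it."""
    auth_server = AuthorizationServer()
    code_verifier = secrets.token_urlsafe(32)
    code = auth_server.authorize(CLIENT_ID, REDIRECT_URI, {"orders:read"},
                                 "xiaoming", s256(code_verifier))
    auth_server.token(CLIENT_ID, CLIENT_SECRET, code, REDIRECT_URI, code_verifier)
    try:
        auth_server.token(CLIENT_ID, CLIENT_SECRET, code, REDIRECT_URI, code_verifier)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    print(run_flow())
```

The three checks in `token()` are the ones worth remembering when you later read the course’s Java code: the code is consumed on first use, it is bound to the client and redirect URI it was issued for, and with PKCE the party redeeming it must prove it started the flow by presenting the original verifier.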

What I can tell you is that after completing the content of the basic module, you will be able to apply OAuth 2.0 to practical work scenarios.

The second part, the advanced module, will focus on “advanced” use cases of OAuth 2.0, allowing you to learn how to use OAuth 2.0 more securely and extensively.

Therefore, this part of the content will include how to use OAuth 2.0 in mobile apps, the security vulnerabilities caused by improper use of OAuth 2.0, and how to use OAuth 2.0 to implement an OpenID Connect user authentication protocol. In addition, I have invited an expert in the field of microservices, Mr. Yang Bo, to share an architectural case based on OAuth 2.0/JWT for microservices.

Finally, to accompany the course and make the theory more practical, I have prepared a simple, practical Java implementation for you on GitHub.

The code is simple in the sense that besides basic servlet technology, I haven’t introduced any other third-party content. So as long as you can understand Request and Response, you will be able to understand this code.

The code is applicable in the sense that although it is a simple code, it not only runs all components of OAuth 2.0 but also includes a specific implementation of the OIDC protocol. Of course, I have left some TODOs in the code for you to practice and handle based on the context. This is an open-source project.

Here, I have summarized the knowledge system diagram of OAuth 2.0, and you can also get an overview of the knowledge structure of the entire course.

By completing this course, you will develop a keen “eye” in the field of internet authorization and be able to identify all traces of OAuth 2.0 usage, such as the WeChat login scenario. Even without packet capturing and analysis, you will be able to understand the principles behind it and lay a foundation for quickly familiarizing yourself with similar scenarios on the internet in the future.

Finally, I would like to formally get to know you. You can make a self-introduction in the comment section and chat with me about your current difficulties and pain points in learning and using OAuth 2.0. Or you can also share your unique thoughts and experiences regarding OAuth 2.0 and authorization. Feel free to communicate and discuss with me in the comment section.

Alright, let’s now start our journey with OAuth 2.0.