Blog | G5 Cyber Security

OAuth 2.0: User Access Authorization

TL;DR

This guide shows you how to authorize a user’s access in an OAuth 2.0 flow, typically after they’ve logged in and granted permission for your application to access their data on another service (like Google, Facebook, etc.). We’ll cover the key steps involved.

Authorizing User Access

  1. Understand the OAuth Flow: Before authorizing, remember the basic flow:
    • The user initiates a request for access from your application.
    • Your application redirects the user to the authorization server (e.g., Google’s login page).
    • The user logs in and approves or denies your application’s requested permissions.
    • If approved, the authorization server redirects back to your application with an authorization code.
    • Your application exchanges this code for an access token (and often a refresh token).
  2. Exchange Authorization Code for Access Token: This is the core step.
    • You’ll use a POST request to the authorization server’s token endpoint.
    • This request needs specific parameters:
      • grant_type: Set this to authorization_code.
      • code: The authorization code you received after user approval.
      • redirect_uri: The same redirect URI used in the initial authorization request. This is crucial for security: the authorization server compares it with the URI the code was issued for and rejects the exchange if they differ.
      • client_id: Your application’s client ID.
      • client_secret: Your application’s client secret (keep this secure!).
  3. Example Request (using curl): This is a simplified example; the exact parameters may vary depending on the authorization server.
    curl -X POST \
      -H "Content-Type: application/x-www-form-urlencoded" \
      -d 'grant_type=authorization_code&code=AUTHORIZATION_CODE&redirect_uri=YOUR_REDIRECT_URI&client_id=YOUR_CLIENT_ID&client_secret=YOUR_CLIENT_SECRET' \
      https://accounts.google.com/o/oauth2/token
  4. Handle the Response: The authorization server will respond with a JSON object containing:
    • access_token: This token is used to access protected resources on behalf of the user. It has an expiration time.
    • refresh_token (optional): Used to obtain new access tokens when the current one expires, without requiring the user to re-authorize. Store this securely!
    • expires_in: The number of seconds until the access token expires.
    • scope: The permissions granted by the user.
  5. Securely Store Tokens: Never store tokens in plain text.
    • Use encryption at rest and in transit (HTTPS).
    • Consider using a secure token storage mechanism provided by your framework or platform.
  6. Using the Access Token: Include the access token in the Authorization header of your requests to protected resources.
    Authorization: Bearer ACCESS_TOKEN
  7. Refresh Tokens (if available): When an access token expires, use the refresh token to obtain a new one. The process is similar to exchanging the authorization code, but with grant_type=refresh_token.
    curl -X POST \
      -H "Content-Type: application/x-www-form-urlencoded" \
      -d 'grant_type=refresh_token&refresh_token=YOUR_REFRESH_TOKEN&client_id=YOUR_CLIENT_ID&client_secret=YOUR_CLIENT_SECRET' \
      https://accounts.google.com/o/oauth2/token
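Putting steps 1 through 7 together, here is an added example (not code from this post or from G5 Cyber Security) of a small Python client that issues a state value with the authorization redirect, rejects callbacks whose state is unknown or already used, exchanges the code with the same redirect_uri, checks the token response, and refreshes once the access token is within 30 seconds of expiry. `OAuthClient`, its constructor arguments and the `transport` callable are hypothetical names; `transport` stands in for the HTTPS POST so the class can be exercised offline.

```python
import json
import secrets
import time

TOKEN_URL = "https://accounts.google.com/o/oauth2/token"  # token endpoint used in the post


class OAuthClient:
    def __init__(self, client_id, client_secret, redirect_uri, transport):
        self.client_id, self.client_secret = client_id, client_secret
        self.redirect_uri = redirect_uri
        self.transport = transport  # transport(url, form) -> JSON text; stands in for an HTTPS POST
        self.pending = set()        # outstanding state values, each valid for exactly one callback
        self.tokens = None

    def authorization_params(self):
        """Step 1: query parameters for the redirect to the authorization server."""
        state = secrets.token_urlsafe(32)  # unguessable value that binds the callback to this client
        self.pending.add(state)
        return {"response_type": "code", "client_id": self.client_id,
                "redirect_uri": self.redirect_uri, "state": state}

    def _post_token(self, form):
        """Steps 2/4/7: POST to the token endpoint and validate the JSON reply."""
        form.update(client_id=self.client_id, client_secret=self.client_secret)
        body = json.loads(self.transport(TOKEN_URL, form))
        if "access_token" not in body:
            raise RuntimeError("token endpoint error: " + str(body.get("error", "no access_token")))
        body["expires_at"] = time.time() + int(body.get("expires_in", 0))
        if "refresh_token" not in body and self.tokens:
            body["refresh_token"] = self.tokens["refresh_token"]  # servers may omit it on refresh
        self.tokens = body
        return body

    def handle_callback(self, query):
        """Step 2: check the state, then exchange the code with the SAME redirect_uri as before."""
        if query.get("state") not in self.pending:
            raise ValueError("unknown or reused state; callback ignored")
        self.pending.remove(query["state"])
        if "code" not in query:
            raise ValueError("authorization denied: " + str(query.get("error", "no code")))
        return self._post_token({"grant_type": "authorization_code",
                                 "code": query["code"], "redirect_uri": self.redirect_uri})

    def bearer_header(self, now=None):
        """Steps 6/7: header for a resource request, refreshing first if the token has expired."""
        now = time.time() if now is None else now
        if self.tokens["expires_at"] <= now + 30:  # treat tokens within 30 s of expiry as expired
            self._post_token({"grant_type": "refresh_token",
                              "refresh_token": self.tokens["refresh_token"]})
        return {"Authorization": "Bearer " + self.tokens["access_token"]}
```

In a real deployment the `transport` would be an HTTPS client and the token set would be written to encrypted storage rather than kept in memory, as step 5 recommends.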