OAuth2 Introduction
OAuth 2.0 is an industry-standard protocol for authorization that allows third-party applications to obtain limited access to a user's account on iiniit.
What is OAuth 2.0?
OAuth 2.0 is an authorization framework that enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf.
Why Use OAuth 2.0?
OAuth 2.0 provides several benefits for both users and developers:
- Security: Users don't need to share their credentials with third-party applications
- Limited Access: Applications can request only the permissions they need
- Revocable Access: Users can revoke access to applications at any time
- Standardized: Widely adopted industry standard
OAuth 2.0 Roles
OAuth 2.0 defines four roles:
- Resource Owner: The user who authorizes an application to access their account
- Client: The application that wants to access the user's account
- Resource Server: The API server that hosts the protected resources (the user's account data) and accepts access tokens
- Authorization Server: The server that authenticates the user and issues access tokens
OAuth 2.0 Flow
The basic OAuth 2.0 flow works as follows:
- The client requests authorization from the resource owner
- The resource owner authorizes the request
- The client receives an authorization grant
- The client requests an access token from the authorization server
- The authorization server authenticates the client and validates the authorization grant, and if valid, issues an access token
- The client requests the protected resource from the resource server and presents the access token for authentication
- The resource server validates the access token, and if valid, serves the request
OAuth 2.0 Flow Diagram
Grant Types
OAuth 2.0 defines several grant types, each suited for different use cases:
Authorization Code
Used by web applications executing on a server. This is the most common grant type.
Best for: Server-side web applications
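The seven flow steps above, as an added example that is not part of the iiniit documentation: the client builds the authorization request (step 1), the resource owner approves and the server redirects back with a code (steps 2 and 3), the client exchanges the code for a token over the back channel (steps 4 and 5), and the code is consumed so it cannot be replayed. The authorization server is a constructed in-memory stand-in, and the endpoint URLs, client id and client secret are placeholders, not iiniit values.

```python
"""Authorization code grant, simulated end to end with the standard library only.

Added example; not iiniit code. Endpoint URLs, client credentials and the
in-memory authorization server are constructed placeholders.
"""
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholders, not real iiniit endpoints or credentials.
AUTHORIZE_URL = "https://auth.example.invalid/oauth/authorize"
REDIRECT_URI = "https://app.example.invalid/callback"
CLIENT_ID = "example-client-id"
CLIENT_SECRET = "example-client-secret"


def build_authorization_request(scopes, state=None):
    """Step 1: the client sends the resource owner to the authorization server.

    `state` is a random per-session value the client stores so that the
    callback handler can reject responses this client never initiated.
    """
    state = state or secrets.token_urlsafe(32)
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(scopes),
        "state": state,
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}", state


def parse_callback(callback_url, expected_state):
    """Step 3: extract the authorization grant (the code) from the redirect.

    Raises if the server reported an error, if `state` does not match the
    value stored for this session, or if no code is present.
    """
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        raise PermissionError(query["error"][0])
    state = query.get("state", [""])[0]
    if not hmac.compare_digest(state, expected_state):
        raise ValueError("state mismatch: response not tied to this session")
    code = query.get("code", [None])[0]
    if code is None:
        raise ValueError("callback carried no authorization code")
    return code


class FakeAuthorizationServer:
    """Constructed stand-in for steps 2, 4 and 5. Codes are single-use and
    bound to the client and redirect URI they were issued for."""

    def __init__(self):
        self._codes = {}

    def approve(self, client_id, redirect_uri, scopes, state):
        # Step 2: the resource owner approves; the server redirects back with a code.
        code = secrets.token_urlsafe(24)
        self._codes[code] = (client_id, redirect_uri, tuple(scopes))
        return f"{redirect_uri}?{urlencode({'code': code, 'state': state})}"

    def token(self, form, client_secret):
        # Step 5: authenticate the client, validate the grant, issue a token.
        if not hmac.compare_digest(client_secret, CLIENT_SECRET):
            return {"error": "invalid_client"}
        entry = self._codes.pop(form.get("code", ""), None)  # consumed: one use only
        if entry is None or form.get("grant_type") != "authorization_code":
            return {"error": "invalid_grant"}
        client_id, redirect_uri, scopes = entry
        if client_id != form.get("client_id") or redirect_uri != form.get("redirect_uri"):
            return {"error": "invalid_grant"}
        return {
            "access_token": secrets.token_urlsafe(32),
            "token_type": "Bearer",
            "expires_in": 3600,
            "scope": " ".join(scopes),
        }


def token_request(code):
    """Step 4: body of the client's back-channel token request."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
    }


def run_flow(server, scopes=("user:read",)):
    """Drive the whole exchange; returns (token response, code used)."""
    _, state = build_authorization_request(scopes)
    callback = server.approve(CLIENT_ID, REDIRECT_URI, scopes, state)
    code = parse_callback(callback, state)
    return server.token(token_request(code), CLIENT_SECRET), code


if __name__ == "__main__":
    response, _ = run_flow(FakeAuthorizationServer())
    print(response["token_type"], response["scope"])
```

The two checks worth noticing are the `state` comparison in `parse_callback`, which ties a callback to the session that started it, and the `pop` in `token`, which makes a leaked or replayed code worthless after its first use.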
Scopes
Scopes define the specific actions applications can perform on a user's behalf. When requesting authorization, applications should request only the scopes they need.
iiniit supports the following scopes:
Scope | Description
---|---
user:read | Read the user's basic profile information
user:write | Write to the user's profile information
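How the two documented scopes are used on each side, as an added example that is not part of the iiniit documentation: the `scope` parameter is checked against the supported set before the consent screen, and the resource server (flow step 7) refuses an operation when the presented token lacks the scope it requires. The endpoint-to-scope mapping and the sample token records are constructed, and treating `user:write` as independent of `user:read` is an assumption of this example, not something the page states.

```python
"""Scope handling on both sides: the client requests only what it needs, the
resource server grants only what the token carries.

Added example; not iiniit code. The endpoint-to-scope mapping and the token
records are constructed for illustration.
"""

# The two scopes documented for iiniit. user:write is treated here as
# independent of user:read (an assumption for this example).
SUPPORTED_SCOPES = {
    "user:read": "Read the user's basic profile information",
    "user:write": "Write to the user's profile information",
}

# Constructed mapping of protected operations to the scope each requires.
REQUIRED_SCOPE = {
    ("GET", "/user"): "user:read",
    ("PATCH", "/user"): "user:write",
}


def validate_scope_request(requested):
    """Check the space-separated `scope` parameter before it reaches the user.

    Returns the de-duplicated scope list, or raises ValueError naming the
    unknown scopes so a typo is caught before a consent screen is shown.
    """
    scopes = requested.split()
    unknown = sorted(set(scopes) - set(SUPPORTED_SCOPES))
    if unknown:
        raise ValueError(f"invalid_scope: {', '.join(unknown)}")
    return list(dict.fromkeys(scopes))  # de-duplicate, keep request order


def authorize(method, path, token):
    """Resource-server check (flow step 7): may this token perform this call?

    `token` is a constructed dict shaped like a token introspection result:
    {"active": bool, "scope": "space separated scopes"}.
    Returns (status_code, body).
    """
    if token is None or not token.get("active", False):
        return 401, {"error": "invalid_token"}
    needed = REQUIRED_SCOPE.get((method, path))
    if needed is None:
        return 404, {"error": "not_found"}
    granted = set(token.get("scope", "").split())
    if needed not in granted:
        # 403 rather than 401: the token is valid, just not privileged enough.
        return 403, {"error": "insufficient_scope", "scope": needed}
    return 200, {"ok": True}


# Constructed sample tokens.
READ_ONLY_TOKEN = {"active": True, "scope": "user:read"}
EXPIRED_TOKEN = {"active": False, "scope": "user:read user:write"}

if __name__ == "__main__":
    print(authorize("GET", "/user", READ_ONLY_TOKEN))
    print(authorize("PATCH", "/user", READ_ONLY_TOKEN))
```

A read-only token succeeds on `GET /user` and is refused on `PATCH /user` with `insufficient_scope`; an inactive token is refused before any scope is examined, which is the order of checks a resource server should keep.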
Next Steps
Now that you understand the basics of OAuth 2.0, you can:
- Create an OAuth app in the iiniit developer portal
- Learn how to authenticate users with OAuth 2.0
- Understand authorization and how to request specific permissions
- Learn about refresh tokens and how to maintain long-lived access