OAuth 2 is an authorization framework (RFC 6749) that defines flows for delegating limited access to a user's data between web-enabled applications and services. It lets a third-party application obtain restricted access to a user's information held by a service such as Facebook, Twitter, or GitHub, without the user handing over their password to that application. Note that OAuth 2 itself only conveys authorization; authenticating the user to the third party is the job of OpenID Connect, which is layered on top of it.
Before we get into the details, it would be useful to review the terminology typically used with respect to OAuth 2 authorization.
Let's consider an example. Let's say we want to expose the Todo API to third-party applications on the internet.
The following are the important players in a typical OAuth 2 exchange:
- Resource owner: This is the user of the third-party application, who owns the data exposed through our Todo API. They decide how much of the information available through our API is made available to the third-party application, typically by granting or denying a requested scope.
- Resource server: This hosts the Todo API, the resource we want to secure. It accepts requests that carry an access token and serves only what the token's scope permits.
- Client: This is the third-party application that wants to consume our API on the resource owner's behalf.
- Authorization server: This is the server that provides the OAuth service. It authenticates the resource owner, records their consent, and issues the access tokens that the client presents to the resource server.
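To make the four roles concrete, the following is an added example (not the book's Todo API code) that plays one authorization-code exchange entirely in memory. The class names, the `todo-mobile` client, the `https://app.example/cb` redirect URI, the `todos:read` scope and the sample todo list are all hypothetical stand-ins. It also carries the checks a real authorization server must perform and that a toy walkthrough usually omits: the redirect URI must match the registered one, an authorization code is single use and short-lived, and the resource server enforces scope rather than merely checking that a token exists.

```python
"""Toy OAuth 2 authorization-code exchange between the four OAuth roles.

Added example, not code from the book's Todo API: AuthorizationServer,
ResourceServer, ThirdPartyClient, the 'todo-mobile' client and the
'todos:read' scope are hypothetical names used to show who talks to whom.
"""
import secrets
import time
from dataclasses import dataclass


@dataclass
class Grant:
    """What one resource owner agreed to for one client."""
    client_id: str
    user: str
    scope: frozenset
    redirect_uri: str
    expires_at: float


@dataclass
class ThirdPartyClient:
    """The third-party application; it never sees the user's password."""
    client_id: str
    secret: str
    redirect_uri: str


class AuthorizationServer:
    """Authenticates the resource owner, records consent, issues tokens."""

    def __init__(self, clients):
        self.clients = clients   # client_id -> (client_secret, registered redirect_uri)
        self.codes = {}          # one-time authorization codes -> Grant
        self.tokens = {}         # access_token -> Grant

    def authorize(self, client_id, redirect_uri, scope, user, consent):
        """Front channel: the resource owner's browser is redirected here."""
        if client_id not in self.clients:
            raise PermissionError("unknown client")
        if redirect_uri != self.clients[client_id][1]:
            raise PermissionError("redirect_uri does not match registration")
        if not consent:
            raise PermissionError("resource owner denied access")
        code = secrets.token_urlsafe(32)
        self.codes[code] = Grant(client_id, user, frozenset(scope), redirect_uri,
                                 time.time() + 60)  # codes expire fast
        return code

    def token(self, client_id, client_secret, code, redirect_uri):
        """Back channel: the client trades the code plus its secret for a token."""
        grant = self.codes.pop(code, None)  # pop: a code can be redeemed once
        if grant is None or grant.expires_at < time.time():
            raise PermissionError("invalid or expired code")
        registered = self.clients.get(client_id)
        if registered is None or not secrets.compare_digest(registered[0], client_secret):
            raise PermissionError("bad client credentials")
        if grant.client_id != client_id or grant.redirect_uri != redirect_uri:
            raise PermissionError("code was not issued to this client/redirect_uri")
        token = secrets.token_urlsafe(32)
        self.tokens[token] = Grant(client_id, grant.user, grant.scope, redirect_uri,
                                   time.time() + 3600)
        return token

    def introspect(self, token):
        """Return the Grant behind a live token, or None."""
        grant = self.tokens.get(token)
        if grant is None or grant.expires_at < time.time():
            return None
        return grant


class ResourceServer:
    """Hosts the Todo API; trusts a token only after the authorization server vouches for it."""

    def __init__(self, auth_server, todos):
        self.auth = auth_server
        self.todos = todos  # user -> list of todo titles (constructed sample data)

    def get_todos(self, bearer_token):
        grant = self.auth.introspect(bearer_token)
        if grant is None:
            raise PermissionError("401: invalid token")
        if "todos:read" not in grant.scope:
            raise PermissionError("403: insufficient scope")
        return list(self.todos.get(grant.user, []))


def run_flow(consent=True, scope=("todos:read",)):
    """Walk one exchange and return what the client obtained from the API."""
    auth = AuthorizationServer({"todo-mobile": ("s3cret", "https://app.example/cb")})
    api = ResourceServer(auth, {"alice": ["buy milk", "write OAuth chapter"]})
    client = ThirdPartyClient("todo-mobile", "s3cret", "https://app.example/cb")
    # 1+2: client sends alice (resource owner) to the authorization server; she consents or not
    code = auth.authorize(client.client_id, client.redirect_uri, scope, "alice", consent)
    # 3: the code comes back via redirect; the client redeems it over the back channel
    token = auth.token(client.client_id, client.secret, code, client.redirect_uri)
    # 4: the client calls the resource server with the bearer token
    return api.get_todos(token)


def replay_is_rejected():
    """A stolen or replayed code must not yield a second token."""
    auth = AuthorizationServer({"todo-mobile": ("s3cret", "https://app.example/cb")})
    code = auth.authorize("todo-mobile", "https://app.example/cb", ("todos:read",), "alice", True)
    auth.token("todo-mobile", "s3cret", code, "https://app.example/cb")
    try:
        auth.token("todo-mobile", "s3cret", code, "https://app.example/cb")
    except PermissionError:
        return True
    return False
```

`run_flow()` returns alice's todos; `run_flow(consent=False)` and `run_flow(scope=("todos:write",))` both raise `PermissionError`, the first at the authorization server (no grant), the second at the resource server (token is valid but its scope does not cover the request). A production deployment would add PKCE for public clients and a `state` parameter against CSRF on the redirect, which this walkthrough omits.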