OAuth – Saying Goodbye to User Names and Passwords

OAuth is an authentication method that uses codes and tokens to authorize access without sharing credentials. There have been two versions of this open standard, and the industry has adopted OAuth 2.0 (which is backwards compatible). The days of sharing credentials with a user name and password are over. Google, GitHub, Vimeo, QuickBooks Online, Sage One, and many more sites on the web use this standard. So let’s learn more about it…

Typically, there are a number of communication points during the OAuth process. First, you must register your application with the service you are integrating and obtain both a Client ID and Client Secret. Keep both of these values, as they are part of every subsequent call. For example, a Google integration requires you to obtain the Client ID and Secret from the Google Developer Console.

Next, you will call an authorization server to obtain an “authorization code”. This is done via an HTTP POST with a number of parameters, or sometimes simply by pasting the URL into a web browser. It is imperative to get the parameter names and expected values from the provider you are calling; these details can typically be found in its documentation. Below is an example from Google. The parameter names are redirect_uri, response_type, client_id, and scope; the parameter values are the items after the equals signs.

?redirect_uri=urn:ietf:wg:oauth:2.0:oob
&response_type=code
&client_id=client_id_here
&scope=https%3A%2F%2Fmail.google.com%2F

This will return the “Authorization Code” that we will use in subsequent calls.

Next, you’ll use the “Authorization Code” to obtain an “Access Token” and other items. Note that this call needs at least the Authorization Code, Client ID, and Client Secret you obtained earlier. The call is done via an HTTP POST. Here’s an example:

?grant_type=authorization_code
&client_id=client_id_here
&client_secret=client_secret_here
&redirect_uri=urn:ietf:wg:oauth:2.0:oob
&code=authorization_code_here

The response contains multiple items, but typically it will include an “Access Token”, an “Expiration”, and a “Refresh Token”. Because the Access Token expires, use it promptly to POST/GET the data you want. If you plan on making future calls, make sure to keep the “Refresh Token”; it is used to obtain new Access Tokens for further POST/GET calls.

To keep using the API after an Access Token expires, you need to request a new Access Token. This is done with the Refresh Token you were given in the previous call. Use the Refresh Token and the following example to obtain a new Access Token:

?client_id=client_id_here
&client_secret=client_secret_here
&refresh_token=refresh_token_here
&grant_type=refresh_token
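The three steps above (build the authorization request, exchange the code for tokens, refresh before expiry) as one added Python example. This is not code from the original post or from any provider; the endpoint URLs are placeholders, the token endpoint is simulated in-process with constructed responses passed through a pluggable `post` function, and the `state` parameter is an addition the post does not mention: the client generates it, sends it on the first request, and refuses any redirect that comes back with a different value.

```python
import json
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Placeholder endpoints for the post's "authorization server"; each provider
# publishes its own URLs in its developer documentation.
AUTH_ENDPOINT = "https://auth.example.com/oauth2/auth"    # placeholder
TOKEN_ENDPOINT = "https://auth.example.com/oauth2/token"  # placeholder

def new_state():
    """Unguessable per-request value, tied to the user's session, that the
    client re-checks on the redirect so a code from elsewhere is not accepted."""
    return secrets.token_urlsafe(16)

def query_params(url):
    """Single-valued view of a URL's query string."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}

def build_authorization_url(client_id, redirect_uri, scope, state):
    """Step 1: the request that yields the Authorization Code. redirect_uri,
    response_type, client_id and scope are the parameters the post lists."""
    params = {"redirect_uri": redirect_uri, "response_type": "code",
              "client_id": client_id, "scope": scope, "state": state}
    return AUTH_ENDPOINT + "?" + urlencode(params)  # percent-encodes the scope URL

def parse_redirect(redirect_url, expected_state):
    """Pull the code out of the provider's redirect, refusing it on a state mismatch."""
    query = query_params(redirect_url)
    if query.get("state") != expected_state:
        raise ValueError("state mismatch: redirect was not started by this client")
    if "error" in query:
        raise ValueError("authorization failed: " + query["error"])
    return query["code"]

def code_exchange_body(client_id, client_secret, redirect_uri, code):
    """Step 2: form body of the POST that swaps the code for tokens."""
    return {"grant_type": "authorization_code", "client_id": client_id,
            "client_secret": client_secret, "redirect_uri": redirect_uri, "code": code}

def refresh_body(client_id, client_secret, refresh_token):
    """Step 3: form body of the POST that trades the Refresh Token for a new Access Token."""
    return {"client_id": client_id, "client_secret": client_secret,
            "refresh_token": refresh_token, "grant_type": "refresh_token"}

class TokenSet:
    """Access Token plus the absolute time it stops being valid. The response
    carries a relative expires_in (seconds); a deadline is what a long-running
    client needs in order to decide when to refresh."""
    def __init__(self, response, now):
        if "error" in response:
            raise RuntimeError("token endpoint error: " + response["error"])
        self.access_token = response["access_token"]
        self.refresh_token = response.get("refresh_token")
        self.expires_at = now + int(response.get("expires_in", 0))

    def needs_refresh(self, now, margin=60):
        # Refresh a little early so an in-flight call does not land on a dead token.
        return now >= self.expires_at - margin

def exchange_code(post, client_id, client_secret, redirect_uri, code, now):
    """Run step 2 through `post(url, form_dict) -> json_text` and keep the result."""
    body = code_exchange_body(client_id, client_secret, redirect_uri, code)
    return TokenSet(json.loads(post(TOKEN_ENDPOINT, body)), now)

def ensure_fresh(tokens, post, client_id, client_secret, now):
    """Return a TokenSet valid at `now`, running step 3 if the old one is about to expire."""
    if not tokens.needs_refresh(now):
        return tokens
    body = refresh_body(client_id, client_secret, tokens.refresh_token)
    fresh = TokenSet(json.loads(post(TOKEN_ENDPOINT, body)), now)
    if fresh.refresh_token is None:  # refresh replies often omit it; keep the old one
        fresh.refresh_token = tokens.refresh_token
    return fresh

def fake_token_endpoint(url, body):
    """Constructed stand-in for the provider's token endpoint so this runs offline.
    Token values are made up, shaped like the responses the post describes."""
    if body.get("grant_type") == "authorization_code" and body.get("code") == "4/constructed-code":
        return json.dumps({"access_token": "constructed-access-1", "expires_in": 3600,
                           "refresh_token": "constructed-refresh"})
    if body.get("grant_type") == "refresh_token" and body.get("refresh_token") == "constructed-refresh":
        return json.dumps({"access_token": "constructed-access-2", "expires_in": 3600})
    return json.dumps({"error": "invalid_grant"})
```

To drive it against a real provider, replace `fake_token_endpoint` with a function that POSTs the form dictionary to the provider's token URL and returns the response body; the rest of the flow, including the early-refresh margin and the retained Refresh Token, stays the same.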