Discuss this help topic in SecureBlackbox Forum

OAuth: Prerequisites to using OAuth2

The protocol was designed to authenticate users of online services against third-party authentication servers. The aim is to avoid creating a separate account on each site and instead use an existing account, such as a Google or Facebook account, to access, say, a mail server or a task list.

To use the protocol in desktop applications you would need:

  • an HTTPS client to establish an OAuth session with the authentication server;
  • a browser with JavaScript support, where the user authenticates to the authentication server;
  • a local HTTP server to receive the authorization code.

Before using the protocol, the application must be registered on the authentication server. Registration usually requires the application name, which is shown to the user during authentication, and the URL to which the authentication server will send the authorization code by redirecting the browser after successful authentication. For a desktop application this URL can be specified as http://localhost:<port>/ . Some authentication servers allow the port number to be omitted when registering the application in their console and determined dynamically, depending on which port is available on the user's computer, just before the authentication session is started. Some servers do not require localhost to be registered as a redirect URL at all, i.e. such a redirection is always allowed.

To use the authorization server you need to know the following parameters:

  1. The URL of the authorization server: the URL of the authentication page that is shown to the user in the browser.
  2. The URL for obtaining the access token: this is where the authorization code, obtained after the user has authenticated successfully in the browser, is sent. For Google this URL is https://accounts.google.com/o/oauth2/token
  3. The Client ID and Client Secret identifiers, which were issued by the authorization server when the application was registered.
  4. The URL to which the authorization server will redirect the browser after authenticating the user, and where the application waits for the authorization code. Some authorization servers have a special operation mode in which this redirect URL need not be specified and no local HTTP server needs to run to receive the authorization code. Instead, they show the user a separate page in the browser that displays the authorization code and asks the user to copy it into the application that needs it.
  5. Some servers require the application to provide the list of resources (objects or operations) it is going to use. These are the so-called "scopes". Scopes are text identifiers, which you need to take from the server's documentation. For example, to get user information from Google servers you need to specify the following scopes: https://www.googleapis.com/auth/userinfo.email and https://www.googleapis.com/auth/userinfo.profile . Scopes can be almost any text, not just a URL.
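The pieces above, put together as an added example (not SecureBlackbox code): picking a free loopback port for the redirect URL, building the authorization page URL with the Google scopes named above, parsing the redirect the local HTTP server receives (with a check that the `state` value matches this session, so a stray or forged redirect is discarded), and forming the token-exchange request body. The authorization endpoint, the client credentials and the sample redirect request are assumptions or placeholders; only the token URL and scopes come from the page.

```python
import socket
from urllib.parse import urlencode, urlparse, parse_qs

# Token URL and scopes as given on the page. The authorization endpoint is an
# assumption, and the client credentials are placeholders standing in for the
# values issued when the application was registered.
AUTH_URL = "https://accounts.google.com/o/oauth2/auth"   # assumed
TOKEN_URL = "https://accounts.google.com/o/oauth2/token"
SCOPES = ["https://www.googleapis.com/auth/userinfo.email",
          "https://www.googleapis.com/auth/userinfo.profile"]
CLIENT_ID = "CLIENT_ID_PLACEHOLDER"
CLIENT_SECRET = "CLIENT_SECRET_PLACEHOLDER"


def pick_free_port():
    """Ask the OS for an available loopback port (the dynamic redirect port)."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def build_auth_url(port, state):
    """URL the browser opens; `state` ties the later redirect to this session."""
    params = {"response_type": "code", "client_id": CLIENT_ID,
              "redirect_uri": f"http://localhost:{port}/",
              "scope": " ".join(SCOPES), "state": state}
    return AUTH_URL + "?" + urlencode(params)


def parse_redirect(request_line, expected_state):
    """Extract the authorization code from the request the local server receives.
    A redirect whose state does not match was not requested by us and is dropped."""
    method, target, _ = request_line.split(" ", 2)
    if method != "GET":
        raise ValueError("unexpected method")
    query = parse_qs(urlparse(target).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: discarding redirect")
    if "error" in query:
        raise ValueError("authorization refused: " + query["error"][0])
    return query["code"][0]


def token_request_body(code, port):
    """Form body of the POST to TOKEN_URL that exchanges the code for tokens."""
    return urlencode({"grant_type": "authorization_code", "code": code,
                      "redirect_uri": f"http://localhost:{port}/",
                      "client_id": CLIENT_ID, "client_secret": CLIENT_SECRET})


if __name__ == "__main__":
    port, state = pick_free_port(), "s3ssion-state"
    print(build_auth_url(port, state))
    # Constructed request line, as the local HTTP server would receive it.
    code = parse_redirect(f"GET /?state={state}&code=4%2FxyZ HTTP/1.1", state)
    print(token_request_body(code, port))
```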

How To articles about client-side OAuth questions
