While the previous module focused on securing the wireless transport layer, we now move to the application layer. OAuth 2.0 is not an authentication protocolβit is an authorization framework that allows a third-party application to obtain limited access to an HTTP service.
Understanding OAuth requires mapping the relationship between four distinct entities. If any of these roles are confused or improperly implemented, the entire trust chain collapses.
Crucial Distinction: OAuth is about 'What are you allowed to do?' (Authorization), while OpenID Connect (OIDC) is about 'Who are you?' (Authentication).
| Role | Technical Name | Real-World Example |
|---|---|---|
| The User | Resource Owner | You (the person with the Google account) |
| The App | Client | A third-party Calendar app |
| The Validator | Authorization Server | accounts.google.com |
| The Data Holder | Resource Server | www.googleapis.com/calendar/v3 |
The core logic follows a simple exchange: the Resource Owner grants permission to the Client, the Authorization Server issues a Token, and the Client presents that Token to the Resource Server to access data.
π‘ Access Tokens are like hotel key cards: they give you access to specific rooms for a limited time, regardless of how you checked in.
{
"access_token": "eyJhbGciOiJIUzI1NiI...",
"token_type": "Bearer",
"expires_in": 3600,
"refresh_token": "tG6789xyz",
"scope": "read:profile write:calendar"
}The JSON response above is what the Client receives. The 'scope' defines the specific permissions granted, preventing the app from having full administrative access to the account.
If an Access Token is leaked, any attacker who possesses it can impersonate the user until the token expires, as most Resource Servers only check the token's validity, not the requester's identity.
Never pass the Access Token in a URL query parameter; always use the Authorization header to avoid leakage in server logs.
Verify exercises to earn β 200 XP and unlock next lab level.