

Top OAuth 2 (2021) Interview Questions | JavaInUse

Top OAuth 2 frequently asked interview questions.

In this post we will look at OAuth 2 Interview questions. Examples are provided with explanations.


  1. What is OAuth 2?
  2. What are the advantages of OAuth 2?
  3. What is Grant Type in OAuth 2?
  4. What are the different types of OAuth 2 Grants?
  5. Explain OAuth 2 - The Authorization Code Grant.
  6. Explain OAuth 2 - The Client Credentials Grant.
  7. Explain OAuth 2 - The Password Credentials Grant.

Q: What is OAuth 2?

A : OAuth (Open Authorization) is a simple way to publish and interact with protected data.
It is an open standard for token-based authentication and authorization on the Internet. It allows an end user's account information to be used by third-party services, such as Facebook, without exposing the user's password.

Q: What are the advantages of OAuth 2?

A : Advantages of OAuth 2
  • OAuth 2 is a flexible protocol that relies on SSL/TLS to keep the data exchanged between the web server and browsers private. SSL/TLS uses industry-standard cryptographic protocols to keep data safe.
  • OAuth 2 uses tokenization to give limited access to the user's data. For example, instead of storing credit card information on Amazon's web site, the credit card number, security code and consumer name are each given "token" IDs. The tokens, not the actual data, are given to the merchant.
  • OAuth 2 is easy to implement and provides strong authentication. In addition to two-factor authentication, tokens can be revoked if necessary (i.e., on suspicious activity).
  • OAuth 2 supports single sign-on.

Q: What is Grant Type in OAuth 2?

A : In OAuth 2.0, the term "grant type" refers to the way an application gets an access token. OAuth 2.0 defines several grant types, including the authorization code flow. OAuth 2.0 extensions can also define new grant types.

Q: What are the different types of OAuth 2 Grants?

A : The OAuth specification describes five grants for acquiring an access token:
  • Authorization code grant
  • Implicit grant
  • Resource owner credentials grant
  • Client credentials grant
  • Refresh token grant

Q: Explain OAuth 2 - The Authorization Code Grant.

A : Consider the use case of Quora. Go to Quora.com.
If you are a new user you need to sign up. You can sign up using a Google or Facebook account. When doing so you are authorizing Google or Facebook to share your profile information with Quora. This authorization is done using OAuth. At no point have you shared your Google or Facebook credentials with Quora.

In the above example of Quora, we have the following actors:
  • Resource Owner - the user who wants to sign up to Quora.
  • Client Application - Quora.
  • Resource Server - Gmail or Facebook, which hosts the protected user accounts.
  • Authorization Server - verifies the identity of the user and then issues access tokens to the client application.
In this tutorial we will be implementing our own client application and resource server.
Using OAuth, the resource owner then authorizes the resource server to share data with the client application.
The client application must first register with the authorization server associated with the resource server. This is usually a one-time task. Once registered, the registration remains valid unless the client application's registration is revoked. At registration the client application is assigned a client ID and a client secret (password) by the authorization server. The client ID and secret are unique to the client application on that authorization server.
For example, if we click on Continue with Google, the consent screen that appears shows Quora's client id.
Quora got this client id and a secret key when it registered with Google.
The actual authorization process that takes place between Quora and Google using OAuth is shown in the sequence diagram below.
[Figure: OAuth authorization code flow between Quora (client), the browser and Google (authorization/resource server)]
Similar to the above flow, we will be developing our own client application and resource server. Using OAuth, the resource server will then share data with the client application. We will also assume that the client is already registered with the resource server and has been assigned a unique client id and secret key.
  • Spring Boot Client Application - We already have a unique client id 'javainuse' and secret key 'secret'. We need to import data from the resource server.
  • Resource Server - Using OAuth we configure the authorization server. It already has the unique client id and secret configured for recognizing our client application.
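To make the three steps concrete, here is an added example in Python (not code from the original post or from the Spring Boot tutorial it refers to) that models the authorization code grant in memory: building the authorization request, the redirect back to the client with a one-time code, and the client exchanging that code, authenticated by its client secret, for an access token. The client id 'javainuse' and secret 'secret' are taken from the text; the URLs, scope and user name are constructed placeholders.

```python
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Registered client (id/secret from the text above; the redirect URI is a placeholder).
CLIENTS = {"javainuse": {"secret": "secret",
                         "redirect_uri": "https://client.example/callback"}}
CODES = {}   # code -> (client_id, redirect_uri, user, expiry); each code is single use
TOKENS = {}  # access_token -> {"user": ..., "client_id": ...}


def query_params(url):
    """Flatten a URL's query string into a plain dict (first value wins)."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def build_authorization_url(auth_endpoint, client_id, redirect_uri, scope, state):
    """Step 1: the client redirects the browser to the authorization server."""
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": scope, "state": state}
    return auth_endpoint + "?" + urlencode(params)


def authorize(url, user):
    """Step 2: the resource owner approves; the server redirects the browser back
    to the client with a short-lived code and the client's state value."""
    q = query_params(url)
    client = CLIENTS.get(q.get("client_id"))
    # Only the registered redirect_uri is accepted, so the code is never
    # delivered to a URL the client did not register.
    if client is None or q.get("redirect_uri") != client["redirect_uri"]:
        raise ValueError("unknown client or redirect_uri mismatch")
    code = secrets.token_urlsafe(24)
    CODES[code] = (q["client_id"], q["redirect_uri"], user, time.time() + 60)
    return q["redirect_uri"] + "?" + urlencode({"code": code, "state": q["state"]})


def exchange_code(code, client_id, client_secret, redirect_uri):
    """Step 3: the client (server side, not the browser) trades the code for an
    access token, authenticating itself with its client secret."""
    client = CLIENTS.get(client_id)
    if client is None or not secrets.compare_digest(client["secret"], client_secret):
        raise PermissionError("invalid_client")
    entry = CODES.pop(code, None)  # pop: redeeming the same code twice fails
    if (entry is None or entry[0] != client_id or entry[1] != redirect_uri
            or entry[3] < time.time()):
        raise PermissionError("invalid_grant")
    token = secrets.token_urlsafe(32)
    TOKENS[token] = {"user": entry[2], "client_id": client_id}
    return {"access_token": token, "token_type": "Bearer", "expires_in": 3600}
```

The state value sent in step 1 comes back unchanged in step 2 so the client can tie the redirect to the request it started; the code itself is bound to the client, the redirect_uri and a short expiry, and is consumed on first use.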

Q: Explain OAuth 2 - The Client Credentials Grant.

A : The Client Credentials Grant is used for machine-to-machine authentication. OAuth usually involves the following actors:
  • Resource Owner(User) - An entity capable of granting access to a protected resource. When the resource owner is a person, it is referred to as an end-user.
  • Client Application - The machine that needs to be authenticated.
  • Authorization Server - The server issuing access tokens to the client after successfully authenticating the resource owner and obtaining authorization
  • Resource Server - The resource server is the OAuth 2.0 term for your API server. The resource server handles authenticated requests after the application has obtained an access token.
In the case of the client credentials grant type the user plays no role. As previously stated, it is machine-to-machine communication. It is typically used by clients to access resources about themselves rather than to access a user's resources.
This type of authentication does not involve any end-user. Unlike the Authorization Code Grant, where the end user had to authenticate with an authorization server such as Gmail, here the machine itself authenticates in order to access a protected resource.
For example, consider Trivago, a hotel aggregator portal, which will be our client application.
The Trivago server accesses several third-party APIs to show search results. Machine-to-machine authentication is done by the Trivago server to access those third-party APIs and fetch hotel data. Suppose it wants search data from makemytrip.com: the Trivago server authenticates itself by calling makemytrip's authorization server to get an access token, and then uses this token to call the makemytrip resource server for the search results.

Q: Explain OAuth 2 - The Password Credentials Grant.

A : The OAuth password grant usually involves the following actors:
  • Resource Owner(User) - An entity capable of granting access to a protected resource. When the resource owner is a person, it is referred to as an end-user.
  • Client Application - The machine that needs to be authenticated.
  • Authorization Server - The server issuing access tokens to the client after successfully authenticating the resource owner and obtaining authorization
  • Resource Server - The resource server is the OAuth 2.0 term for your API server. The resource server handles authenticated requests after the application has obtained an access token.
In the case of the password grant type the user triggers the client to fetch some resource and, while doing so, passes their username and password to the client. The client then sends the provided username and password, together with its own client id and client secret, to the authorization server to obtain an access token. Using this access token it then fetches the required resource from the resource server.
So the client application must make two calls to get the resource:
  • Call to the Authorization Server to get the token, with the following parameters:
    Parameter                  Value
    grant_type (required)      password
    client_id (required)       The client id
    client_secret (required)   The client secret key
    username (required)        The username of the user
    password (required)        The password of the user
  • After getting the token from the authorization server, the client application uses it to fetch the resource from the resource server.
A real-life example of the password grant is logging in to your Facebook account using its mobile application. Here the user has to enter their Facebook credentials in the app, and the app also has its own client id and client secret.
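The following Python example is added here (it is not the page's or the linked Spring Boot tutorials' code) and serves both the client credentials grant above and this password grant: one token endpoint that dispatches on grant_type, authenticates the client with its client_id/client_secret in both cases, checks the end-user's username/password only for the password grant, and a resource server that accepts the resulting bearer token for the second call. Client ids, secrets, the user record and the in-memory token store are constructed placeholders.

```python
import hmac
import secrets
import time

# Constructed placeholder registrations and credentials; real servers store
# client secrets and user passwords as salted hashes, not plain strings.
CLIENTS = {"trivago": {"secret": "s3cr3t", "grants": {"client_credentials"}},
           "mobile-app": {"secret": "app-secret", "grants": {"password"}}}
USERS = {"alice": "alice-pass"}
TOKENS = {}  # access_token -> {"sub": ..., "client_id": ..., "exp": ...}


def _client_ok(client_id, client_secret):
    """Both grants authenticate the client itself with client_id/client_secret."""
    c = CLIENTS.get(client_id)
    return c is not None and hmac.compare_digest(c["secret"], client_secret)


def token_endpoint(form):
    """Call 1: POST to the authorization server's token endpoint.
    `form` is the dict of form parameters; returns (status, json body)."""
    client_id, client_secret = form.get("client_id"), form.get("client_secret", "")
    if not _client_ok(client_id, client_secret):
        return 401, {"error": "invalid_client"}
    grant = form.get("grant_type")
    if grant not in CLIENTS[client_id]["grants"]:
        return 400, {"error": "unauthorized_client"}  # client not allowed this grant
    if grant == "client_credentials":
        subject = client_id  # the token represents the client itself, no end-user
    elif grant == "password":
        stored = USERS.get(form.get("username", ""))  # only this grant carries user creds
        if stored is None or not hmac.compare_digest(stored, form.get("password", "")):
            return 400, {"error": "invalid_grant"}
        subject = form["username"]  # the token acts on behalf of this user
    else:
        return 400, {"error": "unsupported_grant_type"}
    token = secrets.token_urlsafe(32)
    TOKENS[token] = {"sub": subject, "client_id": client_id, "exp": time.time() + 3600}
    return 200, {"access_token": token, "token_type": "Bearer", "expires_in": 3600}


def resource_server(headers):
    """Call 2: the resource server checks the Authorization: Bearer header first."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, {"error": "invalid_request"}
    info = TOKENS.get(auth[len("Bearer "):])
    if info is None or info["exp"] < time.time():
        return 401, {"error": "invalid_token"}
    return 200, {"resource": "data for " + info["sub"], "client": info["client_id"]}
```

Restricting each client to the grant types it was registered for matters because a token from the client credentials grant has no end-user behind it, so a client that is only meant to act for itself should not be able to obtain user-scoped tokens.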
