Top OAuth 2 frequently asked interview questions.
- What is OAuth 2?
- What are the advantages of OAuth 2?
- What is Grant Type in OAuth 2?
- What are the different types of OAuth 2 Grants?
- Explain OAuth 2 - The Authorization Code Grant.
- Explain OAuth 2 - The Client Credentials Grant.
- Explain OAuth 2 - The Password Credentials Grant.
Q: What is OAuth 2?
A : OAuth (Open Authorization) is a simple way to publish and interact with protected data. It is an open standard for token-based authentication and authorization on the Internet. It allows an end user's account information to be used by third-party services, such as Facebook, without exposing the user's password.
Q: What are the advantages of OAuth 2?
A : Advantages of OAuth 2:
- OAuth 2 is a flexible protocol that relies on SSL to ensure that data between the web server and browsers remains private. SSL uses industry-standard cryptographic protocols to keep data safe.
- OAuth 2 uses tokenization to give limited access to the user's data. For example, instead of storing credit card information on Amazon's web site, the credit card number, security code and consumer name are each given "token" IDs. The tokens are given to the merchant, not the actual data.
- OAuth 2 is easy to implement and provides strong authentication. In addition to two-factor authentication, tokens can be revoked if necessary (i.e., on suspicious activity).
- OAuth 2 uses single sign-on.
Q: What is Grant Type in OAuth 2?
A : In OAuth 2.0, the term "grant type" refers to the way an application gets an access token. OAuth 2.0 defines several grant types, including the authorization code flow. OAuth 2.0 extensions can also define new grant types.
Q: What are the different types of OAuth 2 Grants?
A : The OAuth specification describes five grants for acquiring an access token:
- Authorization code grant
- Implicit grant
- Resource owner credentials grant
- Client credentials grant
- Refresh token grant
Q: Explain OAuth 2 - The Authorization Code Grant.
A : Consider the use case of Quora. Go to Quora.com. If you are a new user you need to sign up. You can sign up using a Google or Facebook account. When doing so you are authorizing Google or Facebook to let Quora access your profile information. This authorization is done using OAuth. Here you have in no way shared your credentials with Quora.
In the above example of Quora, we have the following actors:
- Resource Owner - This is the user who wants to sign up to Quora.
- Client Application - This will be Quora.
- Resource Server - This will be Gmail or Facebook.
- Authorization Server - The resource server hosts the protected user accounts, and the authorization server verifies the identity of the user and then issues access tokens to the application.
The resource owner then uses OAuth to authorize the resource server to share data with the client application.
The client application must first register with the authorization server associated with the resource server. This is usually a one-time task. Once registered, the registration remains valid unless the client application registration is revoked. At registration the client application is assigned a client ID and a client secret (password) by the authorization server. The client ID and secret are unique to the client application on that authorization server.
For example, if we click on Continue with Google, we get the following screen, where we can see Quora's client ID.
Quora got this client ID and a secret key when it registered with Google.
The actual authorization process that takes place between Quora and Google using OAuth is as follows:
- Spring Boot Client Application - We already have a unique client ID ('javainuse') and secret key ('secret'). We need to import data from the Resource Server.
- Resource Server - Using OAuth we configure the authorization server. It already has the unique key configured for recognizing our client application.
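The two client-side steps of the Authorization Code Grant described above, as an added example that is not code from the original page or the javainuse project: step 1 builds the browser redirect to the authorization server, step 2 validates the callback and prepares the back-channel token request. The endpoint and redirect URLs are assumed; the client ID 'javainuse' is the page's sample value; the state check and PKCE (RFC 7636) are defensive additions the page does not describe.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHZ_ENDPOINT = "https://auth.example.com/authorize"    # assumed
TOKEN_ENDPOINT = "https://auth.example.com/token"        # assumed
REDIRECT_URI = "https://client.example.com/callback"     # assumed
CLIENT_ID = "javainuse"                                  # client ID used on this page

def start_authorization(scope="profile"):
    """Step 1: build the front-channel redirect to the authorization server.
    The returned session dict must be kept server-side until the callback arrives."""
    state = secrets.token_urlsafe(32)        # binds the callback to this request (CSRF guard)
    verifier = secrets.token_urlsafe(48)     # PKCE (RFC 7636): proves the same client finishes the flow
    challenge = base64.urlsafe_b64encode(hashlib.sha256(verifier.encode()).digest()).rstrip(b"=").decode()
    params = {"response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
              "scope": scope, "state": state,
              "code_challenge": challenge, "code_challenge_method": "S256"}
    return f"{AUTHZ_ENDPOINT}?{urlencode(params)}", {"state": state, "verifier": verifier}

def handle_callback(callback_url, session, client_secret):
    """Step 2: validate the redirect back from the authorization server and build
    the back-channel token request. Refuses a callback whose state does not match."""
    q = parse_qs(urlparse(callback_url).query)
    if q.get("state", [None])[0] != session["state"]:
        raise ValueError("state mismatch: callback is not bound to our request")
    if "error" in q:
        raise ValueError(f"authorization denied: {q['error'][0]}")
    return TOKEN_ENDPOINT, {          # POSTed as a form body; the secret never rides in the browser redirect
        "grant_type": "authorization_code",
        "code": q["code"][0],
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "client_secret": client_secret,
        "code_verifier": session["verifier"],
    }
```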
Q: Explain OAuth 2 - The Client Credentials Grant.
A : The Client Credentials Grant involves machine-to-machine authentication. OAuth usually consists of the following actors:
- Resource Owner (User) - An entity capable of granting access to a protected resource. When the resource owner is a person, it is referred to as an end-user.
- Client Application - The machine that needs to be authenticated.
- Authorization Server - The server issuing access tokens to the client after successfully authenticating the resource owner and obtaining authorization.
- Resource Server - The resource server is the OAuth 2.0 term for your API server. The resource server handles authenticated requests after the application has obtained an access token.
This type of authentication does not involve any end-user. Unlike the Authorization Code Grant, where the end user had to authenticate using an authorization server such as Gmail, here the machine itself authenticates to access a protected resource.
The Trivago server will access several third-party APIs to show search results. Machine-to-machine authentication is done by the Trivago server to access the third-party APIs that return the hotel data. Suppose it wants search data from makemytrip.com: the Trivago server authenticates itself by calling makemytrip's authorization server to get an access token, and then uses this token to access the makemytrip resource server to get the search result.
Client Credentials Grant Example
Q: Explain OAuth 2 - The Password Credentials Grant.
A : The OAuth password grant usually consists of the following actors:
- Resource Owner (User) - An entity capable of granting access to a protected resource. When the resource owner is a person, it is referred to as an end-user.
- Client Application - The machine that needs to be authenticated.
- Authorization Server - The server issuing access tokens to the client after successfully authenticating the resource owner and obtaining authorization.
- Resource Server - The resource server is the OAuth 2.0 term for your API server. The resource server handles authenticated requests after the application has obtained an access token.
The flow is as follows:
- Call the Authorization Server to get the token, with the following parameters:
Parameter                  Value
grant_type (required)      client_credentials
client_id (required)       The client id
client_secret (required)   The client secret key
username (required)        The username of the user
password (required)        The password of the user
- After getting the token from the authorization server, the client application then needs to use it to get the resource from the resource server.
Password Credentials Grant Example
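The token-endpoint call that the Client Credentials Grant and the Password Credentials Grant above share, as an added example that is not code from the original page or the javainuse project: the client builds the request, a toy authorization server checks the client's credentials (and, for the password grant, the user's) before issuing a bearer token, and the resource server checks that token. The client ID 'javainuse' and secret 'secret' are the page's sample values; the user, the tokens and the in-memory stores are constructed for the example.

```python
import base64
import hmac
import secrets
import time

def build_token_request(grant_type, client_id, client_secret, username=None, password=None):
    """Client side: headers and form body for the POST to the token endpoint.
    The client id and secret go in an HTTP Basic header (RFC 6749 s2.3.1), not the body."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": f"Basic {basic}", "Content-Type": "application/x-www-form-urlencoded"}
    body = {"grant_type": grant_type}
    if grant_type == "password":                 # RFC 6749 s4.3.2: resource owner's credentials in the body
        body.update(username=username, password=password)
    elif grant_type != "client_credentials":     # RFC 6749 s4.4.2: grant_type alone suffices
        raise ValueError(f"unsupported grant_type {grant_type!r}")
    return headers, body

class TokenEndpoint:
    def __init__(self, clients, users, ttl=3600):
        self.clients, self.users, self.ttl = clients, users, ttl   # registered clients and users (constructed)
        self.tokens = {}                         # token -> (client_id, subject, expiry); opaque bearer tokens

    def handle(self, headers, body):
        """Authorization server: authenticate the client, then (password grant) the user, then issue a token."""
        scheme, _, cred = headers.get("Authorization", "").partition(" ")
        cid, _, sec = base64.b64decode(cred).decode().partition(":") if scheme == "Basic" else ("", "", "")
        expected = self.clients.get(cid)
        if expected is None or not hmac.compare_digest(expected, sec):   # constant-time secret comparison
            return {"error": "invalid_client"}
        if body.get("grant_type") == "client_credentials":
            subject = cid                        # machine to machine: no end user, the client is the subject
        elif body.get("grant_type") == "password":
            pw = self.users.get(body.get("username", ""))
            if pw is None or not hmac.compare_digest(pw, body.get("password", "")):
                return {"error": "invalid_grant"}
            subject = body["username"]
        else:
            return {"error": "unsupported_grant_type"}
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (cid, subject, time.time() + self.ttl)
        return {"access_token": token, "token_type": "Bearer", "expires_in": self.ttl}

    def introspect(self, bearer_header, now=None):
        """Resource server: accept only an unexpired token this authorization server issued."""
        scheme, _, token = bearer_header.partition(" ")
        entry = self.tokens.get(token) if scheme == "Bearer" else None
        if entry is None or entry[2] <= (now or time.time()):
            return None
        return {"client_id": entry[0], "sub": entry[1]}
```

In the page's Trivago example, `handle` plays makemytrip's authorization server and `introspect` its resource server checking the `Authorization: Bearer` header on each API call.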