[CS] OAuth 2.0 Day-85

cptkuk91 · March 21, 2022
CS

목록 보기
133/139

Social login is implemented on top of OAuth 2.0.

Unlike a server that handles authentication directly, OAuth 2.0 delegates it: it is a protocol that simplifies the process of authorizing a client to access the information it has been permitted to see.

A web service (GitHub, Google, Facebook) authenticates the user on my behalf and issues a token that carries the granted access rights; my server then authenticates the user based on that token.


  • Resource Owner : the user whose resources are being accessed.

  • Client : the application that accesses the resources.

  • Resource server : the server that accepts and responds to the client's requests for resources.

  • Authorization server : the server that issues the Access Token used at the Resource Server.

  • Authorization grant : the credential the client presents to obtain an Access Token; it represents the permissions the owner granted.

  • Authorization code : the code the client must obtain before the Access Token is issued.

  • Access token : the credential used to access resources.

  • Scope : defines the permissions a token carries.


Grant Type?

The grant type is the way the Client obtains an Access Token.

  • Authorization Code Grant Type

  • Refresh Token Grant Type

Authorization Code Grant Type

This is the most common method.

The extra authorization code step improves security.

To be issued an Access Token, the Client first receives only an Authorization Code (through the redirect) and then exchanges that code for the Access Token at the Authorization Server.

Refresh Token Grant Type

From the user's point of view, logging in again every time an Access Token expires is cumbersome. The Refresh Token Grant Type therefore lets the user stay logged in without the Access Token having to be reissued through the full login flow each time.


Why use OAuth?

From the user's point of view, it is cumbersome to register a new account for every service. With social login there is no need to remember a separate ID and password for each one.


Social login logic

  1. Request Authorization Code (Client to OAuth provider)
  2. Grant Authorization Code through the Redirect URI (OAuth provider to Client)
  3. Pass Authorization Code (Client to Server)
  4. Request Access Token with the Authorization Code (Server to OAuth provider)
  5. Grant Access Token (OAuth provider to Server)
  6. Pass Access Token (Server to Client)
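The six steps above, together with the Authorization Code and Refresh Token grant types described earlier, as one runnable walkthrough. This is an added example written for this post, not code from the original post or from any OAuth provider; the in-memory `AuthorizationServer`, the client id `myapp`, the secret `s3cret` and the callback URL are constructed placeholders. It shows the security-relevant checks a real authorization server performs: the redirect URI must match the registered one, a code is single-use and short-lived, the client secret is verified at the token endpoint (never in the browser), `state` ties the callback to the user's session, and a refresh token is rotated on every use.

```python
import secrets
import time
from dataclasses import dataclass
from urllib.parse import urlencode, urlparse, parse_qs


@dataclass
class CodeRecord:
    """One issued authorization code (constructed for this example)."""
    client_id: str
    redirect_uri: str
    scope: str
    user: str
    expires_at: float
    used: bool = False


class AuthorizationServer:
    """Toy in-memory authorization + resource server; not a real OAuth implementation."""

    CODE_TTL = 60       # codes are short-lived and single-use
    ACCESS_TTL = 3600   # access tokens expire; the refresh grant renews them

    def __init__(self):
        self.clients = {}         # client_id -> (client_secret, registered redirect_uri)
        self.codes = {}           # code -> CodeRecord
        self.access_tokens = {}   # access token -> (client_id, user, scope, expires_at)
        self.refresh_tokens = {}  # refresh token -> (client_id, user, scope)

    def register_client(self, client_id, client_secret, redirect_uri):
        self.clients[client_id] = (client_secret, redirect_uri)

    def authorize(self, client_id, redirect_uri, scope, state, user):
        """Steps 1-2: the user has logged in here; send a code back through the redirect URI."""
        _, registered_uri = self.clients[client_id]
        if redirect_uri != registered_uri:   # never deliver a code to an unregistered URI
            raise ValueError("redirect_uri does not match registration")
        code = secrets.token_urlsafe(32)
        self.codes[code] = CodeRecord(client_id, redirect_uri, scope, user, time.time() + self.CODE_TTL)
        return redirect_uri + "?" + urlencode({"code": code, "state": state})

    def token(self, grant_type, client_id, client_secret, **params):
        """Steps 4-5, and the refresh grant: the server (not the browser) authenticates with its secret."""
        secret, _ = self.clients[client_id]
        if not secrets.compare_digest(client_secret, secret):
            raise PermissionError("invalid_client")
        if grant_type == "authorization_code":
            rec = self.codes.get(params["code"])
            if (rec is None or rec.used or rec.client_id != client_id
                    or rec.redirect_uri != params["redirect_uri"] or time.time() > rec.expires_at):
                raise PermissionError("invalid_grant")
            rec.used = True                      # a code can be exchanged exactly once
            return self._issue(client_id, rec.user, rec.scope)
        if grant_type == "refresh_token":
            rec = self.refresh_tokens.pop(params["refresh_token"], None)   # rotate: old one dies
            if rec is None or rec[0] != client_id:
                raise PermissionError("invalid_grant")
            return self._issue(client_id, rec[1], rec[2])
        raise ValueError("unsupported_grant_type")

    def _issue(self, client_id, user, scope):
        access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.access_tokens[access] = (client_id, user, scope, time.time() + self.ACCESS_TTL)
        self.refresh_tokens[refresh] = (client_id, user, scope)
        return {"access_token": access, "refresh_token": refresh, "token_type": "Bearer",
                "expires_in": self.ACCESS_TTL, "scope": scope}

    def userinfo(self, access_token):
        """Resource server: accept a valid, unexpired access token and return the owner's profile."""
        rec = self.access_tokens.get(access_token)
        if rec is None or time.time() > rec[3]:
            raise PermissionError("invalid_token")
        return {"user": rec[1], "scope": rec[2]}


def social_login(auth, client_id, client_secret, redirect_uri, user):
    """Steps 1-6 as seen from 'my server': the code crosses the browser, the secret never does."""
    state = secrets.token_urlsafe(16)   # stored in the user's session; the callback must echo it
    callback = auth.authorize(client_id, redirect_uri, "profile", state, user)
    q = parse_qs(urlparse(callback).query)
    if q["state"][0] != state:          # a callback that was not started by this session is rejected
        raise PermissionError("state mismatch")
    return auth.token("authorization_code", client_id, client_secret,
                      code=q["code"][0], redirect_uri=redirect_uri)


def demo():
    """Run the flow plus the failure cases and return what happened (used by the checks below)."""
    auth = AuthorizationServer()
    auth.register_client("myapp", "s3cret", "https://myapp.example/callback")   # constructed values
    tokens = social_login(auth, "myapp", "s3cret", "https://myapp.example/callback", "alice")
    profile = auth.userinfo(tokens["access_token"])
    renewed = auth.token("refresh_token", "myapp", "s3cret", refresh_token=tokens["refresh_token"])
    outcomes = {"profile": profile, "renewed_user": auth.userinfo(renewed["access_token"])["user"]}
    for name, call in {
        "refresh_reuse": lambda: auth.token("refresh_token", "myapp", "s3cret",
                                            refresh_token=tokens["refresh_token"]),
        "bad_redirect": lambda: auth.authorize("myapp", "https://evil.example/cb", "profile", "s", "alice"),
        "bad_secret": lambda: auth.token("refresh_token", "myapp", "wrong",
                                         refresh_token=renewed["refresh_token"]),
    }.items():
        try:
            call()
            outcomes[name] = "accepted"
        except (PermissionError, ValueError):
            outcomes[name] = "rejected"
    return outcomes


if __name__ == "__main__":
    print(demo())
```

Running the block prints the profile returned for the access token, the user recovered through the refresh grant, and `rejected` for each of the three failure cases (reused refresh token, unregistered redirect URI, wrong client secret).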
