OAuth Explained
a year ago
- #Security
- #OAuth
- #Authorization
- OAuth is designed to solve authorization problems, not authentication.
- OAuth allows LinkedIn to import Google contacts without needing the user's Google password.
- The process involves redirecting the user to Google's OAuth consent page, where they approve access.
- Google provides a one-time code to LinkedIn, which is exchanged for an access token.
- LinkedIn uses the access token to fetch the user's contacts via Google's API.
- The client_id and client_secret identify LinkedIn as the registered client and authenticate it to Google when the code is exchanged for a token.
- OAuth 2.0 relies on HTTPS for security and uses bearer tokens instead of signed requests.
- The state parameter is critical for preventing CSRF attacks.
- A Node.js example demonstrates handling OAuth 2.0 login with Google and storing user data in SQLite.