Question: Explain OAuth to me like I’m 5
Rachel Tomi
OAuth can be viewed as a special card like your country’s national identity card. This card was granted to you by a central authority (your country) that knows you well and can confirm who you are. It lets you use different services within the country without handing your personal details to every private company that needs to know who you are before letting you in.
Now, this card has some rules written on it. The rules say that a company may only hold your card for a while, and that it can’t wander around gathering more information about you with it than you agreed to.
In the same way, OAuth (OAuth 2.0 today) is an authorization framework that lets a user grant an application limited access to resources they control (profile data, files, an API acting on their behalf) without sharing their actual username and password. Strictly speaking OAuth decides what an app may access, not who the user is; the familiar “Sign in with Google” button layers a thin identity protocol, OpenID Connect, on top of it. The user’s password is only ever typed into the provider’s own login page, and the app receives a token limited to exactly what the user approved, so it cannot reach things it shouldn’t.
Here's how it works technically:
1. When a user clicks Sign In (e.g., “Sign in with Google”), the website (i.e. the client application) starts the OAuth flow by redirecting the user’s browser to the OAuth provider, i.e. Google (also known as the authorization server). That redirect carries the client’s ID, the redirect URL it expects to be sent back to, the scopes (permissions) it is asking for, and a random state value the client stores so it can later recognise the response as its own.
2. The provider authenticates the user on its own login page (so the client never sees the password) and then shows an authorization prompt asking whether the user wants to grant your client application access to the requested parts of their account.
3. Once the user has signed in and given consent, the provider issues an authorization grant to the client application. This grant is proof that the user authorized the client to access their resources. In this sign-in flow the grant is an authorization code: a short-lived, single-use value. OAuth defines other grant types too, such as client credentials, which a service uses when it acts for itself with no user involved.
4. The provider sends the user’s browser back to the redirect URL you (the developer) registered in the OAuth app settings, with the code and the state in the query string. The client checks that the state matches the one it stored (otherwise it discards the response), then exchanges the code for an access token by sending it to the provider’s token endpoint along with its client credentials (client ID and client secret) to prove its identity. Browser and mobile apps cannot keep a secret, so they use PKCE instead: a random verifier sent with the token request, whose hash was sent in the original authorization request.
5. The OAuth provider verifies the authorization code and the client credentials (or the PKCE verifier). If they are valid, it issues an access token to the client application. The access token is the string with an expiration time that we (frontend developers) attach to our API requests to get the information we need; depending on the provider it is either a random opaque value or a signed JWT. It is a bearer credential, so whoever holds it can use it: it acts as a “key” to the user’s account for a limited time and with only the permissions (scopes) the user approved.
6. The client application includes this access token in every API request to the resource server, normally in the Authorization: Bearer header. The resource server hosts the protected resources, such as user data or APIs. In many cases the backend server of your own application acts as the resource server.
7. The resource server receives the API request with the access token and validates it, either locally (checking a JWT’s signature, expiry and audience) or by asking the OAuth provider through its token introspection endpoint. It also checks that the token’s scopes cover the operation being requested.
8. If the access token is valid, the resource server processes the request and returns the information the client application needs; otherwise it answers with 401 (missing, invalid or expired token) or 403 (valid token, insufficient scope).
N.B.: The client application can keep making requests with this access token until it expires. When it expires, the client can obtain a new access token using a refresh token, if the provider issued one, without sending the user back through the login prompt. Refresh tokens are long-lived and deserve careful storage, since anyone who steals one can mint fresh access tokens.
And that’s it.
If you find this useful, kindly share it so that someone else can benefit.