OAuth 2.0 - What Is An Authorization? Part 1 - Blog CSHARK

16/04/19

OAuth 2.0 - What Is An Authorization? Part 1


Have you ever thought you had lost your house keys? What went through your mind? When I can't find the keys to my apartment, I sometimes picture a thief standing at my door holding the key I lost. He puts the key into the lock and opens the door. He walks into my home and takes my snowboard and my toothbrush.

How is this story related to authorization?

The snowboard and the toothbrush are the resources in authorization. The key is something special which allows us to access the resources. The lock in the door is the authorization mechanism: an algorithm which checks whether our key fits the lock and, if it does, lets us get to the resources. Sounds easy, huh? Look at our story again: the lock doesn't check who is trying to open the door. Authorization only checks whether the key is valid; it knows nothing about who is using the key.

Authorization:

  • Checks whether the user has access to the resources
  • Is an algorithm or a process
  • Doesn't know who wants access to the resources
  • Is not authentication

So what is authentication, and how does it fit into our example with the door? When the thief puts the key into the lock, the lock checks whether the key is correct and, if it is, it can also recognize who the owner of that key is. The lock will recognize that the key the thief put into it belongs to me - Tomasz. What the lock won't know is that this time the key is in someone else's hands.

Even in cartoons we can see examples of authorization. The first 16 seconds of this clip show how important proper authorization is:

What can this cartoon teach us about authorization?

Johnny Bravo tries to enter a super secret club: the Lodge Brothers. The club is the resource in authorization. 'The sum of the whole is equal to the square of its parts' or 'I like pie' is the key which allows us to enter the club. The authorization algorithm is the guy who opens the small window, listens to the password, confirms whether it is correct and, if it is, opens the door to the club.

So let's try to create the simplest authorization we can think of. First of all, let's create a brand new solution in Visual Studio, using the ASP.NET Core Web Application template.

The best way to see how authorization can be used is to call a REST API.

In our controller we have a GET method with an id argument.

using Microsoft.AspNetCore.Mvc;

namespace Lecture.Controllers
{
    [Route("api/[controller]")]
    [ApiController]
    public class ValuesController : ControllerBase
    {
        // GET api/values/5
        [HttpGet("{id}")]
        public ActionResult<string> Get(int id)
        {
            return "value ";
        }
    }
}

Let's change it a little so that the result includes the id.

using Microsoft.AspNetCore.Mvc;
 
namespace Lecture.Controllers
{
    [Route("api/[controller]")]
    [ApiController]
    public class ValuesController : ControllerBase
    {
        // GET api/values/5
        [HttpGet("{id}")]
        public ActionResult<string> Get(int id)
        {
            return "value " + id;
        }
    }
}

To get the resource, we call the REST API from Postman: http://localhost:64313/api/values/5

At the moment everyone can call our API and get the resource. Do you have an idea what the easiest way to close that API to everyone would be? How can we introduce any kind of authorization with little effort?

The easiest way I can think of to add authorization is an extra parameter.

using Microsoft.AspNetCore.Mvc;
 
namespace Lecture.Controllers
{
    [Route("api/[controller]")]
    [ApiController]
    public class ValuesController : ControllerBase
    {
        // GET api/values/5
        [HttpGet("{id}")]
        public ActionResult<string> Get(int id, string pass)
        {
            if (pass == "secret")
                return "value " + id;
            return Unauthorized();
        }
    }
}

Let's call the API: http://localhost:64313/api/values/5?pass=secret123

We get 401 Unauthorized because the password is incorrect.

Now let's use the correct password: http://localhost:64313/api/values/5?pass=secret
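Here is the same controller with the key check tightened the way a reviewer would ask for: the key is read from configuration instead of being a literal, it travels in a request header instead of the query string, and it is compared in constant time. This is an added example, not code from the original post; the header name X-Api-Key and the configuration key ApiKey are my own choices.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Configuration;

namespace Lecture.Controllers
{
    [Route("api/[controller]")]
    [ApiController]
    public class ValuesController : ControllerBase
    {
        private readonly byte[] _expectedKey;

        // The key comes from configuration ("ApiKey" in appsettings.json, user
        // secrets or an environment variable) instead of a literal in the code.
        public ValuesController(IConfiguration configuration)
        {
            string key = configuration["ApiKey"]
                ?? throw new InvalidOperationException("ApiKey is not configured");
            _expectedKey = Encoding.UTF8.GetBytes(key);
        }

        // GET api/values/5  with the header  X-Api-Key: <key>
        // A header is not written to browser history or to access logs that
        // record the query string, unlike ?pass=... in the original example.
        [HttpGet("{id}")]
        public ActionResult<string> Get(int id, [FromHeader(Name = "X-Api-Key")] string? apiKey)
        {
            if (!KeyMatches(apiKey))
                return Unauthorized();   // 401, as in the original example
            return "value " + id;
        }

        // Constant-time comparison: a plain == on strings stops at the first
        // differing character, so its duration depends on where the mismatch is.
        private bool KeyMatches(string? presented)
        {
            if (string.IsNullOrEmpty(presented))
                return false;            // header missing or empty
            byte[] presentedBytes = Encoding.UTF8.GetBytes(presented);
            // FixedTimeEquals returns false when the lengths differ.
            return CryptographicOperations.FixedTimeEquals(presentedBytes, _expectedKey);
        }
    }
}
```

With Postman, put the key in the X-Api-Key header instead of the URL; a wrong or missing header still gives 401 Unauthorized.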

If somebody tells you that nobody passes the key as a parameter, don't believe them. Here is a service which grants access to a resource based on a key passed as a parameter: http://bibliaapi.com/docs/

If you supply the wrong key, you won't get any resource.

I think authorization is important nowadays. It is quite a challenge to make sure that different applications secure sensitive data properly.

The topic of authorization will be continued in the next part.