April 16th, 2019 | by Tomasz Jarzyński

OAuth 2.0: What is an Authorization?


    Have you ever thought you had lost the keys to your home? What went through your mind? Sometimes, when I don't have the keys to my apartment, I picture a thief standing at the door to my flat holding the key I lost. He puts the key into the lock and opens the door. He walks into my home and takes my snowboard and my toothbrush. How is this related to authorization?

    How is this story related to authorization?

    In this story the snowboard and the toothbrush are the resources. The key is the credential that grants access to them. The lock in the door is the authorization mechanism: an algorithm that checks whether the key fits the lock and, if it does, lets the holder get to the resources. Sounds easy, huh? Look closely at the story, though: the lock never checks who is trying to open the door. It only checks that the key is valid; it knows nothing about who is using it. Whoever holds the key gets in, which is exactly how a bearer token works in an API.

    Authorization:

    • Checks whether the presented key grants access to the resource
    • Is an algorithm or a process
    • Doesn't know who is asking for the resource, only which key they present
    • Is not authentication

    So what is authentication, and how does it fit into our door example? When the thief puts the key into the lock, the lock checks whether the key is correct and, if it is, it can also tell whose key it is: it recognizes that the key belongs to me, Tomasz. What the lock cannot tell is that the key is now in someone else's hand. Authentication establishes the identity bound to the credential, not the identity of whoever is presenting it.

    Even cartoons give us examples of authorization. In the first 16 seconds of the clip referenced here you can see how important proper authorization is:

    How can this cartoon teach us about authorization?

    Johnny Bravo tries to enter a super-secret club, the Lodge Brother. The club is the resource in our authorization picture. The password, 'The sum of the whole is equal to the square of its parts' or 'I like pie', is the key that lets you into the club. The authorization algorithm is the guy who opens the small window, listens to the password, confirms that it is correct and, if it is, opens the door to the club. Notice that he, too, checks only the password: anyone who has overheard it gets in.

    So let's try to build the simplest authorization we can think of. First, create a brand new solution in Visual Studio using the ASP.NET Core Web Application template.


    The easiest way to see authorization in use is to call a REST API.


    In the generated controller we have a GET method with an id argument.

    using Microsoft.AspNetCore.Mvc;

    namespace Lecture.Controllers
    {
        [Route("api/[controller]")]
        [ApiController]
        public class ValuesController : ControllerBase
        {
            // GET api/values/5
            // Template code: returns a fixed string and ignores the id.
            [HttpGet("{id}")]
            public ActionResult<string> Get(int id)
            {
                return "value";
            }
        }
    }

    Let's change it slightly so that the result includes the id.

    using Microsoft.AspNetCore.Mvc;

    namespace Lecture.Controllers
    {
        [Route("api/[controller]")]
        [ApiController]
        public class ValuesController : ControllerBase
        {
            // GET api/values/5
            // No check of any kind yet: anyone who can reach the URL gets the value.
            [HttpGet("{id}")]
            public ActionResult<string> Get(int id)
            {
                return "value " + id;
            }
        }
    }

    To fetch the resource we call the REST API from Postman: https://localhost:64313/api/values/5


    At the moment anyone can call our API and get the resource. Can you think of the easiest way to close the API to callers who should not have it? How can we introduce some kind of authorization with as little effort as possible?

    The simplest authorization I can come up with is an extra parameter: a password passed in the query string and compared against a value hard-coded in the controller.

    using Microsoft.AspNetCore.Mvc;

    namespace Lecture.Controllers
    {
        [Route("api/[controller]")]
        [ApiController]
        public class ValuesController : ControllerBase
        {
            // GET api/values/5?pass=secret
            [HttpGet("{id}")]
            public ActionResult<string> Get(int id, string pass)
            {
                // This is the "lock": the key is checked, the caller is not.
                // A hard-coded secret in the query string is the simplest possible check,
                // not a recommendation: the URL, secret included, lands in access logs,
                // proxy logs and browser history.
                if (pass == "secret")
                    return "value " + id;

                return Unauthorized();   // 401 for a missing or wrong password
            }
        }
    }

    Let's call the API with a wrong password: https://localhost:64313/api/values/5?pass=secret123


    We get 401 Unauthorized because the password is incorrect.

    Now with the correct password: https://localhost:64313/api/values/5?pass=secret


    If somebody tells you that nobody passes the key as a query parameter, don't believe them. The Biblia.com API, for instance, grants access to a resource based on a key sent as a query parameter, as the “Biblia.com API Documentation” shows. It works, but a key in the URL ends up in access logs, proxy logs and browser history, and anyone who obtains it can use it just like the owner; the lock still does not know who is holding the key.


    If you send the wrong key, you won't get the resource:

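    As an added example (not code from the original post), here is the controller from above reworked so that the three pieces of the key-and-lock story are separated in code: first the presented key is checked for validity, then it is mapped to the owner it was issued to (authentication), and only then is that owner's permission for the requested id checked (authorization). The key travels in an X-Api-Key header instead of the query string, and keys are compared in constant time. The header name, the two sample keys, the owner names and the permission table are all constructed for this example; FixedTimeEquals requires .NET Core 2.1 or later.

```csharp
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;

namespace Lecture.Controllers
{
    [Route("api/[controller]")]
    [ApiController]
    public class ValuesController : ControllerBase
    {
        // Constructed sample key store (key -> owner), for this example only.
        // A real service keeps a hash of each key in a database, not the keys in code.
        private static readonly Dictionary<string, string> KeyOwners = new Dictionary<string, string>
        {
            ["k1-0f6c8a2d"] = "tomasz",
            ["k2-7b19e4d3"] = "guest"
        };

        // Constructed sample permissions (owner -> ids the owner may read).
        private static readonly Dictionary<string, HashSet<int>> Permissions = new Dictionary<string, HashSet<int>>
        {
            ["tomasz"] = new HashSet<int> { 1, 2, 3, 4, 5 },
            ["guest"] = new HashSet<int> { 1 }
        };

        // GET api/values/5 with the request header "X-Api-Key: <key>"
        [HttpGet("{id}")]
        public ActionResult<string> Get(int id, [FromHeader(Name = "X-Api-Key")] string apiKey)
        {
            // The key is read from a header rather than the query string, so it does not
            // end up in server access logs, proxy logs, browser history or Referer headers.
            if (string.IsNullOrEmpty(apiKey))
                return Unauthorized();                              // 401: no key presented

            // Authentication: whose key is this? Like the lock in the door, we learn
            // which owner the key was issued to, not who is holding it right now.
            string owner = FindOwner(apiKey);
            if (owner == null)
                return Unauthorized();                              // 401: the key is not valid

            // Authorization: may that owner read this particular resource?
            if (!Permissions.TryGetValue(owner, out HashSet<int> allowed) || !allowed.Contains(id))
                return StatusCode(StatusCodes.Status403Forbidden);  // 403: valid key, no permission

            return "value " + id;
        }

        // Looks the presented key up in the store using a constant-time comparison, so the
        // response time does not reveal how many leading bytes of a guessed key were correct.
        private static string FindOwner(string presented)
        {
            byte[] presentedBytes = Encoding.UTF8.GetBytes(presented);
            foreach (KeyValuePair<string, string> entry in KeyOwners)
            {
                byte[] knownBytes = Encoding.UTF8.GetBytes(entry.Key);
                // Returns false for differing lengths without throwing.
                if (CryptographicOperations.FixedTimeEquals(knownBytes, presentedBytes))
                    return entry.Value;
            }
            return null;
        }
    }
}
```

    With the header X-Api-Key: k1-0f6c8a2d a call to /api/values/5 returns 200 and "value 5"; with k2-7b19e4d3 the same call returns 403 because the guest may only read id 1; with no header or an unknown key the result is 401, as in the query-string version. StatusCode(403) is used instead of Forbid() because this project has no authentication scheme configured, and Forbid() would throw at runtime rather than return 403. The lock's limitation from the story still applies: whoever presents k1-0f6c8a2d is "tomasz" as far as the API is concerned.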

    I think authorization is important nowadays. It is quite a challenge to make sure that different applications secure sensitive data properly.

    Tomasz Jarzyński

    Former Software Developer at CSHARK. Using Microsoft stack since 2013. Software development is my passion, therefore I never work ;)