
OAuth 2.0 

In today's interconnected digital ecosystem, security and user privacy are paramount. One of the most widely used methods to grant third-party applications access to users’ data without exposing sensitive credentials is OAuth 2.0. Whether it’s a mobile app, web service, or an enterprise platform, OAuth 2.0 serves as a secure mechanism to allow users to authorize third-party apps to access their data, typically without revealing their usernames and passwords.

OAuth 2.0 is an authorization framework that enables a third-party application to access resources (such as data or services) on behalf of a user. It works by using access tokens issued by an Authorization Server. These tokens are used to authenticate API requests, allowing third-party apps to perform actions on behalf of the user, while minimizing security risks associated with handling user credentials.

Unlike traditional authentication models where the client has access to the user’s username and password, OAuth 2.0 ensures that users never have to directly share their credentials with third-party services. Instead, they authenticate via an authorization server, which then issues access tokens with specific scopes (permissions).

OAuth 2.0 is an industry-standard protocol that allows you to grant a third-party website or application (i.e., a client) delegated access to Zoho's protected resources via Zoho APIs. It is a way to authenticate and authorize API requests.

Components of OAuth 2.0

OAuth 2.0 consists of several key components that interact to facilitate secure authorization:

  1. Resource Owner:
    The user who owns the data or resources the third-party app wants to access.

  2. Client:
    The third-party application requesting access to the resource owner’s data (e.g., a mobile app or web app).

  3. Authorization Server:
    The server responsible for authenticating the user and issuing access tokens to the client app.

  4. Resource Server:
    The server hosting the user’s data (e.g., Google, Facebook, or Dropbox).

  5. Access Token:
    A temporary token that grants access to the resource server, used by the client to make authorized API requests.

  6. Refresh Token:
    A long-lived token used to obtain new access tokens after the original access token expires, without needing the user to re-authenticate.

Key Features of OAuth 2.0

  1. Token-Based Authentication:
    With Zoho OAuth 2.0, once user approval is granted, an access token is issued to the third-party application. This token removes the need to share login credentials, thereby minimizing the risks associated with password leaks.

  2. Scoped Access:
    OAuth 2.0 offers granular permission grants through the concept of scopes. This means that users can control what level of access a third-party app receives, ensuring that only the necessary data is shared.

  3. User Autonomy:
    One of the significant benefits of OAuth 2.0 is that users retain control over their data. They can revoke access tokens at any time, which prevents further access after the token has been issued.

  4. Interoperability:
    Zoho’s implementation of OAuth 2.0 complies with industry standards, enabling seamless integration with various third-party applications and services. This flexibility allows businesses to choose the tools that best meet their needs without security concerns.

  5. Improved User Experience:
    OAuth 2.0 enables Single Sign-On (SSO) capabilities, which simplifies the user experience. Users can log into multiple applications using a single set of credentials, reducing the burden of remembering different passwords.

Configuring OAuth 2.0 in Zoho API console:

  1. Register your app and get OAuth credentials

The first step in using OAuth authentication is registering your app with the Zoho API console. Once you register your client, you will get a Client ID and Client Secret for your application. This Client ID and Client Secret are used to authorize your app's OAuth requests.

  2. Obtain an access token

An access token is an OAuth token used to access Zoho's protected resources. The way in which the access token can be generated depends on the type of app. For example, server-based apps can use the authorization code flow to generate an access token, while client-based apps can use the implicit flow to generate an access token. However, in every method, an access token is provided only after the user grants permission through consent. Also, access tokens are always granted for the specific scopes mentioned in the request, and those scopes are displayed to the user while asking for permission.

To learn about the workflows for different types of clients, refer to the below pages:

    ∙ Server-based apps

    ∙ Client-based apps

    ∙ Mobile & desktop apps

    ∙ Non-browser apps (i.e., apps for limited input devices)

    ∙ Self client

  3. Access the resource using the access token

After your app has the access token, it can access Zoho's protected resources. On presenting the access token to the resource server, your app is granted access as per the scopes defined in the request. Zoho's OAuth implementation uses the Bearer authentication scheme, so while making API calls, the access token has to be passed in the Authorization header with the prefix Zoho-oauthtoken.

  4. Refresh the access token when it expires

Access tokens have limited validity: their lifetime is only 1 hour, after which they expire and can no longer be used to access the resources. However, if the app needs to access the resource for more than 1 hour, a refresh token can be retrieved and stored. This refresh token allows the app to generate a new access token whenever required.

  5. Revoke unwanted tokens

If a refresh token is no longer required or appears to be compromised, it can be revoked and made invalid. It is revoked by making an API request; after successful revocation, it can no longer be used to generate access tokens, and the existing access tokens generated using this refresh token also become invalid.


Revoke OAuth tokens

OAuth tokens can be revoked in two ways:

Users themselves can remove the tokens for the apps they've granted permission to. To revoke:

  1. Sign in at accounts.zoho.com.

  2. Click Sessions in the left menu, then scroll down to Connected Apps.

  3. To revoke the token for an app, hover over the app and click Revoke Access.

  4. Click Yes, Proceed.

Programmatically, OAuth tokens can be revoked by making a POST request to the endpoint oauth/v2/token/revoke. Both access tokens and refresh tokens can be revoked. If an access token that was generated using a refresh token is revoked, the corresponding refresh token is also revoked.


OAuth token limits

When a client generates OAuth tokens (i.e., access tokens and refresh tokens), limits apply to how many tokens can be stored and how many requests can be sent at a time.

These limits are applied for the following reasons:

    ∙ To make it easier for clients to store and maintain the OAuth tokens.

    ∙ To make sure that a malicious client doesn't take up the resources which would otherwise be used for genuine clients.

    ∙ To avoid overloading our app servers with multiple unnecessary requests.

The limits differ for access token, refresh token, and authorization code.

Limit for refresh token

At a time, a maximum of 20 active refresh tokens can be stored by a client per user (i.e., 20 refresh tokens for each user). After the count reaches 20 for a user, when the client requests an additional token, a new token is provided and the oldest token is invalidated, ensuring that only 20 tokens remain at a time.

Limit for authorization code

Within 10 minutes, a client can generate a maximum of 10 authorization codes per user. If the limit is reached, an "access_denied" exception is thrown for the remaining time. Also, the validity of each authorization code is two minutes.
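To make the two limits concrete from the authorization server's side, here is an added Python simulation (not Zoho's code and not taken from the page) of a refresh-token store that caps active tokens at 20 per client per user by evicting the oldest, and an authorization-code issuer that allows 10 codes per user in a 10-minute window, answers "access_denied" beyond that, and expires each code after two minutes. The single-use redemption of codes is standard OAuth behaviour rather than something the page states; the clock is injectable so the window can be exercised offline.

```python
"""Simulation of the refresh-token and authorization-code limits described above.
Added example; the limits are the ones the page states, the storage design is ours."""
import secrets
from collections import OrderedDict, deque
from typing import Callable, Deque, Dict, Tuple

MAX_REFRESH_TOKENS_PER_USER = 20   # page: 20 active refresh tokens per client per user
MAX_AUTH_CODES_PER_WINDOW = 10     # page: 10 authorization codes per user ...
AUTH_CODE_WINDOW_SECONDS = 10 * 60 # ... within 10 minutes
AUTH_CODE_LIFETIME_SECONDS = 2 * 60  # page: each code is valid for two minutes


class AccessDenied(Exception):
    """Raised when the authorization-code limit for a user has been reached."""


class RefreshTokenStore:
    """Caps the active refresh tokens per (client, user); the oldest is invalidated first."""

    def __init__(self, limit: int = MAX_REFRESH_TOKENS_PER_USER):
        self.limit = limit
        # (client_id, user_id) -> tokens in issue order, oldest first
        self._active: Dict[Tuple[str, str], "OrderedDict[str, bool]"] = {}

    def issue(self, client_id: str, user_id: str) -> str:
        tokens = self._active.setdefault((client_id, user_id), OrderedDict())
        token = secrets.token_urlsafe(32)
        tokens[token] = True
        while len(tokens) > self.limit:
            tokens.popitem(last=False)  # evict the oldest, keep the newly issued one
        return token

    def is_active(self, client_id: str, user_id: str, token: str) -> bool:
        return token in self._active.get((client_id, user_id), {})

    def active_count(self, client_id: str, user_id: str) -> int:
        return len(self._active.get((client_id, user_id), {}))


class AuthCodeIssuer:
    """Sliding-window limit on codes per user; codes are short-lived and single-use."""

    def __init__(self, clock: Callable[[], float]):
        self._clock = clock
        self._issued_at: Dict[str, Deque[float]] = {}        # user_id -> issue timestamps
        self._codes: Dict[str, Tuple[str, float]] = {}        # code -> (user_id, expiry)

    def issue(self, user_id: str) -> str:
        now = self._clock()
        times = self._issued_at.setdefault(user_id, deque())
        # Drop timestamps that have fallen out of the 10-minute window.
        while times and now - times[0] >= AUTH_CODE_WINDOW_SECONDS:
            times.popleft()
        if len(times) >= MAX_AUTH_CODES_PER_WINDOW:
            raise AccessDenied("access_denied")
        times.append(now)
        code = secrets.token_urlsafe(24)
        self._codes[code] = (user_id, now + AUTH_CODE_LIFETIME_SECONDS)
        return code

    def redeem(self, code: str) -> bool:
        """Accept a code once, and only before its two-minute validity ends."""
        entry = self._codes.pop(code, None)
        return entry is not None and self._clock() < entry[1]
```

Because the refresh-token cap evicts the oldest token, a client that keeps re-running the authorization flow will silently invalidate tokens it stored earlier; storing one refresh token per user and reusing it is the behaviour the limit is designed to encourage.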

Multi DC support

Data protection and privacy laws in multiple countries state that user data can only be stored in data centers located on that country's soil. In compliance, Zoho has set up data centers in multiple countries. Each data center only holds the data of users who have registered at that domain. See the available data centers.

When does this concept prove to be useful?

Clients require user data to execute their business logic. Clients such as extension programmers or plugin developers will have a user audience across all the data centers (DC), and will want to reach all of Zoho users. Such clients need to enable Multi DC support at Zoho API console to access Zoho's global user base.

If your app is present in the US data center and your app is going to be used by users present in the EU data center, then you need to enable EU DC support for your app. While making the initial request, you will be provided with the location of the user in the response. Using that, you will need to make the further API calls to the server URL corresponding to the concerned user's location.
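Pulling together steps 2 to 5 of the configuration section, the programmatic revocation endpoint, and the per-location routing just described, here is an added Python client (not Zoho's SDK and not code from this page). The page supplies the one-hour access-token lifetime, the Zoho-oauthtoken prefix in the Authorization header, and the oauth/v2/token/revoke endpoint; everything else is an assumption labelled in the code: the oauth/v2/token refresh path with grant_type=refresh_token, the expires_in and location fields in the token response, the token form parameter and {"status": "success"} reply on revocation, and the per-location API hosts, which are placeholders. The HTTP transport is injectable so the lifecycle can be exercised offline.

```python
"""Token lifecycle client for a Zoho-style OAuth 2.0 integration (added example).
Assumed, not taken from the page: refresh endpoint path and form fields, the
expires_in/location response fields, the revoke request/response shape, and the
placeholder API hosts in API_BASE_BY_LOCATION."""
import json
import time
import urllib.parse
import urllib.request
from typing import Callable, Dict, Optional

# Placeholder per-data-center API hosts (constructed; look up the real ones in Zoho's docs).
API_BASE_BY_LOCATION = {
    "us": "https://api.example-us.invalid",
    "eu": "https://api.example-eu.invalid",
}
ACCESS_TOKEN_LIFETIME = 3600  # the page states access tokens live for 1 hour
REFRESH_SKEW = 60             # refresh a minute early so no call races the expiry

PostFn = Callable[[str, Dict[str, str]], Dict[str, object]]


def _urllib_post(url: str, form: Dict[str, str]) -> Dict[str, object]:
    """Default transport: form-encoded POST returning parsed JSON."""
    req = urllib.request.Request(url, data=urllib.parse.urlencode(form).encode(), method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


class ZohoOAuthClient:
    def __init__(self, client_id: str, client_secret: str, refresh_token: str,
                 accounts_base: str = "https://accounts.zoho.com",
                 post: PostFn = _urllib_post, clock: Callable[[], float] = time.time):
        self.client_id = client_id
        self.client_secret = client_secret  # keep this server-side and out of logs
        self.refresh_token = refresh_token
        self.accounts_base = accounts_base.rstrip("/")
        self._post = post
        self._clock = clock
        self.access_token: Optional[str] = None
        self._expires_at = 0.0
        self.location: Optional[str] = None  # data-center hint returned by the server

    def needs_refresh(self) -> bool:
        return self.access_token is None or self._clock() >= self._expires_at - REFRESH_SKEW

    def refresh_access_token(self) -> str:
        """Exchange the stored refresh token for a fresh access token (assumed endpoint)."""
        resp = self._post(f"{self.accounts_base}/oauth/v2/token", {
            "grant_type": "refresh_token",
            "client_id": self.client_id,
            "client_secret": self.client_secret,
            "refresh_token": self.refresh_token,
        })
        if "access_token" not in resp:
            raise RuntimeError(f"token refresh failed: {resp.get('error', 'unknown')}")
        self.access_token = str(resp["access_token"])
        self._expires_at = self._clock() + int(resp.get("expires_in", ACCESS_TOKEN_LIFETIME))
        self.location = str(resp.get("location", self.location or "us"))
        return self.access_token

    def auth_header(self) -> Dict[str, str]:
        """Authorization header with Zoho's Bearer-style prefix, refreshing first if needed."""
        if self.needs_refresh():
            self.refresh_access_token()
        return {"Authorization": f"Zoho-oauthtoken {self.access_token}"}

    def api_url(self, path: str) -> str:
        """Route the API call to the host for the data center the user belongs to."""
        base = API_BASE_BY_LOCATION.get(self.location or "us")
        if base is None:
            raise ValueError(f"no API host known for location {self.location!r}")
        return f"{base}/{path.lstrip('/')}"

    def revoke_refresh_token(self) -> bool:
        """POST to oauth/v2/token/revoke; the page says access tokens issued from
        this refresh token become invalid too, so forget the cached one."""
        resp = self._post(f"{self.accounts_base}/oauth/v2/token/revoke",
                          {"token": self.refresh_token})
        ok = resp.get("status") == "success"
        if ok:
            self.access_token = None
            self._expires_at = 0.0
        return ok
```

The refresh skew matters in practice: a token that is valid when the header is built can expire before the request is served, so refreshing slightly before the stated hour avoids a class of intermittent 401 responses. Revoking on decommission or suspected compromise, rather than just discarding the token locally, is what actually ends the delegated access.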

Advantages of OAuth 2.0

  1. Improved Security

    ∙ No Credentials Exposure: OAuth 2.0 eliminates the need for users to share their usernames and passwords with third-party applications.

    ∙ Short-Lived Tokens: The use of short-lived access tokens minimizes the risk if a token is compromised.

    ∙ Secure Delegation: The system enables limited access based on defined scopes, reducing exposure to unnecessary user data.

  2. User Convenience

    ∙ Single Sign-On (SSO): OAuth 2.0 supports seamless SSO across multiple applications. Users can authenticate once and access multiple services without logging in each time.

    ∙ Minimal User Interaction: After initial authorization, users do not need to interact with the system repeatedly.

  3. Flexibility

    ∙ OAuth 2.0 supports different types of client applications, such as web, mobile, and server-to-server communication.

    ∙ It also offers multiple authorization flows (Authorization Code, Implicit, Client Credentials, and Resource Owner Password Credentials) tailored for different use cases.

  4. Wide Adoption

    ∙ OAuth 2.0 is a standard used by major tech companies like Google, Facebook, Microsoft, and Twitter, making it easier to integrate with widely used services.


OAuth scope:

Scope limits the level of access the application can have when making requests to the resource server (to access protected resources). It is what enables the user to provide delegated access to the client. When the user is asked for permission to grant access to the client, the scopes defined in the request will be shown.


A Zoho OAuth scope has three parts:

  1. Service name: 
    The name of the service the client is making API calls to. All Zoho products have a unique service name such as ZohoCRM, or ZohoRecruit.

  2. Scope name: 
    The name of the module in the service the client needs access to. Each Zoho service is divided into different modules. You can view the scope names from the respective product's API docs.

  3. Operation type: 
    The type of operation that is permissible for the client. It can be ALL, READ, UPDATE, or DELETE (ALL gives access to perform all operations).
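As an added example (not Zoho's code and not from this page), the following Python parses scopes of the three-part form just described and answers the question a reviewer of a consent request actually asks: does the granted set permit a given operation, and does the request ask for more than the app needs? It assumes the three parts are joined with dots, as in ZohoCRM.modules.ALL, and that multiple scopes are sent comma-separated; the scope (module) names used in the test are illustrative, not a list of real Zoho modules.

```python
"""Parser and least-privilege check for Zoho-style three-part scopes (added example).
Assumed: parts are dot-separated (service.scope.operation) and multiple scopes are
comma-separated; module names used for illustration are not real Zoho modules."""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List

# The operation types the page lists; ALL subsumes the other three.
OPERATIONS: FrozenSet[str] = frozenset({"ALL", "READ", "UPDATE", "DELETE"})


@dataclass(frozen=True)
class Scope:
    service: str    # e.g. ZohoCRM, ZohoRecruit
    module: str     # the scope name within the service
    operation: str  # ALL, READ, UPDATE or DELETE

    @classmethod
    def parse(cls, text: str) -> "Scope":
        parts = text.strip().split(".")
        if len(parts) != 3 or not all(parts):
            raise ValueError(f"scope must have service.scope.operation form: {text!r}")
        service, module, operation = parts
        if operation not in OPERATIONS:
            raise ValueError(f"unknown operation {operation!r} in {text!r}")
        return cls(service, module, operation)

    def permits(self, service: str, module: str, operation: str) -> bool:
        """ALL covers every operation on the module; others must match exactly."""
        return (self.service == service and self.module == module
                and (self.operation == "ALL" or self.operation == operation))


def parse_scope_list(text: str) -> List[Scope]:
    """Parse a comma-separated scope parameter as sent in an authorization request."""
    return [Scope.parse(s) for s in text.split(",") if s.strip()]


def is_permitted(granted: Iterable[Scope], service: str, module: str, operation: str) -> bool:
    """Would the resource server accept this operation under the granted scopes?"""
    return any(s.permits(service, module, operation) for s in granted)


def excess_scopes(requested: Iterable[Scope], needed: Iterable[Scope]) -> List[Scope]:
    """Requested scopes that grant more than the app's declared needs; a non-empty
    result means the consent screen will ask the user for more than necessary."""
    needed = list(needed)
    return [r for r in requested
            if not any(n.permits(r.service, r.module, r.operation) for n in needed)]
```

Running excess_scopes over a client's registered scope list before it ships is a cheap way to keep consent requests minimal, which is the point of scoped access: a token leaked from a READ-only integration cannot be used to delete records.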

What does OAuth provide over other authentication methods?

    ∙ Clients are not required to support password authentication or store user credentials, because authentication and authorization are done by exchanging OAuth tokens.

    ∙ Clients gain delegated access, i.e., access only to resources authorized by the user.

    ∙ Users can revoke a third-party application's delegated access at any time.

    ∙ OAuth access tokens expire after a set time. If the client suffers a security breach, user data is exposed only for as long as the access token remains valid.

Summary:

OAuth 2.0 stands out as a robust and user-friendly authentication framework that prioritizes security and usability. By implementing OAuth 2.0, businesses can enhance their security postures, streamline user experiences, and maintain a high level of control over their data. Whether you are a small business or a large enterprise, understanding and leveraging OAuth 2.0’s features can lead to safer and more efficient use of cloud applications.

For more insights on leveraging Zoho and ensuring seamless integration in your workflow, feel free to reach out to us at sales@elitetechpark.com. Let's embark on a journey toward creating a more secure and user-friendly digital workspace!