#3. OAuth 2.0 Flow – What Is An Access Token?

Introduction

I explained the flow of OAuth 2.0 in the previous post. In Step C – Request Access Token, I mentioned that the client requests an access token from the authorization server using the authorization grant received in Step B. In this post we will learn more about access tokens.

Learn From My YouTube Video

Video tutorials help you learn better, so do watch the video below. It is still good practice to read and understand the article as well.

OAuth 2.0 Flow Diagram

Access Token

It is not a good idea to share the credentials of a resource owner with clients. In the OAuth 2.0 flow, the authorization server instead issues the client a string, the access token, that represents the authorization granted on behalf of the resource owner. Obviously, the resource owner has to consent to the client first. The client can then access the resource owner's protected resource by presenting the access token it was issued to the resource server.

An access token is an opaque string from the client's point of view: the client cannot, and should not try to, read any meaning out of it. The resource server, on the other hand, must be able to understand and validate the access token a client presents.

Below is an example of the access token –

ya29.a0AVvZVso2p6SPMtqPpVA4xvqiULI5Jf_J5Xm0J8YiKOuXZfDqon7b0hW8hI8R0_4oREs534aJsa2hPEWf4193STMx3uY7h54HhZfQa93X87PDorglSxW67QmW29Smh-Q3OLcvQ8wC_SgB75UDB_6JFLXSf5-nyojOaCgYKAYUSAQASFQGbdwaIsRDrmFSwqNjQSnttGfEYew0167

An access token is issued with scopes. A scope is a way to define the level of access a client gets. In layman's terms, on a project some team members have both read and write access to the project documents while others have only read access. Similarly, in the OAuth 2.0 flow, scopes are used to limit the amount of access that is granted to an access token.

When we create a Google account, we can use all Google products with the same credentials. For example, if you create a Gmail account you can access Google Drive, YouTube, Google Calendar, etc. with the same credentials. Sharing those credentials with a client is not safe, because the client could then access anything and perform whatever actions it wants.

An access token, by contrast, is generated with a scope that defines the level of access. For example, a client may be allowed to access only Gmail and Google Drive and nothing else. Access can also be restricted further within Gmail and Drive.

An access token may have a duration of access (expiration time) as granted by the resource owner and enforced by the resource server and authorization server.

Access tokens can have different formats, structures, and methods of use depending on the resource server's security requirements. Bearer tokens and JSON Web Tokens (JWT) are the most commonly used access tokens in OAuth 2.0 flows.
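The following is an added example, not code from the original post, that ties together the points above: the token is opaque to the client, it carries scopes, it expires, and the resource server (not the client) validates it. It stands in for both sides with an in-memory store; the owner name, scope names and timestamps are constructed for illustration.

```python
import hashlib
import secrets
import time

# Constructed in-memory record of issued tokens, keyed by the SHA-256 of the
# token so that a leaked store does not leak usable bearer tokens.
# Each record holds the resource owner, the granted scopes and the expiry time.
TOKENS = {}


def _key(token):
    return hashlib.sha256(token.encode()).hexdigest()


def issue_token(owner, scopes, lifetime_s=3600, now=None):
    """Authorization server side: mint an opaque token bound to scopes and expiry."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # random bytes: nothing to read out of it
    TOKENS[_key(token)] = {"owner": owner, "scopes": set(scopes), "exp": now + lifetime_s}
    return token


def validate(token, required_scope, now=None):
    """Resource server side: look the token up and enforce expiry and scope.
    Returns 'ok' or an RFC 6750 style error code for the caller to act on."""
    now = time.time() if now is None else now
    record = TOKENS.get(_key(token))
    if record is None:
        return "invalid_token"
    if now >= record["exp"]:
        return "expired_token"
    if required_scope not in record["scopes"]:
        return "insufficient_scope"
    return "ok"


def handle_request(authorization_header, required_scope, now=None):
    """Parse 'Authorization: Bearer <token>' and return (HTTP status, detail)."""
    parts = authorization_header.split(None, 1) if authorization_header else []
    if len(parts) != 2 or parts[0].lower() != "bearer":
        return 401, "invalid_request"
    detail = validate(parts[1].strip(), required_scope, now)
    if detail == "ok":
        return 200, "ok"
    # 401 for missing/expired tokens, 403 when the token is valid but lacks the scope
    return (403 if detail == "insufficient_scope" else 401), detail
```

Note that the client only ever handles the random string returned by issue_token; every decision about what that string is allowed to do is made by the resource server against the store.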

Thanks for reading. Kindly comment for any feedback and suggestions.
