Sunday, August 30, 2020

What is OAuth 2.0?



Almost every one of us uses services from Google, Microsoft, Facebook, Apple etc. every day, either directly or indirectly. Most common websites offer a feature to sign up with Google, Facebook, Apple etc. Such a feature is possible mainly because of OAuth 2.0 and OpenID Connect.

Before we jump into what OAuth is, it's important to understand what exactly is meant by authentication and authorization.

Authentication : Process of verifying who a user is. E.g : Logging into your email with a username and password

Authorization : Process of verifying what access the user has. E.g : Checking whether the user is allowed to delete the files shared in Google Drive

Let's assume that you have a personal locker at home and only you have the key to open it. Everyone in the house (including you) has a separate key that only opens the main door of the house. In this scenario, opening the main door with that key is like authentication: it establishes who you are. Once you are inside, only you are authorized to open the personal locker and no one else. That is authorization.

OAuth 2.0 (shortened as OAuth) is an open standard authorization framework, specified in RFC 6749, used for delegated authorization: it lets a user grant one application limited access to their data held by another service, without handing over their password. OpenID Connect is an identity layer built on top of OAuth 2.0 that adds authentication, i.e. it tells the application who the user is.

It's becoming quite common to see options such as "Sign in with Google" or "Continue with Facebook" when we sign up or log in to the sites we use day-to-day. When such an option is present it means that, behind the scenes, these applications are using OAuth 2.0 and OpenID Connect.


Let's take a common example use case. Assume that you are taking a course on Coursera and you want the assignment deadlines of the course to be pushed automatically to your Google Calendar. You're already logged into Coursera.

In this case we need to grant Coursera access to our Google Calendar. Coursera can then use this grant to create, read or modify events in the calendar, and only that: it never sees our Google password, and it gets no access beyond the scopes we approved.




The OAuth authorization URL that Coursera redirects the browser to looks something like this (the host, client_id and scope name are placeholders; Google's real scopes are URIs such as https://www.googleapis.com/auth/calendar):

https://authorization-server.com/auth?response_type=code
    &client_id=****
    &redirect_uri=https://redirected-app.com/callback
    &scope=calendarreadandwrite
    &state=****

Explanation:

  • response_type = code : The application expects to receive an authorization code once the authorization is successful (this is the authorization code grant).
  • client_id : The client id is the identifier of the calling app (Coursera in our case). We get the client id when we register our app/website with Google to access Google services through OAuth.
  • redirect_uri : One of the URLs the developer registered while registering the app with Google. The authorization server must reject the request if the URL does not exactly match a registered one; otherwise an attacker could have the authorization code delivered to a site they control.
  • scope : The accesses requested by the caller, e.g. read or write on the calendar. Request the narrowest scope that does the job; the user sees the full list on the consent screen.
  • state : An unguessable value the client generates for each request and ties to the user's session. The authorization server returns the state parameter unchanged in the callback, and the client must check that it matches; a mismatch means the callback was not started by this user and must be rejected (login CSRF protection).
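The following Python snippet is added here as an example and is not part of the original post. It shows the Coursera side of these two steps: building the authorization URL with a fresh state value stored in the session, then validating the callback before trusting the code it carries. The endpoint, client_id, redirect_uri and scope name are the placeholders from the URL above, and the session is a plain dict standing in for a web framework's session store.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholder registration values from the post (hypothetical, not real credentials).
AUTH_ENDPOINT = "https://authorization-server.com/auth"
CLIENT_ID = "example-client-id"
REDIRECT_URI = "https://redirected-app.com/callback"
SCOPE = "calendarreadandwrite"


def build_authorization_url(session: dict) -> str:
    """Build the URL Coursera redirects the browser to.

    A fresh, unguessable state is generated per request and remembered in the
    user's session (a plain dict here) so the callback can be tied back to it.
    """
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": SCOPE,
        "state": state,
    }
    return f"{AUTH_ENDPOINT}?{urlencode(params)}"


def query_params(url: str) -> dict:
    """Flatten a URL's query string into a single-valued dict."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def handle_callback(session: dict, callback_url: str) -> str:
    """Validate the callback and return the authorization code.

    The stored state is consumed (pop) so a callback is accepted at most once,
    and the comparison is constant-time. Any mismatch is treated as a forged or
    stale callback and rejected before the code is even looked at.
    """
    query = query_params(callback_url)
    expected = session.pop("oauth_state", None)
    received = query.get("state")
    if expected is None or received is None or not hmac.compare_digest(
        expected.encode(), received.encode()
    ):
        raise ValueError("state mismatch: possible login CSRF or replayed callback")
    if "error" in query:
        # The user declined, or the server rejected the request (e.g. unknown scope).
        raise ValueError(f"authorization failed: {query['error']}")
    code = query.get("code")
    if not code:
        raise ValueError("callback carried no authorization code")
    return code


def demo() -> dict:
    """Happy path followed by a replayed callback; returns what each step yielded."""
    session = {}
    url = build_authorization_url(session)
    sent = query_params(url)
    good = handle_callback(session, f"{REDIRECT_URI}?code=4/example-code&state={sent['state']}")
    # Second delivery with the same state: the session no longer holds it, so it is refused.
    try:
        handle_callback(session, f"{REDIRECT_URI}?code=4/attacker-code&state={sent['state']}")
        replay = "accepted"
    except ValueError:
        replay = "rejected"
    return {"response_type": sent["response_type"], "code": good, "replay": replay}
```

The same pattern (generate per request, bind to the session, verify on return, consume once) is what a real web app would wire into its login route and its /callback route; the only framework-specific part is where the session lives.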

Once we enter our Google credentials, Google asks us for consent, listing the permissions (scopes) that Coursera has requested.






Once you provide the consent, a temporary grant is given to Coursera for accessing the Google Calendar. The grant is provided by means of an authorization code sent from Google to Coursera through the browser, as a query parameter on the redirect_uri.

Sample Authorization Code : 4/3gEmN1LypvXC6VVEqGGV_V9zKQyuw8g923UhNF3XnPZvgssIrBz0HHs0yAW3-q-XxLrKQIy7GXwgt4XnE94

Once the caller (Coursera in our case) has the authorization code, it must call the OAuth server's token endpoint again, over a direct server-to-server HTTPS request that also carries its own client credentials, to exchange the code for an access token and a refresh token. The code is single-use and short-lived; a second exchange attempt must be rejected.

Access Token : Used to access the resource server (Google Calendar in our case). It is sent in the HTTP Authorization header as a bearer token (Authorization: Bearer <token>), so whoever holds it can use it. For this reason the lifetime of an access token is short, typically an hour or less.

Sample Access Token : ya29.a0AfH6SMB4i8c43VmjYhdQ3tTksrh3EUVa6GwmQJzzSs0aggvTul0rpVqXS8H-qBPUFEMyE31USSMdtB3KQI6Wek6quNFh_2jV7l1D5l4vlbDyEwxJ-B7GlXMDyTy8BJD92cq9EFWTJRg87w7T0AWU_dcoJC3gGZs

Refresh Token : Used to get a new access token from the OAuth server when the existing one has expired. A refresh token has a much longer lifetime and cannot be used to access the resource server directly (unlike the access token); it is only ever presented to the token endpoint together with the client credentials. It must therefore be stored server-side and never exposed to the browser or written to logs.

Sample Refresh Token : 1//04iGQnny2BEr-CgYIRAAGAQSNwF-L9IrPyxZ8840SE0MnwZeOkqXW21NBgT4YTmadS1q8Smqg9SFYmiuBzEDXN9VoDZxU8q3M

Google issues access tokens beginning with "ya29." and refresh tokens beginning with "1//"; the samples above follow that pattern.

So whenever Coursera needs to access the Google Calendar, it sends the access token in the Authorization header along with the HTTP request to the Google server.

When the access token has expired, the sequence is: the resource server rejects the request (HTTP 401), Coursera presents the refresh token (with its client credentials) to the token endpoint, receives a fresh access token, and retries the original request. If the refresh token itself has been revoked or has expired, the user has to go through the consent step again.
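As an added example (not from the original post), the exchange below models both sides in Python: an in-memory stand-in for Google's token endpoint and Calendar API, and the Coursera-side client that exchanges the code, calls the API with a bearer token, and refreshes once when the access token has expired. The client id and secret are hypothetical, the tokens are random strings in Google's prefix style, and a fake clock replaces real expiry times. It also shows the two checks a practitioner should expect the server to make: a reused authorization code is refused, and a refresh token presented as a bearer token is refused.

```python
import secrets

# Hypothetical client registration standing in for Coursera's credentials at Google.
CLIENT_ID = "example-client-id"
CLIENT_SECRET = "example-client-secret"


class MockGoogle:
    """In-memory stand-in for Google's token endpoint and Calendar API (constructed here)."""

    def __init__(self, access_ttl=3600):
        self.now = 0                          # fake clock in seconds, advanced by the caller
        self.access_ttl = access_ttl
        self.clients = {CLIENT_ID: CLIENT_SECRET}
        self._codes, self._access, self._refresh = {}, {}, {}

    def issue_code(self, client_id):
        """After consent: a single-use authorization code, delivered via the browser."""
        code = "4/" + secrets.token_urlsafe(16)
        self._codes[code] = client_id
        return code

    def _mint_access(self, client_id):
        token = "ya29." + secrets.token_urlsafe(24)
        self._access[token] = (client_id, self.now + self.access_ttl)
        return {"access_token": token, "token_type": "Bearer", "expires_in": self.access_ttl}

    def token(self, req):
        """Token endpoint: authenticate the client, then honour one of two grant types."""
        if self.clients.get(req.get("client_id")) != req.get("client_secret"):
            return {"error": "invalid_client"}
        if req.get("grant_type") == "authorization_code":
            if self._codes.pop(req.get("code"), None) != req["client_id"]:
                return {"error": "invalid_grant"}   # unknown, already used, or another client's
            resp = self._mint_access(req["client_id"])
            resp["refresh_token"] = "1//" + secrets.token_urlsafe(24)
            self._refresh[resp["refresh_token"]] = req["client_id"]
            return resp
        if req.get("grant_type") == "refresh_token":
            if self._refresh.get(req.get("refresh_token")) != req["client_id"]:
                return {"error": "invalid_grant"}
            return self._mint_access(req["client_id"])
        return {"error": "unsupported_grant_type"}

    def calendar(self, headers):
        """Resource server: accepts only an unexpired access token, never a refresh token."""
        auth = headers.get("Authorization", "")
        entry = self._access.get(auth[7:]) if auth.startswith("Bearer ") else None
        if entry is None or self.now >= entry[1]:
            return 401, "invalid_token"
        return 200, ["Assignment 1 due", "Assignment 2 due"]


class CalendarClient:
    """Coursera side: keeps both tokens server-side and refreshes once on a 401."""

    def __init__(self, server):
        self.server = server
        self.access_token = self.refresh_token = None

    def _token_request(self, **grant):
        resp = self.server.token({"client_id": CLIENT_ID, "client_secret": CLIENT_SECRET, **grant})
        if "error" in resp:
            raise RuntimeError(resp["error"])   # a failed refresh means the user must re-consent
        return resp

    def exchange_code(self, code):
        resp = self._token_request(grant_type="authorization_code", code=code)
        self.access_token, self.refresh_token = resp["access_token"], resp["refresh_token"]

    def events(self):
        status, body = self.server.calendar({"Authorization": f"Bearer {self.access_token}"})
        if status == 401:                     # expired: get a new access token and retry once
            self.access_token = self._token_request(
                grant_type="refresh_token", refresh_token=self.refresh_token)["access_token"]
            status, body = self.server.calendar({"Authorization": f"Bearer {self.access_token}"})
        return status, body


def run_flow():
    """Consent -> code exchange -> API call -> expiry -> refresh; returns the observations."""
    google = MockGoogle(access_ttl=3600)
    coursera = CalendarClient(google)
    code = google.issue_code(CLIENT_ID)
    coursera.exchange_code(code)
    first = coursera.events()[0]
    reuse = google.token({"grant_type": "authorization_code", "code": code,
                          "client_id": CLIENT_ID, "client_secret": CLIENT_SECRET})
    refresh_as_bearer = google.calendar({"Authorization": f"Bearer {coursera.refresh_token}"})[0]
    old_access = coursera.access_token
    google.now += 3600                        # the access token has just expired
    after_expiry = coursera.events()[0]
    return {"first": first, "code_reuse": reuse.get("error"), "refresh_as_bearer": refresh_as_bearer,
            "after_expiry": after_expiry, "rotated": coursera.access_token != old_access}
```

Against the real Google endpoints the token calls become HTTPS POSTs to the token URL and the calendar call an HTTPS GET with the same Authorization header; the client logic (exchange once, use the access token, refresh on 401, retry once, give up and re-consent if the refresh fails) stays the same.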




Google also provides an easy platform to understand and play with OAuth 2.0. It lets us step through an OAuth authorization ourselves and see the raw requests and responses at each stage.

Google Playground URL : https://developers.google.com/oauthplayground/

Saturday, April 25, 2020

What is Serverless?


    In recent times, after the tremendous evolution of the cloud, I came across the words serverless / serverless computing / serverless architecture frequently. I was curious to know how an architecture could be called serverless and how computing could be done without servers! I got the answer when I was exploring cloud computing and learning about AWS.

    Then I realized that Serverless is largely a buzzword. It is not a technology or architecture in itself. It just means that we do not manage the infrastructure or the servers; someone else does it for us. As simple as that!



Img Src : https://www.freelancinggig.com/

    Serverless computing is a dynamic execution model where the execution of the code is taken care of by a cloud provider such as Amazon AWS, Google Cloud or Microsoft Azure. The allocation of the necessary servers and resources is handled automatically by the provider. The code is typically split into multiple functions that run inside stateless containers. Because of this split into functions, serverless is sometimes referred to as "FaaS – Function as a Service". The major advantage is that we pay only for what we use.

    The evolution towards serverless started from traditional on-premise servers, moved to renting remote server machines and virtual machines, then to containers, and finally to individual functions.

    The developer only needs to upload the code to the cloud and the provider takes care of the rest. The most fascinating thing I have learnt recently regarding serverless is an offering from Amazon AWS - Lambda. It does a lot of magic behind the scenes and supports most of the commonly used programming languages.

Major advantages:
·       Cost efficient:
Pay only for what we use, and nothing needs to be paid while the code is not executing (we just pay for any underlying resources used, e.g. storage). Billing is per invocation of the function, which is event driven, plus the compute time each invocation consumes.

·       High availability:
Availability is high because the provider runs the code on redundant infrastructure and backs it with an SLA. We can take advantage of multiple availability zones / regions, which in turn provides disaster recovery and so on.

·       Scalability:
Multiple instances of the function are created automatically when there is demand, and they are scaled back down once the function has been idle for a while.

·       No management of servers:
No more worries about installing servers, configuring them, maintaining them, patching them and so on. The provider patches the operating system and the language runtime; what remains ours to secure is the function's own code, its dependencies, the permissions (IAM role) it runs with, and the events it accepts.

    On the whole, we just write the code and it is deployed and available to the end user in a matter of seconds! Serverless computing – it is just awesome!
