OAuth (the current version is OAuth 2.0, RFC 6749) is a delegated authorization standard: it lets a third-party application obtain limited access to a user's data held by another service, on that user's behalf, without the user ever handing the application their password.
Getting familiar with OAuth is not easy for someone starting out in security. One reason, I think, is that the spec uses unfamiliar terminology.
In this tutorial I explain the most-used terms in plain English.
Digital Identity:
All the information that defines a user in a particular application. Let's see some examples.
On Facebook, a user's digital identity might be their name, email or phone number, profile picture, relationship status... On a bookseller's platform the digital identity is their credit card details, shipping address...
Resource Owner (You, the user):
The owner of the identity and of the data the client wants to reach. The resource owner is the one who grants (or refuses) access to it.
Client (the third-party application):
The application (e.g. "theFastFood.com") that wants to access data or perform actions on behalf of the Resource Owner. It never sees the user's password; all it ever holds is an access token.
Authorization Server:
The application that knows the Resource Owner, where they already have an account. It authenticates the user, asks them for consent, and issues access tokens to the Client.
Resource Server:
The API or service the Client wants to use on behalf of the Resource Owner. It accepts access tokens and serves only what the token allows.
Scopes:
Scopes limit what an application can do on behalf of a user.
The client lists the scopes it is requesting; the authorization server shows them to the resource owner and asks whether or not they want to give the client that permission. The user may grant fewer scopes than were requested, so the client has to read the scope actually granted from the token response, and the resource server has to enforce scopes on every request rather than trusting the client.
Access Token:
The credential the client presents to the resource server. You may compare it to a badge or key card that gives the client permission to request data or perform actions with the resource server on your behalf. OAuth 2.0 tokens are usually bearer tokens (RFC 6750): whoever holds one can use it, so a token must only travel over TLS, must stay out of URLs and logs, and should expire quickly.
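The following is an added example, not code from the original post, that plays out all of the roles above in one offline script: the resource owner consents to a subset of the requested scopes, the authorization server issues a single-use code and then a signed, expiring, scope-limited token, and the resource server verifies signature, expiry and scope before answering. The client name "theFastFood.com", the scope strings `orders:read`/`orders:write`, the audience `api.example` and the HMAC key shared between the two servers are all assumptions made for the demo (real deployments often use asymmetric JWT signatures or token introspection instead).

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Assumption for this demo: the authorization server and resource server share
# one HMAC key so the resource server can verify tokens without a network call.
SIGNING_KEY = secrets.token_bytes(32)


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class ResourceOwner:
    """The user: owns the data and decides which scopes to grant."""

    def __init__(self, user_id, allowed):
        self.user_id = user_id
        self.allowed = set(allowed)  # scopes this user is willing to hand out

    def consent(self, client_id, requested):
        # The consent screen: the user may grant only a subset of what was asked.
        return sorted(set(requested) & self.allowed)


class AuthorizationServer:
    """Knows the user, collects consent, issues scoped and expiring tokens."""

    def __init__(self, key, lifetime=3600):
        self.key = key
        self.lifetime = lifetime
        self.codes = {}  # pending authorization codes

    def authorize(self, client_id, redirect_uri, scopes, owner):
        granted = owner.consent(client_id, scopes)
        if not granted:
            return None
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, redirect_uri, granted, owner.user_id)
        return code

    def token(self, client_id, redirect_uri, code, now=None):
        entry = self.codes.pop(code, None)  # single use: a replayed code fails
        if entry is None or entry[0] != client_id or entry[1] != redirect_uri:
            return None
        now = time.time() if now is None else now
        claims = {"sub": entry[3], "aud": "api.example", "client_id": client_id,
                  "scope": " ".join(entry[2]), "exp": int(now + self.lifetime)}
        body = _b64(json.dumps(claims, sort_keys=True).encode())
        sig = _b64(hmac.new(self.key, body.encode(), hashlib.sha256).digest())
        return f"{body}.{sig}"  # the bearer token handed to the client


class ResourceServer:
    """The API: trusts a token only after checking signature, expiry and scope."""

    ROUTES = {"GET /orders": "orders:read", "POST /orders": "orders:write"}

    def __init__(self, key, audience):
        self.key = key
        self.audience = audience

    def _verify(self, token, now):
        try:
            body, sig = token.split(".")
        except ValueError:
            return None
        expected = hmac.new(self.key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        claims = json.loads(_unb64(body))
        if claims.get("aud") != self.audience or claims.get("exp", 0) <= now:
            return None
        return claims

    def handle(self, method, path, token, now=None):
        now = time.time() if now is None else now
        claims = self._verify(token, now)
        if claims is None:
            return 401, "invalid_token"
        needed = self.ROUTES.get(f"{method} {path}")
        if needed is None:
            return 404, "not_found"
        if needed not in claims["scope"].split():  # scope enforced per request
            return 403, "insufficient_scope"
        return 200, f"{method} {path} for {claims['sub']}"


def demo(now=1_700_000_000):
    """Runs the whole exchange once and returns each outcome for inspection."""
    user = ResourceOwner("alice", allowed={"orders:read"})  # refuses write access
    auth = AuthorizationServer(SIGNING_KEY)
    api = ResourceServer(SIGNING_KEY, audience="api.example")
    client_id, redirect = "theFastFood.com", "https://thefastfood.example/cb"
    code = auth.authorize(client_id, redirect, ["orders:read", "orders:write"], user)
    token = auth.token(client_id, redirect, code, now=now)
    # A client that edits its own token to add a scope breaks the signature.
    body, sig = token.split(".")
    claims = json.loads(_unb64(body))
    claims["scope"] = "orders:read orders:write"
    forged = _b64(json.dumps(claims, sort_keys=True).encode()) + "." + sig
    return {
        "read": api.handle("GET", "/orders", token, now=now),
        "write": api.handle("POST", "/orders", token, now=now),
        "replayed_code": auth.token(client_id, redirect, code, now=now),
        "expired": api.handle("GET", "/orders", token, now=now + 7200),
        "forged": api.handle("GET", "/orders", forged, now=now),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Running `demo()` shows the read succeeding, the write refused with 403 because the user never granted `orders:write`, the reused authorization code rejected, the token refused after its lifetime, and the token with a self-added scope refused because its signature no longer matches.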