Metaphor of the Hotel
Fleeting

To ease explaining OAuth 2.0, people use this metaphor.
- the hotel receptionist is the authorization server: it checks your ID card and gives you an opaque key,
- you are the bearer of the key; you cannot (and should not) look at the information inside it,
- the hotel is the resource server, it gives access to some spaces when being presented the key,
- it does not care about who has the key, as long as the key is there,
- it has no concept of an end user; it just gives access to some space (see: resource server does not need to know about the resource owner),
- the hotel door is the API endpoint or some specific storage behind the API endpoint,
- after some time, the key expires and gives access to nothing,
- the hotel is the ONLY entity you communicate with to obtain keys. It is also the only party that validates authorization, based on the prior discussion with you in which your consent was checked,
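The metaphor mapped onto code, as an added example that is not part of the original note: a receptionist (authorization server) that hands out opaque, expiring keys and answers introspection queries, and a hotel (resource server) that only checks whether the presented key opens a given door, without asking who holds it. The class and function names, the doors, the scopes and the clock are constructed for the demo; the introspection response shape loosely follows RFC 7662 but this is not any real library's API.

```python
import secrets
import time


class AuthorizationServer:
    """The receptionist: issues opaque bearer keys and answers introspection.

    Constructed demo. Tokens are random strings whose metadata lives only on
    this server, so the bearer cannot read anything out of the key itself.
    """

    def __init__(self, clock=time.time):
        self._clock = clock
        self._tokens = {}  # token value -> {"sub", "scope", "exp"}, server-side only

    def issue_token(self, subject, scopes, ttl_seconds=3600):
        token = secrets.token_urlsafe(32)  # opaque: carries no embedded information
        self._tokens[token] = {
            "sub": subject,
            "scope": frozenset(scopes),
            "exp": self._clock() + ttl_seconds,
        }
        return token

    def introspect(self, token):
        """RFC 7662-style answer: is the key active, and what does it open?"""
        meta = self._tokens.get(token)
        if meta is None or self._clock() >= meta["exp"]:
            return {"active": False}  # unknown key or expired key: opens nothing
        return {"active": True, "scope": " ".join(sorted(meta["scope"])), "exp": meta["exp"]}


class ResourceServer:
    """The hotel: guards doors (API endpoints).

    It checks that the presented key is active and opens this door. It never
    asks who the bearer is, and never tries to parse the key itself.
    """

    def __init__(self, auth_server, doors):
        self._auth = auth_server
        self._doors = doors  # endpoint -> scope required to open it

    def open_door(self, endpoint, authorization_header):
        if not authorization_header or not authorization_header.startswith("Bearer "):
            return 401, "missing bearer key"
        key = authorization_header[len("Bearer "):]
        info = self._auth.introspect(key)  # ask the receptionist, do not inspect the key
        if not info["active"]:
            return 401, "key expired or unknown"
        required = self._doors.get(endpoint)
        if required is None:
            return 404, "no such door"
        if required not in info["scope"].split():
            return 403, "key does not open this door"
        return 200, f"welcome to {endpoint}"


class FakeClock:
    """Controllable clock so the demo can show key expiry without sleeping."""

    def __init__(self, now=1_000_000.0):
        self.now = now

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def demo():
    """Walk through the metaphor; returns the HTTP status of each attempt."""
    clock = FakeClock()
    receptionist = AuthorizationServer(clock=clock)
    hotel = ResourceServer(receptionist, doors={"/rooms/101": "room:101", "/gym": "gym"})

    # Check-in: the receptionist validates the guest and hands over an opaque key.
    key = receptionist.issue_token("alice", ["room:101"], ttl_seconds=600)
    results = {}
    results["room"] = hotel.open_door("/rooms/101", f"Bearer {key}")[0]   # 200
    results["gym"] = hotel.open_door("/gym", f"Bearer {key}")[0]          # 403: wrong door
    results["no_key"] = hotel.open_door("/rooms/101", None)[0]            # 401
    # A made-up key of the right shape: the hotel cannot tell from the key itself,
    # but the receptionist has never seen it, so the door stays shut.
    results["forged"] = hotel.open_door("/rooms/101", "Bearer " + "x" * 43)[0]  # 401
    clock.advance(601)  # the key's lifetime runs out
    results["expired"] = hotel.open_door("/rooms/101", f"Bearer {key}")[0]  # 401
    return results


if __name__ == "__main__":
    print(demo())
```

The point to notice is that `ResourceServer.open_door` never touches the subject: whoever presents a live key with the right scope gets in, which is exactly why the key's lifetime and the channel it travels over matter.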
Notes linking here
- How to Hack OAuth
- OAUTH 2.1 expliqué simplement (même si tu n’es pas dev)
- OAuth and OpenID Connect in Plain English
- Protecting Your APIs with OAuth