OAuth2 is a set of rules that lets one website get limited access to a user's account on another website, without ever seeing that user's password. Think of OAuth2 as the same rules we use daily when we drive to work. Similar to how we all understand red means stop, green means go, and when you see a person crossing the street, most times, you stop. OAuth2 is similar, as it sets a standard that 2 websites can comprehend.
Generating the OAuth URL
To start, b.com must generate a URL and redirect the browser to begin the process of asking a.com to let b.com act on behalf of the user who is currently logged in there. This URL will contain the following:
- Client ID
- Redirect URI
- State
- Scope
- Response Type (often loosely called the grant type)
The client id tells a.com "hey it's me! b.com!", the redirect URI says "when you're done make sure to come back here" (and it must match, exactly, the URI b.com registered with a.com ahead of time), the state is a random, unguessable string that b.com keeps in the user's session and checks when the browser comes back, so that the response can only be linked to the request that started it (like a session id for just the OAuth request), scope tells a.com what b.com wants access to (ids? emails? etc.), and lastly the response type tells a.com how b.com would like to receive the result (most commonly `code`, the authorization code grant; `grant_type` is a separate parameter that b.com sends later, when it exchanges the code for a token).
Still following along? If not that's alright! OAuth can be pretty overwhelming, but when you break it down into chunks, it becomes really straightforward. You use OAuth nearly every day and probably don't even notice!
B.com Asking A.com
The first step is for b.com to send the browser to a.com. This is done via the URL parameters, with the components from above included in the query string (the redirect URI is URL-encoded, and scopes are space-separated, which becomes `+` in a query string). It'll look something like this: https://a.com/authorize?response_type=code&client_id=123&redirect_uri=https%3A%2F%2Fb.com%2Fcallback&scope=id+email&state=rAnd0m123
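Here is the b.com side of that step in working code, as an added example that is not part of the original post: building the authorize URL with a fresh random state, and then checking the redirect that a.com sends the browser back with. The endpoint, client id, redirect URI and scope values are placeholders taken from the text; the callback path `/callback` and the sample authorization code are assumptions for illustration.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Placeholder values (constructed for this example). In practice the client id
# and redirect URI are whatever b.com registered with a.com.
AUTHORIZE_ENDPOINT = "https://a.com/authorize"
CLIENT_ID = "123"
REDIRECT_URI = "https://b.com/callback"   # assumed callback path
SCOPES = ["id", "email"]


def new_state() -> str:
    """Unguessable per-request token; b.com stores it in the user's session
    before redirecting, so it can tie the callback to this exact request."""
    return secrets.token_urlsafe(32)


def build_authorize_url(state: str, scopes=SCOPES) -> str:
    """Build the URL that b.com redirects the browser to."""
    params = {
        # Authorization code grant. Note: response_type, not grant_type;
        # grant_type is only sent later, to the token endpoint.
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,        # urlencode percent-encodes it
        "scope": " ".join(scopes),           # space-separated -> 'id+email'
        "state": state,
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Validate the redirect back to b.com and return the authorization code.

    Raises ValueError when the callback is not trustworthy. The state check
    is what stops an attacker from finishing a login he started himself
    (login CSRF) by planting his own callback URL in the victim's browser.
    """
    parsed = urlparse(callback_url)
    # Must land on the exact registered redirect URI, not just the same host.
    if f"{parsed.scheme}://{parsed.netloc}{parsed.path}" != REDIRECT_URI:
        raise ValueError("callback arrived at an unregistered redirect URI")

    query = parse_qs(parsed.query)
    if "error" in query:
        raise ValueError(f"a.com returned an error: {query['error'][0]}")

    state = query.get("state", [""])[0]
    # Constant-time compare; a missing or wrong state means we never asked
    # for this response, so do not accept the code.
    if not state or not secrets.compare_digest(state, expected_state):
        raise ValueError("state mismatch: callback does not belong to this session")

    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("no authorization code in callback")
    return code


if __name__ == "__main__":
    # Demo of the round trip. The code value is a made-up sample.
    state = new_state()
    print("redirect browser to:", build_authorize_url(state))
    sample_callback = f"{REDIRECT_URI}?code=SplxlOBeZQQYbYS6WxSbIA&state={state}"
    print("authorization code:", parse_callback(sample_callback, state))
```

The important design choice is that `state` is generated per request, stored server-side, and compared in constant time on the way back; the redirect URI is compared exactly rather than by prefix, because an open or loosely matched redirect is how an attacker gets the code delivered to a site he controls.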