
How we connected OAuth 2.0 authorization: what it is and how it works

To make life easier for its customers, the Invola service team has implemented a direct connection to the user's mailbox using OAuth 2.0.

In this article we explain what OAuth 2.0 is, how it works and how it affects the security of user data.
We leave out a number of technical details and describe the essence of the technology in plain language for ordinary users.

Regular users of the service know how inconvenient it could be to work through a duplicate mailbox, often forgetting to forward yet another letter to it. We received requests to reconsider the way invoices and commercial offers are received, in favor of a direct connection to the mailbox.

After a couple of weeks of productive work by a programmer and a security specialist, the authorization flow was implemented and is now the main way clients connect to the service.

What is OAuth?

In dry technical terms, it is an authorization protocol that lets one service (in this case, Invola) be given the right to access a user's resources on another service (here, access to the mailbox).

The user has more reason to trust the application, because the user can be sure that unauthorized access to their personal data is impossible. Without ever holding the user's login and password, the application can perform only those actions on the data that the user has authorized, and no others.

Simply put: the Invola service connects to your mailbox to receive invoices and offers without asking for a login and password; instead it requests a right of access. If you confirm, the application keeps that access until you revoke it, or until the application itself ceases to exist or be active.

Briefly, the principle of OAuth authorization in conjunction with Invola is shown in the picture below.



Communication between Invola and the mail server uses an access token (steps 4-5), which expires automatically after one hour and is renewed as needed (automatically, without user intervention, by the Invola software).

Now let's talk about security, and why OAuth authorization is preferable to a login and password.

When you give any service a username and password to access your account (mail.ru, gmail.com), you are actually handing over the password to the entire account (with it, one can reach, for example, your cloud drive, photo albums and other personal data).

By granting access through OAuth, you yourself control which resources of the account you give access to. Consider the rights requested when connecting to Invola:



"View and manage mail" is needed to receive invoices and commercial offers (KP) automatically, "view address" to obtain the email address of the mailbox, and "view profile" to obtain the user's name (required at the registration stage).
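To make the flow in the diagram (steps 1-5) and the scope discussion concrete, here is an added, self-contained simulation of an OAuth 2.0 authorization-code flow. It is not Invola's code nor any mail provider's: the scope names (`mail.read`, `profile.read`, `photos.read`), the client id `invola-demo`, the test account and the mailbox contents are all constructed for the example. It shows the four properties the article relies on: the client never handles the password, a token only reaches the scopes the user consented to, the access token expires after the one-hour lifetime and is renewed silently with a refresh token, and revoking consent kills every token behind the grant.

```python
import secrets
from dataclasses import dataclass

TOKEN_LIFETIME = 3600  # seconds: the one-hour access-token lifetime the article mentions


@dataclass
class Grant:  # what the user consented to on the provider's consent screen
    user: str
    client_id: str
    scopes: frozenset
    revoked: bool = False


class AuthorizationServer:
    """Mail provider's side. It alone holds passwords; clients only ever see tokens."""

    def __init__(self, passwords):
        self._passwords = passwords  # user -> password (constructed test data)
        self._codes = {}             # single-use authorization code -> Grant
        self._access = {}            # access token -> (Grant, expiry timestamp)
        self._refresh = {}           # refresh token -> Grant

    def authorize(self, user, password, client_id, scopes):
        # Steps 1-3: the user logs in *here*, not at the client, and consents to scopes.
        if self._passwords.get(user) != password:
            raise PermissionError("bad credentials")
        code = secrets.token_urlsafe(16)
        self._codes[code] = Grant(user, client_id, frozenset(scopes))
        return code  # only this short-lived code goes back to the client

    def _issue_access(self, grant, now):
        token = secrets.token_urlsafe(32)
        self._access[token] = (grant, now + TOKEN_LIFETIME)
        return token

    def exchange_code(self, code, client_id, now):
        # Step 4: the client trades the code for tokens; pop() makes the code single-use.
        grant = self._codes.pop(code, None)
        if grant is None or grant.client_id != client_id:
            raise PermissionError("invalid code")
        refresh = secrets.token_urlsafe(32)
        self._refresh[refresh] = grant
        return self._issue_access(grant, now), refresh

    def refresh(self, refresh_token, now):
        # Silent renewal once the access token expires: no user action, only while the grant lives.
        grant = self._refresh.get(refresh_token)
        if grant is None or grant.revoked:
            raise PermissionError("refresh token invalid or revoked")
        return self._issue_access(grant, now)

    def revoke(self, user, client_id):
        # The user withdraws consent; every access and refresh token behind it dies at once.
        for grant in self._refresh.values():
            if grant.user == user and grant.client_id == client_id:
                grant.revoked = True

    def check(self, token, scope, now):
        # Resource-server check: token known, not revoked, not expired, carries the scope.
        grant, expires_at = self._access.get(token, (None, 0))
        if grant is None or grant.revoked:
            return False, "revoked or unknown token"
        if now >= expires_at:
            return False, "expired"
        if scope not in grant.scopes:
            return False, f"scope {scope!r} not granted"
        return True, grant.user


def fetch(auth, resources, token, scope, now):
    """Resource server (the mailbox): hand out data only for a valid token carrying the scope."""
    ok, info = auth.check(token, scope, now)
    if not ok:
        raise PermissionError(info)
    return resources[(info, scope)]


def _attempt(fn):  # the call's result, or the refusal message if it was denied
    try:
        return fn()
    except PermissionError as e:
        return str(e)


def run_scenario():
    """Walk the flow once and record what the client could and could not do."""
    user, client, t0 = "alice@example.com", "invola-demo", 1_700_000_000.0  # constructed
    auth = AuthorizationServer({user: "s3cret"})
    resources = {(user, "mail.read"): ["Invoice #17", "Commercial offer"],  # constructed
                 (user, "profile.read"): "Alice",
                 (user, "photos.read"): ["vacation.jpg"]}                   # never granted
    code = auth.authorize(user, "s3cret", client, ["mail.read", "email.read", "profile.read"])
    access, refresh = auth.exchange_code(code, client, t0)  # client never saw the password
    later = t0 + TOKEN_LIFETIME + 1                           # just past the one-hour mark
    r = {"mail": _attempt(lambda: fetch(auth, resources, access, "mail.read", t0)),
         "photos": _attempt(lambda: fetch(auth, resources, access, "photos.read", t0)),
         "replay": _attempt(lambda: auth.exchange_code(code, client, t0)),
         "after_hour": _attempt(lambda: fetch(auth, resources, access, "mail.read", later))}
    access2 = auth.refresh(refresh, later)                    # renewed without the user
    r["after_refresh"] = _attempt(lambda: fetch(auth, resources, access2, "mail.read", later))
    auth.revoke(user, client)                                 # the user withdraws consent
    r["after_revoke"] = _attempt(lambda: fetch(auth, resources, access2, "mail.read", later + 1))
    return r
```

Calling `run_scenario()` returns a dictionary: the mailbox is readable, the photo albums are refused because that scope was never granted, replaying the authorization code fails, the token is refused after an hour, the refreshed token works again, and nothing works after revocation. A real provider separates the authorization and resource servers over HTTPS and validates the client's redirect URI as well; the in-memory version keeps only the parts that carry the security argument.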

Unfortunately, not all mail servers (including corporate ones) support OAuth authorization, in particular the popular Yandex.Mail service. If your mail is hosted on Yandex, for now you can connect it to our service only with your login and password.

A little about security.

We understand very well how critical a leak of confidential data, or unauthorized access to customer data, financial transactions or personal correspondence, is for a business. Data security is one of our top priorities.

Access tokens, as well as e-mail access passwords, are stored on a secure, dedicated database server using a cryptographic scheme based on dynamic keys.

It is also worth noting that our employees do not have access to the mail servers or correspondence of our users under any circumstances.

All communication between the user and the service, as well as between the service and the mail server, takes place over a secure SSL channel; in other words, all data transmitted in both directions is encrypted with a strong cryptographic algorithm.

If you run a business and send a lot of invoices and offers to your customers, you simply must try our system. Invola sends automatic reminders when an invoice gets no response, and also tracks how your customers react to invoices (too expensive, delivery takes too long, etc.). As a result you raise the share of paid invoices, and you can also collect statistics on the performance of your managers and the most frequent reasons for refusals.

Sign up now, set it up in 5 minutes and use it free for a month.

Source: https://habr.com/ru/post/296258/
