OAuth Adds Extra Security Layer to MFT

We’ve all received these messages, “Allow this application to access your account,” or “Sign in with Facebook,” when navigating online. That’s OAuth, or Open Authorization, and this step is often encountered when using Google, X, or Facebook among other services. OAuth blends security and convenience when needing to share authorization data between two different applications.

Instead of the more familiar, basic authentication – the username/password combo – OAuth applies limited use tokens to both authenticate and access secure aspects of applications and service providers. Any number of applications or cloud services, including Managed File Transfer (MFT) solutions, can take advantage of this extra layer of modern security, and convenience.

• Security is added. OAuth allows one application to sign into another application without requiring identifying information, such as usernames and passwords. OAuth can verify your identity without involving your identity and can do so on a limited or defined basis.

Rather than requiring username/password credentials, OAuth uses authorization tokens to represent your identity and uses access tokens to define and grant access to some of your data and any actions allowed to be performed with that server. These OAuth tokens for authorization and access are not unlimited, however. The protocol can specify exactly what data the third party can access and define what a client can do on the user's behalf. For example, you can restrict access for a user to only certain data sets or configure read-only or write-only permissions for that user.

And, because the tokens for authorization and access are protected between the application and the service providers, passwords can’t be compromised, even if the service or application you want to access is threatened.

• Convenience is added. OAuth eliminates the need to continually create new accounts or new user credentials to connect with multiple applications or services. Temporary authorization is granted so that users can more easily access secure portions of a given application or service.

In a nutshell, OAuth lets two different applications share the data needed to let you use them without the need to reveal your access credentials. The authorization token is what is used to validate who you are to the OAuth provider (Facebook, Microsoft, etc.) The access token is used to let the provider determine what access is granted within their server you are allowed in to.

How OAuth is Used in Managed File Transfer Solutions

MFT solutions, such as Fortra’s GoAnywhere MFT, that adhere to the most modern security recommendations, can also take advantage of OAuth’s ability to let third-party services exchange user authorization data without the need to actually share credentials. And, through GoAnywhere’s workflows, this process is automated, with users not having to acknowledge or respond to all the prompts of OAuth that they would if working outside of MFT.

Within GoAnywhere, when an authorization token is needed, instead of getting redirected to Microsoft Azure Directory to log in, the client can send the provider the needed credentials to authenticate automatically and be provided with the authorization token. As long as the authentication is successful, GoAnywhere can proceed with the authentication without direct intervention from the user.

GoAnywhere then uses this authorization token to automatically request a separate access token that can give them access to multiple Microsoft services. That access token is what GoAnywhere then provides to Microsoft whenever a user wants to do something such as create a SharePoint site or upload a file via GoAnywhere to be transferred.

Whether client applications utilize OAuth by redirecting you to a login page to authenticate or by handling the process automatically behind the scenes, OAuth offers significant security and configurability benefits. It enables users to grant precise permissions to the client application, ensuring that only the required data and privileges are accessed.

This flexibility allows applications to securely manage access based on user consent, whether through an interactive authorization flow or automated server-to-server interactions. By clearly defining and controlling what data and actions an application can access, OAuth enhances overall security and user trust, making it a versatile solution for a wide range of authentication and authorization needs.

OAuth in GoAnywhere’s SaaS or Cloud Environment

OAuth can be particularly useful in situations such as when you need to automate sending an email, either as part of a scheduled job or an automated alert, from a Microsoft 365 account, where authenticating via Microsoft OAuth v2.0 is required to send the email via the SMTP protocol.

GoAnywhere’s Cloud Connector library includes a connector for Microsoft OAuth that users can integrate into their workflows. This connector is responsible for getting the desired access token from Microsoft that can then be used by either the SharePoint Cloud Connector or by the solution’s Email tasks when users need to generate a token for the IMAP or SMTP protocol.

OAuth is also incorporated through GoAnywhere’s global SMTP alert settings. If an event occurs that the customer wants to notify specific admin users about, GoAnywhere can send an automated email describing the alert. Users can then use OAuth to authenticate for the SMTP session used to send the email.

How MFT Users can Benefit from OAuth

First, the added security gained when the need to store user credentials with the MFT solution helps reduce the likelihood of credentials being stolen or tampered with.

Plus, the additional convenience that allows users to use their existing credentials from the OAuth provider helps reduce the need to maintain a variety of separate credentials when using the MFT solution.

One of the additional advantages is the ability to have more granular control over permissions and over what material can be accessed with those permissions. This granular control over what material can be accessed is managed on the side of the provider (Microsoft, Google, etc.), which an MFT solution would not otherwise be privy to.

In addition, often the alternative to OAuth is Basic Authentication, where a user would simply just provide a username and password, which is less secure, or SAML (Security Assertion Markup Language), an authentication protocol used in enterprise settings. OAuth is another option to give users flexibility to choose what is beneficial for them based on their specific use case.  With GoAnywhere, the OAuth process is automated to help ensure the security benefits are applied consistently.