Introduction to OAuth (in simple words)

Original author: Rob Sobers
Social networks are woven ever more deeply into our lives; for many people they are both a source of income and the main tool of their work. Sometimes one site needs access to your data on another, for example when Bitly posts automatically to Twitter. For that to work, you would have to hand your username and password for one service over to another. That is the wrong way to do it. Instead, they should use OAuth.

OAuth is an open authorization protocol that lets a user grant a third party limited access to the user's protected resources without giving that third party the user's login and password.

This short guide illustrates, as simply as possible, how OAuth works.

Participants

OAuth transactions involve three key participants: the user, the consumer, and the service provider. This triumvirate can be affectionately called the OAuth love triangle.

In our example, Joe is the user, Bitly is the consumer, and Twitter is the service provider that controls Joe's protected resources (his feed). Joe wants Bitly to post shortened links to his feed. Here's how it works:

Step 1 - The user shows intent

Joe (user): “Hi, Bitly, I want you to be able to post links directly to my feed.”

Bitly (consumer): “No problem! I'll go ask for permission.”

Step 2 - The consumer obtains permission

Bitly: “I have a user here who wants me to publish to his feed. May I have a request token?”

Twitter (service provider): “Sure. Here is a token and a secret. Don't tell anyone the secret.”
The secret is used to prevent forged requests. The consumer uses it to sign each request, so that the service provider can verify that the requests really come from the consumer application.

Step 3 - The user is redirected to the service provider

Bitly: “OK, Joe. I'll send you over to Twitter, and you need to confirm there. Take this token with you.”
Joe: “Fine!”

Joe should check that the page he lands on really belongs to Twitter before typing anything: the redirect is the point at which a dishonest consumer could show a lookalike login page and collect his password instead.

Step 4 - The user gives permission

Joe: “Twitter, I would like you to authorize this request token that Bitly gave me.”

Twitter: “OK, just to be sure: you want to let Bitly do this, this and that with your account?”

Joe: “Yes!”

Twitter: “Fine. You can go back to Bitly and tell them they have permission to use their request token.”

Twitter marks the request token as approved, so that when the consumer asks for access, the request will be accepted (as long as it is signed with their shared secret).

Step 5 - The consumer obtains an access token

Bitly: “Twitter, can I exchange this request token for an access token?”

Twitter: “Of course. Here's your access token and secret.”

Step 6 - The consumer accesses the protected resource

Bitly: “Twitter, I would like to post a link to Joe's feed. Here is my access token.”

Twitter: “The token is valid. Done!”
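The six steps above, played end to end in code. This is an added example, not code from the original article or from Bitly or Twitter: an in-memory model of both sides of the OAuth 1.0a three-legged flow (RFC 5849), with the HMAC-SHA1 request signing that Step 2 describes. Joe, Bitly, Twitter, the URLs and all keys and secrets below are constructed for illustration. Besides the happy path, it shows the two checks a practitioner cares about most: a request token that the user never approved cannot be exchanged for an access token, and a request signed without the token secret is rejected even if the attacker holds the token itself.

```python
"""Added example, not from the original article: an in-memory model of the OAuth 1.0a
three-legged flow (RFC 5849) with HMAC-SHA1 request signing. Joe, Bitly, Twitter,
the URLs and every key and secret below are constructed for illustration."""
import base64
import hashlib
import hmac
import secrets
from urllib.parse import quote


def _pct(s):
    # RFC 5849 section 3.6 encoding: only A-Z a-z 0-9 - . _ ~ stay unencoded
    return quote(str(s), safe="-._~")


def signature_base_string(method, url, params):
    # RFC 5849 section 3.4.1: METHOD & encoded URL & encoded, sorted "k=v&k=v" string
    pairs = sorted((_pct(k), _pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), _pct(url), _pct(normalized)])


def hmac_sha1_signature(method, url, params, consumer_secret, token_secret=""):
    # Key is "consumer_secret&token_secret"; the token part is empty on the first request
    key = f"{_pct(consumer_secret)}&{_pct(token_secret)}".encode()
    base = signature_base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode()


def signed_params(ckey, csecret, method, url, extra, token="", tsecret=""):
    """Consumer side (Bitly): build the oauth_* parameters and sign the request."""
    p = {"oauth_consumer_key": ckey, "oauth_signature_method": "HMAC-SHA1",
         "oauth_timestamp": "1700000000", "oauth_nonce": secrets.token_hex(8), **extra}
    if token:
        p["oauth_token"] = token
    p["oauth_signature"] = hmac_sha1_signature(method, url, p, csecret, tsecret)
    return p


class ServiceProvider:
    """Provider side (Twitter): issues tokens, checks signatures, guards the feed."""

    def __init__(self, consumers):
        self.consumers = dict(consumers)  # consumer_key -> consumer_secret
        self.request_tokens, self.access_tokens, self.feeds = {}, {}, {}

    def _check(self, method, url, p, tsecret=""):
        # Recompute the signature from the shared secret(s); anything else is a forgery
        csecret = self.consumers.get(p.get("oauth_consumer_key"))
        if csecret is None:
            raise PermissionError("unknown consumer")
        unsigned = {k: v for k, v in p.items() if k != "oauth_signature"}
        expected = hmac_sha1_signature(method, url, unsigned, csecret, tsecret)
        if not hmac.compare_digest(expected, p.get("oauth_signature", "")):
            raise PermissionError("bad signature")

    def request_token(self, method, url, p):
        # Step 2: hand out a request token and its secret (RFC 5849 section 2.1)
        self._check(method, url, p)
        tok, sec = secrets.token_hex(8), secrets.token_hex(16)
        self.request_tokens[tok] = {"secret": sec, "consumer": p["oauth_consumer_key"], "user": None}
        return tok, sec

    def authorize(self, user, tok):
        # Step 4: the user approves the token in the provider's own UI; a verifier goes back
        rec = self.request_tokens[tok]
        rec["user"], rec["verifier"] = user, secrets.token_hex(4)
        return rec["verifier"]

    def access_token(self, method, url, p):
        # Step 5: exchange an authorized, single-use request token for an access token
        rec = self.request_tokens.get(p.get("oauth_token"))
        if rec is None or rec["consumer"] != p["oauth_consumer_key"]:
            raise PermissionError("unknown request token")
        self._check(method, url, p, rec["secret"])
        if rec["user"] is None or not hmac.compare_digest(rec["verifier"], p.get("oauth_verifier", "")):
            raise PermissionError("request token was never authorized by a user")
        del self.request_tokens[p["oauth_token"]]
        tok, sec = secrets.token_hex(8), secrets.token_hex(16)
        self.access_tokens[tok] = {"secret": sec, "consumer": rec["consumer"], "user": rec["user"]}
        return tok, sec

    def post(self, method, url, p):
        # Step 6: the access token, not Joe's password, is what unlocks his feed
        rec = self.access_tokens.get(p.get("oauth_token"))
        if rec is None or rec["consumer"] != p["oauth_consumer_key"]:
            raise PermissionError("unknown access token")
        self._check(method, url, p, rec["secret"])
        self.feeds.setdefault(rec["user"], []).append(p["status"])
        return rec["user"]


def run_flow(skip_user_approval=False, forge_secret=False):
    """Plays Steps 2-6 end to end. Returns Joe's feed, or the PermissionError raised."""
    ckey, csecret = "bitly-key", "bitly-secret"
    twitter = ServiceProvider({ckey: csecret})
    rt_url, at_url, post_url = ("https://twitter.example/oauth/request_token",
                                "https://twitter.example/oauth/access_token",
                                "https://twitter.example/1/statuses/update")
    try:
        rt, rts = twitter.request_token("POST", rt_url, signed_params(
            ckey, csecret, "POST", rt_url, {"oauth_callback": "https://bitly.example/cb"}))
        verifier = "" if skip_user_approval else twitter.authorize("joe", rt)  # Steps 3-4
        at, ats = twitter.access_token("POST", at_url, signed_params(
            ckey, csecret, "POST", at_url, {"oauth_verifier": verifier}, rt, rts))
        if forge_secret:
            ats = "guessed"  # an attacker who stole the token but not its secret
        twitter.post("POST", post_url, signed_params(
            ckey, csecret, "POST", post_url, {"status": "https://bit.ly/xyz"}, at, ats))
        return twitter.feeds["joe"]
    except PermissionError as err:
        return err
```

`run_flow()` returns Joe's feed with the shortened link in it; `run_flow(skip_user_approval=True)` and `run_flow(forge_secret=True)` both return the `PermissionError` the provider raised. Note that the timestamp is fixed and nonces are never recorded, so this model does not defend against replay the way a real provider must; it exists to show the signing and the token hand-offs.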

Conclusion

In our scenario, Joe never had to share his Twitter credentials with Bitly. He simply delegated access securely using OAuth. At any time, Joe can log in to his Twitter account, review all the access he has granted and, if necessary, revoke any of it. OAuth also allows access to be granted at different levels: you can give Bitly the right to publish while giving LinkedIn read-only permission.

OAuth is not perfect ... for now

OAuth is a powerful solution for web applications and a huge improvement over handing out passwords with plain HTTP Basic authentication. However, it has certain limitations, particularly in OAuth 1.0.

OAuth 2.0 is a newer version of the protocol with separate authorization "flows" for web, mobile and desktop applications. It adds token expiration (much like cookies), relies on SSL/TLS for transport security instead of per-request signatures, and so reduces implementation complexity by taking the cryptographic work off the client. The trade-off is that a leaked OAuth 2.0 bearer token can be replayed by anyone who holds it, which is why TLS is mandatory there rather than optional.

Additional Resources

I hope this example gave you a good idea of OAuth "in general terms". The next time you see a "Sign in with Twitter" button or the like, you will have an idea of what happens when you click it.

If you want to dive deeper into the mechanics, here are some useful links:
hueniverse.com/oauth
marktrapp.com/blog/2009/09/17/oauth-dummies
dev.twitter.com/docs/auth/oauth/faq
stackoverflow.com/questions/4113934/how-is-oauth-2-different-from-oauth-1
googlecodesamples.com/oauth_playground
www.justin.tv/hackertv/b/259433315
