What exactly is OAuth (Open Authorization)?

by

What exactly is OAuth (Open Authorization)?

OAuth allows notifying a resource provider (e.g. Facebook) that the resource owner (e.g. you) grants permission to a third-party (e.g. a Facebook Application) access to their information (e.g. the list of your friends).

If you read it stated plainly, I would understand your confusion. So let’s go with a concrete example: joining yet another social network!

Say you have an existing Gmail account. You decide to join LinkedIn. Adding all of your many, many friends manually is tiresome and error-prone. You might get fed up halfway or insert typos in their e-mail address for the invitation. So you might be tempted not to create an account after all.

Facing this situation, LinkedIn™ has the good idea to write a program that adds your list of friends automatically because computers are far more efficient and effective at tiresome and error-prone tasks. Since joining the network is now so easy, there is no way you would refuse such an offer, now would you?

Without an API for exchanging this list of contacts, you would have to give LinkedIn the username and password to your Gmail account, thereby giving them too much power.

This is where OAuth comes in. If your GMail supports the OAuth protocol, then LinkedIn can ask you to authorize them to access your Gmail list of contacts.

OAuth allows for:

  1. Different access levels: read-only VS read-write. This allows you to grant access to your user list or bi-directional access to automatically synchronize your new LinkedIn friends to your Gmail contacts.
  2. Access granularity: you can decide to grant access to only your contact information (username, e-mail, date of birth, etc.) or to your entire list of friends, calendar and whatnot.
  3. It allows you to manage access from the resource provider’s application. If the third-party application does not provide a mechanism for canceling access, you would be stuck with them having access to your information. With OAuth, there is a provision for revoking access at any time.

Will it become a de facto (standard?) in near future?

Well, although OAuth is a significant step forward, it doesn’t solve problems if people don’t use it correctly. For instance, if a resource provider gives only a single read-write access level to all your resources at once and doesn’t provide a mechanism for managing access, then there is no point to it. In other words, OAuth is a framework to provide authorization functionality and not just authentication.

In practice, it fits the social network model very well. It is especially popular for those social networks that want to allow third-party “plugins”. This is an area where access to the resources is inherently necessary and is also inherently unreliable (i.e. you have little or no quality control over those applications).

I haven’t seen so many other uses out in the wild. I mean, I don’t know of an online financial advisory firm that will access your bank records automatically, although it could technically be used that way.

More Related Contents:

  1. Get user info via Google API
  2. How is OAuth 2 different from OAuth 1?
  3. Can I really not ship open source with Client ID? [closed]
  4. How to validate an OAuth 2.0 access token for a resource server?
  5. What is the difference between the OAuth Authorization Code and Implicit workflows? When to use each one?
  6. Why do access tokens expire?
  7. What is the OAuth 2.0 Bearer Token exactly?
  8. What is the difference between Google Identity Toolkit, Google OAuth, Firebase Auth and Google+ sign in
  9. OAuth 2.0: Benefits and use cases — why?
  10. What is the purpose of the implicit grant authorization type in OAuth 2?
  11. Difference between OAuth 2.0 “state” and OpenID “nonce” parameter? Why state could not be reused?
  12. Spring OAuth redirect_uri not using https
  13. Disable checkboxes on Google consent screen
  14. How to change Google consent screen email?
  15. Twitter API – Logout
  16. JWT (Json Web Token) Audience “aud” versus Client_Id – What’s the difference?
  17. OAuth 2.0 with Google Analytics API v3
  18. gapi.auth.signOut(); not working I’m lost
  19. Google API OAuth2, Service Account, “error” : “invalid_grant”
  20. LinkedIn OAuth2: “Unable to verify access token”
  21. Netsuite OAuth Not Working
  22. OAuth Authorization vs Authentication
  23. Securing my REST API with OAuth while still allowing authentication via third party OAuth providers (using DotNetOpenAuth)
  24. What’s the difference between OpenID and OAuth?
  25. Curl error 60, SSL certificate issue: self signed certificate in certificate chain
  26. Twitter oAuth callbackUrl – localhost development
  27. Is there any JSON Web Token (JWT) example in C#?
  28. Having problems while try to install OAUTH with PECL in MAMP on mac OS lion
  29. Oauth implementation in netsuite using php
  30. facebook connect- $user_id = $facebook->getUser(); always returning 0 [duplicate]

Leave a Comment