Oauth 2.0 Protocol, driving authentication across the web
OAuth 2.0 in nutshell – “Solving complexity with simplicity”, its done.
You still here? Okay, let’s discuss what does it mean in a broader sense.
It is a well known proverb- “Necessity is mother of invention”. Same follows for Oauth. Let’s see how…
It is a well known proverb- “Necessity is mother of invention”. Same follows for Oauth. Let’s see how…
Our Necessity
Someone made a web site “X” that gone viral and now the site owner wants to make API to expose data of site to be used by developers to integrate various functionality in their 3rd party app “Y” (be it mobile or desktop or something else you can think of…) or it could be simple like making an app based on data accessed from the site.
Now there is a registered user of site “X” and wants to access app “Y”.
In the olden golden days this registered user have to provide both username and password to app “Y”, which cause two very important issues:
1. It causes a security risk to registered user as he have to provide username and password to third party application.
2. If there are n numbers of applications alike app “Y” and someday registered user changed his password, he have to change his password across all the n apps, which causes a serious maintenance issue.
Someone made a web site “X” that gone viral and now the site owner wants to make API to expose data of site to be used by developers to integrate various functionality in their 3rd party app “Y” (be it mobile or desktop or something else you can think of…) or it could be simple like making an app based on data accessed from the site.
Now there is a registered user of site “X” and wants to access app “Y”.
In the olden golden days this registered user have to provide both username and password to app “Y”, which cause two very important issues:
1. It causes a security risk to registered user as he have to provide username and password to third party application.
2. If there are n numbers of applications alike app “Y” and someday registered user changed his password, he have to change his password across all the n apps, which causes a serious maintenance issue.
Invention
With time, many big players rolled out their own proprietary ways to provide access and to maintain authenticity of third party apps. But the differences always create pains (like IE have proved it when it comes to web development).
Then, Oauth came into picture, it’s an open-standards protocol which helps to solve above stated problems. Oauth uses tokens in place of username and password. Let’s see how it works…OAuth in action
The below ASCII Art says it all:
# +--------+ +---------------+ # | |--(A)- Authorization Request ->| Resource | # | | | Owner | # | |<-(B)-- Authorization Grant ---| | # | | +---------------+ # | | +---------------+ # | |--(C)-- Authorization Grant -->| Authorization | # | Client | | Server | # | |<-(D)----- Access Token -------| | # | | +---------------+ # | | +---------------+ # | |--(E)----- Access Token ------>| Resource | # | | | Server | # | |<-(F)--- Protected Resource ---| | # +--------+ +---------------+ # # Read the full spec at http://tools.ietf.org/html/rfc6749
What’s next
Most of the players like Google, Tumblr, Twitter and Facebook are using Oauth. The best place to try hands on is Google Oauth Playground, Go ahead and make the web a better place !!
Keep Rocking !!