OAuth: Key points to remember for the exam
- OAuth stands for Open Authorization and is a widely-used framework for secure third party delegated authorization.
- Initially released in the year 2010, OAuth is a standard authorization protocol that allows websites or services to share assets amongst common users.
- OAuth is an open standard that solves the problem where unrelated servers and services can safely allow authenticated access to their assets without actually sharing the underlying login credentials.
- Some of the tech giants already using OAuth technology widely are Facebook, Instagram, Amazon, LinkedIn, Microsoft, Netflix, Paypal etc.
- OAuth mechanism does not share the actual password data with the requesting resource. It rather shares only authorization tokens to prove an identity between consumers and service providers.
- OAuth is only about authorization and not related to authentication. This is because OAuth technology does not pass any authentication information between the requesting service and the service provider. Rather it just passes on an authorization token for allowing access as a proof of identity.
OAuth Workflow with Example:
A user wants to access a website, say Quora for reading some article. Without the invention of OAuth, the website would have given the user an option to create a user login into the Quora database. This would mean that the user will register on Quora using his email and password. Once the user ID is created, the user may now use his Quora ID or email ID as user name and the password he used to create the account to access the website and read any resources available on that website.
Now imaging, another case commonly found in today’s web applications. You go to any website, say Quora, for accessing an article. This time though instead of just limiting you to register on their website using email ID and password, they gave a few more options, like login with Facebook or Google. What does that mean?
Let’s try and find out.
Well, this means that Quora is now using OAuth to allow you delegated access on behalf of authentication confirmation from Facebook/Google. When you select log in with Google, it opens a popup window from Google asking you to authenticate into google. Once authenticated, it asks if you want to authorize access to Quora via Google. If yes, the user can now access Quora successfully.
Benefits of OAuth
- OAuth helps the users navigate multiple web resources using delegated authorization from a service provider. Hence, they don’t need to register on every website with separate credentials.
- As the same set of access credentials can be used across websites, users do not need to remember and maintain multiple login details, which otherwise they usually write somewhere in order to remember. This overtakes the basic principle of security where passwords should not be written anywhere.
- The last but most important benefit to note is that, your credentials used for authentication and authorization to a third party are not compromised even in case the third party website gets hacked or suffers a data breach. As the third party eg Facebook, provided only an OAuth token to the requesting party i.e. Quora, and not the actual Facebook credentials.