OAuth is an open standard for authorization used by websites and applications. It gives these applications a simple, secure way to let their users grant access to their data held by another service.
For example, say you are a developer building an application. OAuth allows you to delegate the authorization to another service. Many websites and mobile applications use Facebook or Google to authenticate their users; this is done through OAuth.
OAuth has several benefits. The framework does not pass the user's password to the application during authentication, so third-party applications do not need to store and protect passwords. Users can also revoke an application's access easily.
The setup process for a website or application is roughly as follows:
- The website first registers with the authorization service, e.g. Facebook. It provides information including what the app is and the URL the user will be routed back to once the authorization is complete. This is called the Callback URL.
- The authorization service, i.e. Facebook, then provides the website with a Client ID and a Client Secret. The Client ID is a public identifier that tells Facebook which application is calling its authorization service. The Client Secret is a private value that confirms the identity of the website application and must never be exposed to the browser or to users.
Once set up, the sequence of events triggered by a user request is roughly as follows:
- The user goes to the website and is presented with a login choice, e.g. log in via Facebook. The user selects this option.
- The user is presented with a login screen from Facebook and enters their username and password. If the user is already signed in to Facebook, this login screen is skipped.
- The user is presented with a screen asking whether they would like to grant the website permission to access their Facebook information. The amount of information requested can vary. The user accepts.
- Facebook redirects the user back to the website's Callback URL with an authorization code, indicating that the user has granted access.
- The website now sends a request to Facebook, presenting this authorization code together with its Client ID and Client Secret, to obtain an access token.
- Facebook responds with an access token for this user of the website. The token will be used to fetch only the data the user granted permission for above.
- The website now sends a request to Facebook for the actual data. This request includes the access token, so Facebook knows the request is legitimate.
- Facebook responds with the user's specific data.
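The setup and the flow above, as an added toy simulation that is not part of the original article: one class plays the authorization service (the role Facebook has in the text) and `run_flow` plays the website. The client identifiers, the Callback URL `https://app.example/callback`, the user `alice` and her data are all constructed here; the checks an authorization server must make (the redirect must match the registered Callback URL, the code is single-use and expires, the Client Secret is verified, the token only unlocks the fields the user consented to) are what the example is meant to show.

```python
import hmac, secrets, time
USERS = {"alice": {"email": "alice@example.com", "friends": ["bob"]}}  # constructed

class AuthServer:
    def __init__(self):
        self.clients = {}  # client_id -> (client_secret, callback_url)
        self.codes = {}    # code -> (client_id, user, scope, expires_at)
        self.tokens = {}   # access_token -> (user, scope)
    def register(self, callback_url):
        """Setup: the app registers its Callback URL and gets a Client ID/Secret."""
        cid, secret = secrets.token_hex(8), secrets.token_hex(16)
        self.clients[cid] = (secret, callback_url)
        return cid, secret
    def authorize(self, cid, redirect_uri, user, scope):
        """User has logged in and consented: issue a short-lived, single-use code."""
        if redirect_uri != self.clients[cid][1]:  # only the registered Callback URL
            raise PermissionError("redirect_uri does not match registered callback")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (cid, user, frozenset(scope), time.time() + 60)
        return f"{redirect_uri}?code={code}"
    def token(self, cid, client_secret, code):
        """Back-channel exchange: authorization code + Client Secret -> access token."""
        if not hmac.compare_digest(self.clients[cid][0], client_secret):
            raise PermissionError("bad client secret")
        entry = self.codes.pop(code, None)  # pop makes the code single-use
        if entry is None or entry[0] != cid or entry[3] < time.time():
            raise PermissionError("invalid, expired or replayed code")
        tok = secrets.token_urlsafe(24)
        self.tokens[tok] = (entry[1], entry[2])
        return tok
    def resource(self, tok, field):
        """Release only the fields the user consented to for this token."""
        user, scope = self.tokens[tok]
        if field not in scope:
            raise PermissionError(f"token was not granted '{field}'")
        return USERS[user][field]

def run_flow():
    """Walk the article's steps, then show a replayed code and an ungranted field fail."""
    fb = AuthServer()
    cid, secret = fb.register("https://app.example/callback")
    url = fb.authorize(cid, "https://app.example/callback", "alice", ["email"])
    code = url.split("code=")[1]
    tok = fb.token(cid, secret, code)
    def refused(f):
        try: f(); return False
        except PermissionError: return True
    return (fb.resource(tok, "email"),
            refused(lambda: fb.token(cid, secret, code)),  # code replay
            refused(lambda: fb.resource(tok, "friends")))  # field not consented to
```

A real deployment would also bind the code to the user's session with a `state` value and send the token exchange over TLS; both are left out to keep the example short.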
OAuth is now at version 2.0.