
OAuth Basics

By PratapReddyP, 20 Aug 2012
 

This sure looks like a branded car logo, doesn't it?

No, this represents the new authentication mechanism that most sites are working with today.

OAuth - Open Authentication

I love the valet key example. Many luxury cars come with a valet key. It is a special key you give the parking attendant and, unlike your regular key, it will only allow the car to be driven a short distance while blocking access to the trunk and the onboard cell phone. Regardless of the restrictions the valet key imposes, the idea is very clever. You give someone limited access to your car with a special key, while using another key to unlock everything else.

In this example, the original key is the original credentials, with which a third party can do anything and everything. The valet key is a temporary credential with which the third party can do only a designated task, within a short span of time.

Let's look at the different roles in OAuth.

  • Resource Owner - The one who holds the account and credentials. Typically, a user can be considered the Resource Owner.
  • Client - The third-party app/service that wants to use the resources of the Resource Owner / user.
  • Server - The party with which the Resource Owner holds an account.

To understand the roles better, let me give you a better example.

I logged into "youtube.com" and watched a video, to be specific the "Expendables2 Trailer". I liked it and wanted to share it on Facebook with my friends.

I clicked the share button at the bottom of the video on YouTube, and this is what I see.

Clicking on the FB button, I get a window asking for my Facebook credentials.

Once I give my credentials, I am redirected to another window where I can modify the content and publish it on my Facebook wall.

Now look at the roles again and see who is who.

  • Resource Owner - It's me, holding the account with Facebook.
  • Client - Youtube.com is the client from which I want to use the service.
  • Server - Facebook, with which I hold the account.

What happened behind the scenes? And where does OAuth come into the picture?

We need to consider two facts here:

  • #1. For security reasons, Facebook doesn't want to share the actual user credentials with any third party.
  • #2. Without any authentication, YouTube cannot publish a video on my Facebook wall.

This is the kind of scenario where OAuth comes into the picture.

  • When I try to share the video from YouTube, it redirects me to Facebook.
  • I authenticate to the Facebook server and, Facebook being OAuth enabled, its API supplies a temporary security token with a limited scope of access, which is valid for a short period of time.
  • Using this security token, YouTube publishes the video on my FB wall on my behalf.
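The three steps above, sketched as an added example (not code from the original article and not Facebook's or YouTube's actual API). The `Server` class, the scope names `publish_wall` and `read_messages`, the sample account and the 300-second lifetime are all assumptions made for illustration.

```python
import hmac
import secrets
import time

class Server:
    """Hypothetical stand-in for the article's 'Server' role (Facebook in the example)."""

    def __init__(self, passwords):
        self._passwords = passwords   # owner -> password; never handed to a client
        self._tokens = {}             # token -> (owner, client, scopes, expires_at)

    def authorize(self, owner, password, client, scopes, ttl=300, now=None):
        """The owner logs in on the server's own page and approves `client` for `scopes`."""
        now = time.time() if now is None else now
        stored = self._passwords.get(owner, "")
        if not hmac.compare_digest(stored.encode(), password.encode()):
            raise PermissionError("owner authentication failed")
        token = secrets.token_urlsafe(32)          # opaque, unguessable valet key
        self._tokens[token] = (owner, client, frozenset(scopes), now + ttl)
        return token                               # the only secret the client receives

    def call_api(self, token, action, now=None):
        """Every API call re-checks that the token exists, is unexpired and covers the action."""
        now = time.time() if now is None else now
        grant = self._tokens.get(token)
        if grant is None:
            return "denied: unknown token"
        owner, _client, scopes, expires_at = grant
        if now >= expires_at:
            del self._tokens[token]                # expired tokens are forgotten
            return "denied: token expired"
        if action not in scopes:
            return "denied: scope does not cover " + action
        return f"ok: {action} for {owner}"

def demo():
    fb = Server({"me": "correct horse"})           # constructed sample account
    t0 = 1_000_000.0                               # fixed clock so the run is repeatable
    token = fb.authorize("me", "correct horse", "youtube", {"publish_wall"}, now=t0)
    return [
        fb.call_api(token, "publish_wall", now=t0 + 10),    # inside scope and lifetime
        fb.call_api(token, "read_messages", now=t0 + 10),   # outside the granted scope
        fb.call_api(token, "publish_wall", now=t0 + 301),   # after the 300 s lifetime
    ]

if __name__ == "__main__":
    for line in demo():
        print(line)
```

The client only ever holds the token, so the two denials show what the valet key buys: a leaked or misused token is bounded by its scope and its lifetime rather than by the owner's password.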

OAuth represents the combined wisdom of many proprietary industry protocols, such as Google AuthSub, Yahoo BBAuth, and Flickr API.

The current version of OAuth is 2.0, which we will discuss briefly in the next post.

I hope this helped you get a basic understanding of OAuth.

Is it helpful for you? Kindly let me know your comments / questions.

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

About the Author

PratapReddyP
Web Developer
India
I am an Aspiring Architect, having expertise in Design and Development. Good knowledge on TDD and DDD Approaches. Well versed with Agile methodology. Strong at Sharepoint, C# , Asp.Net, MVC, MVC Razor, WCF, Entity Framework, SQL, BI Tools.

Article Copyright 2012 by PratapReddyP