What exactly is OAuth (Open Authorization)?

Backend · Unresolved · 9 · 1934
深忆病人 2020-12-02 03:22


I have gleaned some information from

  • OAuth
  • Twitter Tutorial: What is OAuth And What It Means To Y
9 answers
  • 2020-12-02 03:51

    OAuth is all about delegating Authorization (choosing someone who can do Authorization for you). Note that Authentication and Authorization are different things. OAuth is Authorization (access control), and if you want to implement Authentication (ID verification) as well, the OpenID protocol can be used on top of OAuth.

    All big companies like Facebook, Google, GitHub, ... use this kind of authentication/authorization nowadays. For example, I just signed in on this website using my Google account; this means Stack Overflow doesn't know my password, it receives the allowance from Google, where my password (hashed, obviously) is saved. This gives a lot of benefits, one of them being that in the near future you won't have to make several accounts on every website. One website (which you trust most) can be used to log in to all other websites, so you'll only have to remember one password.

  • 2020-12-02 03:55

    OAuth happens when we sign up for an SO account with the Facebook/Google button.

    1. The application (SO) redirects the user to the provider's authorization URL (displaying a web page asking the user whether he or she wishes to grant the application access to read and update their data).
    2. The user agrees to grant the application access.
    3. The service provider redirects the user back to the application (SO), passing the authorization code as a parameter.
    4. SO exchanges the code for an access grant.

    Source : OAuth1 service providers

  • 2020-12-02 04:00

    OAuth (Open Authorization) is an open standard for an access granting/delegation protocol. It is used as a way for Internet users to grant websites or applications access to their information on other websites, but without giving them their passwords. It does not deal with authentication.

    Or

    OAuth 2.0 is a protocol that allows a user to grant limited access to their resources on one site, to another site, without having to expose their credentials.

    • Analogy 1: Many luxury cars today come with a valet key. It is a special key you give the parking attendant and, unlike your regular key, will not allow the car to drive more than a mile or two. Some valet keys will not open the trunk, while others will block access to your onboard cell phone address book. Regardless of what restrictions the valet key imposes, the idea is very clever. You give someone limited access to your car with a special key, while using your regular key to unlock everything. (Source: auth0)

    • Analogy 2: Assume we want to fill in an application form for a bank account. Here OAuth works like this: instead of the applicant filling in the form, the bank can fill it in using Aadhaar or a passport.

      Here the following three entities are involved:

      1. The applicant, i.e. the Owner
      2. The bank account is the OAuth Client; they need the information
      3. The Aadhaar/passport ID is the OAuth Provider
  • 2020-12-02 04:01

    OAuth is a protocol that is used by the Resource Owner (Facebook, Google, Twitter, Microsoft Live and so on) to provide needed information, or to provide permission for write access to a third-party system (your site, for example). Most likely, without the OAuth protocol the credentials would have to be available to the third-party systems, which would be an inappropriate way of communication between those systems.

  • 2020-12-02 04:02

    What is OAuth?

    OAuth is simply a secure authorization protocol that deals with the authorization of a third-party application to access the user's data without exposing their password, e.g. "Login with FB", "Login with Google+" or "Login with Twitter" on many websites all work under this protocol.

    Parties involved

    The protocol becomes easier when you know the involved parties. Basically there are three parties involved: the OAuth Provider, the OAuth Client and the Owner.

    • OAuth Client (the application which wants to access your credentials)
    • OAuth Provider (e.g. Facebook, Twitter, ...)
    • Owner (the person with the Facebook/Twitter account)

    How It Works?

    I have assumed a scenario where a website (Stack Overflow) needs to add a "login with Facebook" feature. Thus Facebook is the OAuth Provider and Stack Overflow is the OAuth Client.

    1. This step is done by the app's developer. At the very beginning Facebook (the OAuth Provider) has no idea about Stack Overflow (the OAuth Client) because there is no link between them. So the very first step is to register Stack Overflow with the Facebook developers site. This is done manually, where the developers need to give the app's information to Facebook, like the app's name, website, logo and redirect URL (the important one). Then Stack Overflow is successfully registered, has got a client ID, client secret etc. from Facebook, and is up and running with OAuth.

    2. Now when a Stack Overflow user clicks the "login with FB" button, Stack Overflow requests Facebook with the ClientId (FB uses it to recognize the client) and the redirectUrl (FB will return to this URL after success). Thus the user gets redirected to the Facebook login page. This is the best part: the user (owner) is not giving their Facebook credentials to Stack Overflow.

    3. After the owner allows Stack Overflow to access the information, Facebook redirects back to Stack Overflow along with an auth code, using the redirectUrl provided at step 2.

    4. Then Stack Overflow contacts Facebook with the obtained auth code to make sure everything is okay.

    5. Only then will Facebook give an access token to Stack Overflow. The access token is then used by Stack Overflow to retrieve the owner's information without using a password. This is the whole motive of OAuth, where the actual credentials are never exposed to third-party applications.

    For More:

    Quick video

    Web link

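The authorization-code exchange walked through in the two step-by-step answers above (the four steps of the second answer and the five-step Facebook/Stack Overflow walkthrough directly above), as an added, self-contained example that is not part of any answer and is not any real provider's code. It models both sides in one Python process: `AuthorizationServer` stands in for Facebook/Google, `Client` for Stack Overflow, and the "HTTP" requests are plain method calls. The hostnames `provider.example` and `client.example`, the class and function names, and the user `alice` are all hypothetical. Beyond the steps in the answers it also shows the checks a practitioner would expect at each hop: exact `redirect_uri` matching, a `state` value that ties the callback to a login this client started, a client secret presented on the back-channel, a code that can be redeemed only once, and a scope on the issued token (the "valet key" of the third answer) that the resource endpoint enforces.

```python
# Added example, not from the original thread: an in-process model of the
# OAuth 2.0 authorization-code flow. AuthorizationServer stands in for
# Facebook/Google, Client for Stack Overflow. Hostnames, class names and the
# user "alice" are hypothetical; "HTTP" requests are plain method calls.
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse


def query_params(url):
    """Flatten a URL's query string into a dict (first value per key)."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


class AuthorizationServer:
    """The OAuth provider: the only party that ever sees the user's password."""

    def __init__(self):
        self.clients = {}  # client_id -> {"secret": ..., "redirect_uri": ...}
        self.codes = {}    # one-time authorization code -> grant details
        self.tokens = {}   # access token -> {"user": ..., "scope": ...}

    def register_client(self, redirect_uri):
        """Step 1: the developer registers the app and gets an id and secret."""
        client_id, client_secret = secrets.token_hex(8), secrets.token_urlsafe(32)
        self.clients[client_id] = {"secret": client_secret, "redirect_uri": redirect_uri}
        return client_id, client_secret

    def authorize(self, authorize_url, user, consent):
        """Steps 2-3: the user is on the provider's login/consent page."""
        q = query_params(authorize_url)
        client = self.clients.get(q.get("client_id"))
        # redirect_uri must match the registered value exactly, otherwise the
        # code could be delivered to a site the attacker controls.
        if client is None or q.get("redirect_uri") != client["redirect_uri"]:
            raise ValueError("unknown client or redirect_uri mismatch")
        state = q.get("state", "")
        if not consent:
            return client["redirect_uri"] + "?" + urlencode({"error": "access_denied", "state": state})
        code = secrets.token_urlsafe(24)
        self.codes[code] = {"client_id": q["client_id"], "user": user,
                            "scope": q.get("scope", ""), "exp": time.time() + 60}
        return client["redirect_uri"] + "?" + urlencode({"code": code, "state": state})

    def token(self, client_id, client_secret, code):
        """Steps 4-5: back-channel exchange; the client proves itself with its secret."""
        client = self.clients.get(client_id)
        if client is None or not hmac.compare_digest(client["secret"], client_secret):
            raise PermissionError("invalid_client")
        grant = self.codes.pop(code, None)  # pop: a code can be redeemed exactly once
        if grant is None or grant["client_id"] != client_id or grant["exp"] < time.time():
            raise PermissionError("invalid_grant")
        token = secrets.token_urlsafe(32)
        self.tokens[token] = {"user": grant["user"], "scope": grant["scope"]}
        return token

    def resource(self, token, required_scope):
        """The 'valet key' in use: a token opens only what its scope allows."""
        info = self.tokens.get(token)
        if info is None:
            raise PermissionError("invalid_token")
        if required_scope not in info["scope"].split():
            raise PermissionError("insufficient_scope")
        return {"user": info["user"], "scope": required_scope}


class Client:
    """The third-party site; it never handles the user's provider password."""

    def __init__(self, provider, redirect_uri="https://client.example/callback"):
        self.provider, self.redirect_uri = provider, redirect_uri
        self.client_id, self.client_secret = provider.register_client(redirect_uri)
        self.pending_states = set()

    def login_url(self, scope="profile"):
        """Build the redirect that sends the browser to the provider."""
        state = secrets.token_urlsafe(16)  # binds the callback to this login attempt (CSRF guard)
        self.pending_states.add(state)
        return "https://provider.example/authorize?" + urlencode({
            "response_type": "code", "client_id": self.client_id,
            "redirect_uri": self.redirect_uri, "scope": scope, "state": state})

    def callback(self, redirect_url):
        """Handle the browser's return; returns an access token, or None if denied."""
        q = query_params(redirect_url)
        if q.get("state") not in self.pending_states:
            raise PermissionError("state mismatch: callback not started by this client")
        self.pending_states.discard(q["state"])
        if "error" in q:
            return None
        return self.provider.token(self.client_id, self.client_secret, q["code"])


def run_flow(consent=True, scope="profile"):
    """Drive one complete login; returns (provider, client, token_or_None)."""
    provider = AuthorizationServer()
    client = Client(provider)
    sent_back = provider.authorize(client.login_url(scope), user="alice", consent=consent)
    return provider, client, client.callback(sent_back)
```

`run_flow()` returns a token that `provider.resource(token, "profile")` accepts and `provider.resource(token, "email")` rejects; replaying the same code against `provider.token(...)` fails with `invalid_grant`, and a callback carrying a `state` the client never issued is refused before any code is exchanged. The token is stored in the provider's own table rather than being a signed bearer string, which keeps the model short; a real provider would typically use an opaque token with introspection or a signed JWT.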
  • 2020-12-02 04:05

    OAuth is an open standard for authorization, commonly used as a way for Internet users to log into third-party websites using their Microsoft, Google, Facebook or Twitter accounts without exposing their password.
