OAuth: Secured Delegated access to Resources via Http Protocol.
In the next 5 minutes or less the above sentence will start making more sense.
For a minute, forget OAuth, imagine Summer Camps. Your child, let’s say Aaron, goes to this Summer camp from morning to evening. You are authorized to drop and pick him up. On a certain day, you are working late (building something cool like AI or self-driving cars), and so you request your friend Tina, to pick up Aaron from the camp.
Tina cannot just show up at the camp to pick up your kid as she is not authorized to do so. This is as per the security check they have in place so that the strangers don’t take advantage of such a thing. Easier option would be to just give Tina your ID card so that she can impersonate as you. I personally would not recommend it as a) It is not legal b) Tina may just use your identity to do “stuff” (Bad Tina).
To get Tina a proper authorization, you would have to call up the Camp Director and request that Tina be allowed to pick up your child on xx date. You will provide her a hand note (token). Tina can then use her ID card to validate her identity and present the note when she is picking up Aaron. Camp Teacher will contact Camp Director and confirm that Tina in fact is authorized for pick up. Aaron is released to Tina. Note, on any other day Tina cannot just go and pick up Aaron, as she was authorized only for that single day.
What just happened here is OAuth.
OAuth is granting temporary, limited, token-based access to a 3rd party to obtain resources.
Now let’s tweak the above scenario just a little and make it a real-life OAuth use case.
A 3rd party application wants to access your LinkedIn profile. Maybe this app is built to find you a suitable job match. Let’s switch the roles above to suit our new story.
Parent is now a Resource Owner (You)
Aaron (Child) is now a Resource (Your LinkedIn Data, Profile, Connections, etc.)
Tina (Friend) is now a 3rd party App (any custom 3rd party App, mobile or desktop)
Camp Director is now a OAuth Server (LinkedIn OAuth Server)
Camp Teacher is now a Resource Server (LinkedIn servers which owns and protects your data)
Note is now a Token (Series of alphanumeric letters)
What we have now is a set of OAuth Actors.
Replacing people with OAuth actors, we get the following.
Step by step OAuth actions:
- 3rd party App Requests LinkedIn OAuth server to give access to your records. It’s very important to note that a 3rd party application will not directly go to the LinkedIn server as it will not entertain any requests from a strange 3rd party application. All requests are first sent to an OAuth Server (LinkedIn will have its own OAuth server).
- OAuth server contacts the user by browsing him to the Login page
- User enters credentials (username, password) to authenticate his identity.
- A permissions form is presented, and the user is asked to grant certain permissions (release public profile, contacts, etc.)
- OAuth servers then provides a Token to the 3rd party App.
- 3rd Party App can now directly contact the LinkedIn Servers and present this token.
- Linked in Server has no idea if the Token is valid or not.
- LinkedIn Server send the Token to OAuth server to check its validity.
- If Token is valid, data is sent back to the 3rd party app.
You are using OAuth and probably don’t even know it.
OAuth is widely used by big companies such as Google, Facebook, LinkedIn, etc., to provide access to their resources. I am going to prove you that you already use OAuth and next time you see a consent form asking your permission to grant access, you would know that it is OAuth acting under the hood.
Facebook users will find the following screenshot very familiar. An App asks you to login with your credentials and then asks for you permission to get access to your data. While you are in a hurry to continue browsing, little do you realize that you are actually signing a little consent form. With or without your knowledge, you have been using OAuth all along.
I hope you got a basic idea about the role OAuth plays. If you’re looking for more than five minutes of IT help, get in touch with KTL Solutions. We can help you apply the right technology to improve your financial, customer service, and operational processes. Contact us to get support from one of our knowledgeable consultants.