What exactly is OAuth Open Authorization

Question

What exactly is OAuth  Open Authorization    I have gleaned some information from    OAuth Twitter Tutorial  What is OAuth And What It Means To You What is OAuth   But I want to learn and know more  I m looking for info on the lifecycle  Why do most of the social networks rely on this open protocol   Will it become a de facto in near future with the various technologies  e g  ASP NET

User · Answer

OAuth is all about delegating Authorization (choosing someone who can do Authorization for you). Note that Authentication and Authorization are different things. OAuth is Authorization (Access control), and if you want to implement Authentication (ID verification) also, OpenID protocol can be used on top of OAuth.

All big companies like Facebook, Google, Github,... use this kind of authentication/authorization nowadays. For example, I just signed in on this website using my Google account, this means Stackoverflow doesn't know my password, it receives the allowance from Google where my password (hashed obviously) is saved. This gives a lot of benefits, one of them is; In the near future you won't have to make several accounts on every website. One website (which you trust most) can be used to login to all other websites. So you'll only have to remember one password.

User · Answer

OAuth happened when we sign up SO account with Facebook  Google   button     Application  SO  redirecting user to the provider s authorization URL    Displaying a web page asking the user if he or she wishes to grant the application access to read and update their data   User agree to grant the application process   Service provider redirects user back to application  SO   passing authorization code as parameter  SO exchanges the code for an access grant     Source   OAuth1 service providers

User · Answer

OAuth is a protocol that is used from Resource Owner facebook  google  tweeter  microsoft live and so on  to provide a needed information  or to provide a permission for write success to third party system your site for example   Most likely without OAuth protocol the credentials should be available for the third part systems which will be inappropriate way of communication between those systems

User · Answer

Oauth is  definitely gaining momentum and becoming popular among enterprise APIs as well  In the app and data driven world  Enterprises are exposing APIs more and more to the outer world in line with Google  Facebook  twitter   With this development a 3 way triangle of authentication gets formed   1  API provider- Any enterprise which exposes their assets by API  say Amazon Target etc 2  Developer - The one who build mobile other apps over this APIs 3  The end user- The end user of the service provided by the - say registered guest users of Amazon  Now this develops a situation related to security -  I am listing few of these complexities  1  You as an end user wants to allow the developer to access APIs on behalf of you   2  The API provider has to authenticate the developer and the end user 3  The end user should be able to grant and revoke the permissions for the consent they have given 4  The developer can have varying level of trust with the API provider  in which the level of permissions given to her is different  The Oauth is an authorization framework which tries to solve the above mentioned problem in a standard way  With the prominence of APIs and Apps this problem will become more and more relevant and any standard which tries to solve it - be it ouath or any other - will be something to care about as an API provider developer and even end user

User · Answer

OAuth is an open standard for authorization  commonly used as a way for Internet users to log into third party websites using their Microsoft  Google  Facebook or Twitter accounts without exposing their password

User · Answer

What exactly is OAuth  Open Authorization     OAuth allows notifying a resource provider  e g  Facebook  that the resource owner  e g  you  grants permission to a third-party  e g  a Facebook Application  access to their information  e g  the list of your friends    If you read it stated as plainly  I would understand your confusion  So let s go with a concrete example  joining yet another social network   Say you have an existing GMail account  You decide to join LinkedIn  Adding all of your many  many friends manually is tiresome and error-prone  You might get fed up half-way or insert typos in their e-mail address for invitation  So you might be tempted not to create an account after all   Facing this situation  LinkedIn has the Good Idea TM  to write a program that adds your list of friends automatically because computers are far more efficient and effective at tiresome and error prone tasks  Since joining the network is now so easy  there is no way you would refuse such an offer  now would you   Without an API for exchanging this list of contacts  you would have to give LinkedIn the username and password to your GMail account  thereby giving them too much power   This is where OAuth comes in  If your GMail supports the OAuth protocol  then LinkedIn can ask you to authorize them to access your GMail list of contacts   OAuth allows for    Different access levels  read-only VS read-write  This allows you to grant access to your user list or a bi-directional access to automatically synchronize your new LinkedIn friends to your GMail contacts  Access granularity  you can decide to grant access to only your contact information  username  e-mail  date of birth  etc   or to your entire list of friends  calendar and what not  It allows you to manage access from the resource provider s application  If the third-party application does not provide mechanism for cancelling access  you would be stuck with them having access to your information  With OAuth  there is provision for revoking access at any time       Will it become a de facto  standard   in near future    Well  although OAuth is a significant step forward  it doesn t solve problems if people don t use it correctly  For instance  if a resource provider gives only a single read-write access level to all your resources at once and doesn t provide mechanism for managing access  then there is no point to it  In other words  OAuth is a framework to provide authorization functionality and not just authentication   In practice  it fits the social network model very well  It is especially popular for those social networks that want to allow third-party  plugins   This is an area where access to the resources is inherently necessary and is also inherently unreliable  i e  you have little or no quality control over those applications    I haven t seen so many other uses out in the wild  I mean  I don t know of an online financial advice firm that will access your bank records automatically  although it could technically be used that way

User · Answer

What is oAuth    OAuth is simply a secure authorization protocol that deals with the authorization of third party application to access the user data without exposing their password  eg   Login with fb  gPlus  twitter in many websites    all work under this protocol      Parties involved    The Protocol becomes easier when you know the involved parties  Basically there are three parties involved  oAuth Provider  oAuth Client and Owner    oAuth Client  Application Which wants to access your credential  oAuth Provider  eg  facebook  twitter     Owner  the person with facebook twitter   account        How It Works    I have supposed a scenario where a website stackoverflow  needs to add login with facebook feature  Thus facebook is oAuth Provider and the stackoverflow is oAuth Client    This step is done by app s developer  At the very beginning facebook  oAuth Provider  has no idea about the stackoverflow oAuth Client  because there is no link between them  So the very first step is to register stackoverflow with facebook developers site  This is done manually where developers need to give app s information to facebook like app s name  website  logo  redirect Url important one   Then stackoverflow is successfully registered  has got client Id  client secret etc from facebook and is up and running with OAUTH    2 Now when stackoverflow s user clicks login with fb button  Stackoverflow requests facebook with ClientId fb use it to recognize the client  and redirectUrl fb will return back to this url after success  Thus the user gets redirected to facebook login page  This is the best part user owner  is not giving thier facebook credential to stackoverflow         After Owner allow Stackoverflow to access the information  Then Facebook redirects back to stackoverflow  along with authcode using the redirectUrl provided at step 2   Then Stackoverflow contacts with facebook along with the obtained authcode to make sure everything is okay   Only then facebook will give access token to stackoverflow  Then access token is used by stackoverflow to retrive owner s information without using password  This is the whole motive of oAuth  where acutal credentails in never exposed to third party applications    For More   Quick video  Web link

User · Answer

OAuth Open Authorization  is an open standard for access granting deligation protocol  It used as a way for Internet users to grant websites or applications access to their information on other websites but without giving them the passwords   It does not deal with authentication   Or    OAuth 2 0 is a protocol that allows a user to grant limited access to their resources on one site  to another site  without having to expose their credentials      Analogy 1  Many luxury cars today come with a valet key  It is a special key you give the parking attendant and unlike your regular key  will not allow the car to drive more than a mile or two  Some valet keys will not open the trunk  while others will block access to your onboard cell phone address book  Regardless of what restrictions the valet key imposes  the idea is very clever  You give someone limited access to your car with a special key  while using your regular key to unlock everything  src from auth0 Analogy 2  Assume  we want to fill an application form for a bank account  Here Oauth works as  instead of filling the form by applicant  bank can fill the form using Adhaar or passport     Here the following three entities are involved       Applicant i e  Owner   Bank Account is OAuth Client  they need information Adhaar Passport ID is OAuth Provider

User · Answer

Simply put OAuth is a way for applications to gain credentials to your information without directly getting your user login information to some website  For example if you write an application on your own website and want it to use data from a user s facebook account  you can use OAuth to get a token via a callback url and then use that token to make calls to the facebook API to get their use data until the token expires  Websites rely on it because it allows programmers to access their data without the user having to directly disclose their information and spread their credentials around online but still provide a level of protection to the data  Will it become the de facto method of authorization  Perhaps  it s been gaining a lot of support recently from Twitter  Facebook  and the likes where other programmers want to build applications around user data

[oauth] What exactly is OAuth (Open Authorization)?

Examples related to oauth