What is OAuth?

OAuth is an open security protocol for token-based authorization and authentication on the Internet. It lets third-party web services access a user's resources held by another service without the user disclosing a username and password to them. Services from Google, Facebook, and Twitter use OAuth.

What is OAuth?

The acronym OAuth stands for Open Authorization. It is an open protocol that enables secure authorization of web services or mobile applications without exposing passwords to third-party vendors. The protocol uses token-based authorization and authentication. The process by which a token is obtained is called a flow.

Using Open Authorization, a user can allow a third-party application to access data stored at another service. No secret credentials for that access need to be disclosed to the third-party application. The first version of Open Authorization was developed in 2006 and 2007, with contributors including Google, Yahoo, and Twitter.

The specification of Open Authorization 1.0 is published in RFC 5849. In 2009, a security vulnerability was discovered in the protocol. The Open Authorization 2.0 framework was approved in 2012 in RFC 6749. OAuth 2.0 is not backward compatible with version 1.0.

The different roles in OAuth

Open Authorization recognizes a total of four different roles. These roles are:

  • Resource Owner
  • Resource Server
  • Client
  • Authorization Server

The Resource Owner is the user who wants to allow third-party access to his resources. The protected resources of the user are stored on the Resource Server. The Resource Server grants access to these resources to others only on presentation of a valid token. The Client is the third-party provider trying to gain access to the protected resources.

The client itself can be a web application, a mobile app, or an application on a desktop computer. Finally, the Authorization Server is responsible for authenticating the user and issuing the access tokens. Often, the Authorization Server and Resource Server are run together on the same platform.

Typical use case and authorization process with OAuth

A typical use case for Open Authorization might look like this: A user wants to grant a third-party service B access to his documents stored on web service A. The documents are stored on the resource server.

Since the services are different, third-party provider B needs to be authorized by web service A in order to gain access. However, the user does not want to hand his username and password for web service A to third-party provider B. In this case, OAuth allows third-party provider B to gain access on the basis of an authorization token.

All the user has to do is confirm to web service A that third-party provider B is allowed to access certain resources.

In simplified terms, the authorization process proceeds in these steps:

  1. The user is redirected from third-party provider B's page to web service A via a link for sharing the files, and must log in there.
  2. The user is informed that third-party provider B wants to access certain documents.
  3. The user agrees, and web service A creates an authorization token.
  4. Web service A communicates this authorization token to third-party provider B.
  5. At the same time, the user is redirected back to the page of third-party provider B.
  6. Third-party provider B now presents the authorization token to web service A and obtains access to the documents.
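The six-step exchange above, modelled end to end as an added example (not code from the original article): web service A acts as both authorization server and resource server, third-party provider B redeems a short-lived, single-use authorization token for an access token and then reads a document with it, and A never sees B holding the user's password. The client registration, the `documents:read` scope string and the document contents are constructed for the example.

```python
import secrets
import time

# Constructed registration data: web service A knows client B by an id,
# a client secret and a pre-registered redirect URI.
CLIENTS = {"client-b": {"secret": "b-secret", "redirect_uri": "https://b.example/callback"}}


class WebServiceA:
    """Simplified model of the authorization server plus resource server of the scenario."""

    def __init__(self):
        self.codes = {}     # authorization token -> (client_id, scope, expiry); single use
        self.tokens = {}    # access token -> (client_id, scope)
        self.documents = {"doc1": "quarterly report"}   # constructed protected resource

    def authorize(self, client_id, redirect_uri, scope):
        # Steps 1-3: the user has logged in and consented; A issues a short-lived token.
        client = CLIENTS.get(client_id)
        if client is None or client["redirect_uri"] != redirect_uri:
            raise PermissionError("unknown client or redirect_uri mismatch")
        code = secrets.token_urlsafe(32)
        self.codes[code] = (client_id, scope, time.time() + 60)
        return code   # travels to B through the user's browser redirect (steps 4-5)

    def token(self, client_id, client_secret, code, redirect_uri):
        # Step 6: B presents the authorization token together with its own credentials.
        client = CLIENTS.get(client_id)
        entry = self.codes.pop(code, None)   # pop: a token can be redeemed only once
        if client is None or client["secret"] != client_secret or entry is None:
            raise PermissionError("invalid client or unknown/used authorization token")
        issued_to, scope, expiry = entry
        if issued_to != client_id or client["redirect_uri"] != redirect_uri or time.time() > expiry:
            raise PermissionError("token not issued to this client, wrong redirect_uri, or expired")
        access_token = secrets.token_urlsafe(32)
        self.tokens[access_token] = (client_id, scope)
        return access_token

    def read_document(self, access_token, name):
        # Resource server: access is decided on the token and its scope, never on a password.
        _client_id, scope = self.tokens.get(access_token, (None, None))
        if scope != "documents:read":
            raise PermissionError("missing or insufficient access token")
        return self.documents[name]


def run_flow():
    """Drive the full exchange for client B and return the document B obtained."""
    a = WebServiceA()
    code = a.authorize("client-b", "https://b.example/callback", "documents:read")
    access_token = a.token("client-b", "b-secret", code, "https://b.example/callback")
    return a.read_document(access_token, "doc1")
```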