By: sumitk
10 Jul 2008

What is OAuth?
OAuth is a simple standard for simple API authentication. OAuth allows you to share your private resources (photos, videos, contact list, bank accounts) stored on one site with another site without having to hand out your username and password. There are many reasons why one should not share their private credentials. Giving your email account password to a social network site so it can look up your friends is the same thing as going to dinner and handing your ATM card and PIN code to the waiter when it's time to pay. Any restaurant asking for your PIN code would go out of business, but when it comes to the web, users put themselves at risk by sharing exactly this kind of private information.

OAuth to the rescue
OAuth has now been implemented across all Google Data APIs, quickly giving this young standard for easy mashups more market validation than it has ever had before.
A standard method of authenticating users across different services means that mashup builders need only write one authentication process and then apply it to every data source that supports the standard. That's hot and new, and it's now spreading around the web faster than we expected.
Yes: Google, the YouTube Data API, Drupal, Yahoo!, Digg, Jaiku, Ma.gnolia, Pownce, Plaxo, Flickr, FireEagle and a long list of others support OAuth now.
As per Google's announcement last week, OAuth support is now available for all Google Data APIs. So YouTube, the Contacts API, Orkut, the Gmail API, the Calendar API and the rest all support OAuth, which sounds awesome!
So with Google's full support OAuth is becoming huge, and it seems that an era of secure mashup services is on its way.
Now the big question in everyone's mind must be how this OAuth thing actually works...
There is a whole draft specification laying out how OAuth works, but below I show its working, and its implementation on different platforms, in an easy pictorial way.
Some Terms:
Service Provider: the term used to describe the website or web service where the restricted resources are located, say a bank website or a photo-sharing service like Flickr.
User: users of web services, like you and me.
Consumer: a fancy name for an application trying to access the User's resources. This can be a website, a desktop program, a mobile device, a set-top box or anything else connected to the web. The Consumer is the party that gets permission to access resources on the Service Provider on the User's behalf.
Protected Resources: the User's data that is shared with the Consumer. This could be photos from a photo-sharing site or your bank account information released to a third-party site.
Tokens: tokens are used instead of User credentials to access resources. A Token is generally (but not necessarily) a random string of letters and numbers that is unique, hard to guess, and paired with a Secret to protect the Token from being abused. OAuth defines two different types of Tokens: Request and Access.
Steps involved in OAuth's authentication process to finally access data:
In the step pictured above, the Consumer registers with the Service Provider and obtains a key and secret pair for itself. Both sides store this information, and the Service Provider can use it for verification purposes.
The first time an end user asks the Consumer to fetch data from the Service Provider (a bank or a photo-sharing site), the Consumer constructs a proper OAuth request for the User using its own key and secret (obtained by registering with the Service Provider) and redirects the User to the Service Provider's website with the Consumer's request.
The Service Provider now asks the User to grant the Consumer access to his/her data. The permissions on the data (read or read+write) and the kind of data the Consumer may access are also confirmed here. After the User grants the Consumer access to the requested data, the Service Provider issues a single-use token and secret pair, which the Consumer can later use to obtain a multi-use token and secret pair (also known as the access token and secret).
One very important point for the Service Provider here: it must tell the User exactly what kind of access the Consumer (e.g. a third-party web service using your data) will have to his/her account, so that his/her data cannot be misused.
In this step the Consumer tries to get a multi-use token using the single-use token and secret pair it obtained during the request call to the Service Provider. When the Consumer requests the multi-use token using the single-use token, the Service Provider validates it against its stored values and signatures and issues the Consumer another pair, a time-bound access token and secret, for multiple calls to the Service Provider. The Consumer can now use this multi-use access token to fetch the User's data from the Service Provider's website. The token and secret obtained in this step are time-bound and expire after a period specified by the Service Provider. A User can let multiple Consumers access his/her data at the Service Provider's website, since the Service Provider issues a separate access token and secret pair to each.
In the step above the Consumer finally obtains the User's resources.
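As an added example (not the post's own code, and not Google's or any library's implementation), here is the whole flow from registration through resource access simulated in Python: an OAuth 1.0 HMAC-SHA1 signing routine plus a hypothetical in-memory service provider called ToyProvider. The provider host provider.example, the endpoint paths, the user alice and her photo list are all constructed for illustration. It ties together the points made above about tokens and the steps: a token is a random string paired with a secret, the request token is single-use, the access token is time-bound, the user is shown which consumer gets which permission, and the provider verifies the signature, nonce and timestamp on every call using the secrets it stored at registration, so the user's password is never involved.

```python
# Added example: OAuth 1.0 three-legged flow simulated in memory. Not the post's own
# code; ToyProvider, provider.example, the paths and user "alice" are all invented.
import base64, hashlib, hmac, secrets, time
from urllib.parse import quote, urlsplit

def pct(s):
    # OAuth percent-encoding: only RFC 3986 unreserved characters stay bare
    return quote(str(s), safe="-._~")

def base_string(method, url, params):
    # Signature base string = METHOD & enc(base URL) & enc(sorted "k=v" pairs)
    u = urlsplit(url)
    scheme, host = u.scheme.lower(), u.netloc.lower()
    if (scheme, host[-3:]) == ("http", ":80") or (scheme, host[-4:]) == ("https", ":443"):
        host = host.rsplit(":", 1)[0]                     # default ports are dropped
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    norm = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(f"{scheme}://{host}{u.path}"), pct(norm)])

def hmac_sha1(method, url, params, consumer_secret, token_secret=""):
    # Key is consumer_secret & token_secret; token_secret is empty before a token exists
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()

def signed_params(method, url, params, ckey, csecret, token="", tsecret=""):
    # Consumer side: add the oauth_* parameters and sign; secrets never go on the wire
    p = dict(params, oauth_consumer_key=ckey, oauth_nonce=secrets.token_hex(8),
             oauth_signature_method="HMAC-SHA1", oauth_timestamp=str(int(time.time())),
             oauth_version="1.0")
    if token:
        p["oauth_token"] = token
    p["oauth_signature"] = hmac_sha1(method, url, p, csecret, tsecret)
    return p

class ToyProvider:
    """Hypothetical service provider: registered consumers, tokens, one protected resource."""
    def __init__(self, base="https://provider.example"):
        self.base = base
        self.consumers = {}        # consumer_key -> consumer_secret (registration step)
        self.request_tokens = {}   # token -> {secret, consumer, user, scope}; single-use
        self.access_tokens = {}    # token -> same fields plus expires; time-bound
        self.seen_nonces = set()
        self.photos = {"alice": ["beach.jpg", "dog.jpg"]}   # constructed sample data
    def register_consumer(self):
        key, secret = secrets.token_urlsafe(12), secrets.token_urlsafe(24)
        self.consumers[key] = secret
        return key, secret
    def _verify(self, method, path, params, token_secret=""):
        # Recompute the signature from stored secrets; reject replays and stale timestamps
        p = dict(params)
        sig = p.pop("oauth_signature", "")
        csecret = self.consumers.get(p.get("oauth_consumer_key"))
        if csecret is None:
            raise PermissionError("unknown consumer key")
        if p.get("oauth_nonce") in self.seen_nonces or \
           abs(time.time() - int(p.get("oauth_timestamp", 0))) > 300:
            raise PermissionError("replayed nonce or stale timestamp")
        if not hmac.compare_digest(sig, hmac_sha1(method, self.base + path, p, csecret, token_secret)):
            raise PermissionError("bad signature")
        self.seen_nonces.add(p["oauth_nonce"])
        return p
    def request_token(self, params):
        p = self._verify("POST", "/request_token", params)
        tok, sec = secrets.token_urlsafe(12), secrets.token_urlsafe(24)
        self.request_tokens[tok] = {"secret": sec, "consumer": p["oauth_consumer_key"],
                                    "user": None, "scope": None}
        return tok, sec
    def authorize(self, token, user, scope):
        # The screen the user sees: which consumer, which permission, on whose data
        rt = self.request_tokens[token]
        rt.update(user=user, scope=scope)
        return f"Allow consumer {rt['consumer']} {scope} access to {user}'s photos?"
    def access_token(self, params, ttl=3600):
        rt = self.request_tokens.get(params.get("oauth_token"))
        if rt is None or rt["user"] is None:
            raise PermissionError("request token unknown, already used, or not authorized")
        p = self._verify("POST", "/access_token", params, rt["secret"])
        del self.request_tokens[p["oauth_token"]]            # single use: cannot be replayed
        tok, sec = secrets.token_urlsafe(12), secrets.token_urlsafe(24)
        self.access_tokens[tok] = dict(rt, secret=sec, expires=time.time() + ttl)
        return tok, sec
    def get_photos(self, params):
        at = self.access_tokens.get(params.get("oauth_token"))
        if at is None or at["expires"] < time.time():
            raise PermissionError("access token missing or expired")
        self._verify("GET", "/photos", params, at["secret"])
        return list(self.photos[at["user"]])

def run_flow(provider, ttl=3600):
    """Consumer side of the whole flow; returns the photos fetched on the user's behalf."""
    ck, cs = provider.register_consumer()
    rt, rts = provider.request_token(signed_params("POST", provider.base + "/request_token", {}, ck, cs))
    provider.authorize(rt, "alice", "read")               # user approves at the provider's site
    at, ats = provider.access_token(
        signed_params("POST", provider.base + "/access_token", {}, ck, cs, rt, rts), ttl)
    return provider.get_photos(signed_params("GET", provider.base + "/photos", {}, ck, cs, at, ats))
```

Running `run_flow(ToyProvider())` returns alice's photo list; calling it with `ttl=-1` makes the access token expire immediately and the final fetch is refused, and a second exchange of the same request token fails because the provider deleted it on first use. Only the HMAC travels between the parties, so the consumer secret and token secrets stay on their respective sides, and the nonce set plus the timestamp window stop a captured request from being replayed. The 2008 draft this post follows predates the verifier value later added in OAuth 1.0a, so the simulation omits it as well.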