Understanding OAuth (Open Authorization)
OAuth (Open Authorization) is an open protocol that allows users to share protected data held by a service provider with a third party without giving that third party their username and password.
Let’s look more closely at the example of Twitter. If you have a Twitter account and you want to tweet using a third-party application, then that application must be authorised to send tweets. Without OAuth, you would have to give your username and password to the third-party application so it could send tweets from your account. Giving away your username and password to a third party is not good practice, and you can already spot the security problems here.
OAuth is the new way of doing this. You can share your data held by a service provider with a third party without sharing your username and password. You can allow a third-party application to access your Twitter account, and that application can then send tweets and read updates without ever seeing your Twitter username and password.
Working
Before looking at the OAuth workflow you should be familiar with the following terms. They are used in almost all OAuth tutorials.
Service Provider: A web application that allows access via OAuth.
User: An individual who has an account with the Service Provider.
Consumer: A website or application that uses OAuth to access the Service Provider on behalf of the User.
I’m dividing the whole process into three parts. The second part, the authorisation process, is itself divided into four steps.
Part 1
This part covers the initial step of registering the application. First you create an application using any OAuth library. Then you set up your application (the Consumer) on the Service Provider’s website. This process gives you a consumer key and a consumer secret. These two values are unique to your application, and the consumer secret must be stored securely (never embed it in code that ships to end users).
Part 2
Here the User is going to authorise the application. To the User this appears to be just clicking on a link, but several requests and responses happen in the background. This authorisation process is divided into four steps.
Step 1: The User accesses the application. The application makes an HTTP request to the Service Provider asking for a Request Token.
Step 2: The Service Provider returns the Request Token and a Request Token Secret to the application. The application builds an authorisation link using the Request Token. The Request Token Secret is used by the Service Provider to identify the Consumer (application). The link is then displayed to the User.
Step 3: The User authorises the application by clicking on the link. The Service Provider prompts the User to allow the application. If the User allows it, the Service Provider redirects the User back to the application using the callback URL.
Step 4: The OAuth callback passes an Access Token and an Access Token Secret while redirecting to the application. The combination of these two values is used to access the User’s account, so the application can save them in a database for future use, protected like any other credential.
Part 3
Using the User’s tokens the application can start making requests to the API. Before submitting each request, the OAuth library signs the request using both the consumer credentials and the User’s tokens, so the secrets themselves are never sent over the wire.
This is how the OAuth system works. Implementing OAuth in a particular programming language is the next step, which I will explain in another post.
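As an added example (not code from the original post), the signing step from Part 3 written out for OAuth 1.0 with HMAC-SHA1, together with the matching check a Service Provider performs before it trusts a signed request. Keys, tokens, the nonce and the URL used in the usage below are constructed placeholders; the function names are my own, not those of any particular OAuth library.

```python
import base64, hashlib, hmac, secrets, time
from urllib.parse import quote

def pct(value):
    # RFC 3986 percent-encoding: OAuth leaves only unreserved characters unescaped
    return quote(str(value), safe="-._~")

def signature_base_string(method, base_url, params):
    # base_url has no query string; all other params (minus oauth_signature) are sorted after encoding
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(base_url), pct(normalized)])

def compute_signature(method, base_url, params, consumer_secret, token_secret):
    # HMAC-SHA1 keyed with "consumer secret & token secret": the secrets never travel
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    base = signature_base_string(method, base_url, params).encode()
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode()

def sign_request(method, base_url, params, consumer_key, consumer_secret,
                 token, token_secret, nonce=None, timestamp=None):
    # Consumer side (Part 3): returns (Authorization header value, oauth params)
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce or secrets.token_hex(16),  # fresh value per request
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_token": token,
        "oauth_version": "1.0",
    }
    oauth["oauth_signature"] = compute_signature(
        method, base_url, {**params, **oauth}, consumer_secret, token_secret)
    header = "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(oauth.items()))
    return header, oauth

def verify_request(method, base_url, params, oauth, consumer_secret, token_secret,
                   seen_nonces, now=None, max_skew=300):
    # Service Provider side: reject stale timestamps and replays, then check the signature in constant time
    now = now or int(time.time())
    if abs(now - int(oauth["oauth_timestamp"])) > max_skew:
        return False
    nonce_id = (oauth["oauth_consumer_key"], oauth["oauth_nonce"])
    if nonce_id in seen_nonces:
        return False
    unsigned = {k: v for k, v in {**params, **oauth}.items() if k != "oauth_signature"}
    expected = compute_signature(method, base_url, unsigned, consumer_secret, token_secret)
    if not hmac.compare_digest(expected, oauth["oauth_signature"]):
        return False
    seen_nonces.add(nonce_id)
    return True
```

A tampered body, a reused nonce or a stale timestamp all make `verify_request` return False, which is why the provider can accept the request without ever seeing the consumer secret or the access token secret.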
Comments (3)
I am creating a Twitter app. This info is just great. Thanks then.
It’s really helpful...
Thanks...
Very useful...
Thanks...