Aren’t we all, to some extent, too lazy to create accounts with every single website? Don’t we all just want to get it over with and buy what we love before an offer expires on Amazon?
Let me give you an example. Say you want to purchase your favorite brand T-shirt from a website XYZ. Now after you are done with the whole long process of selecting the T-shirt and adding it to the cart, finally, OH finally, you reach the checkout to make the payment. After all this hectic process, what if the website stops you right there and asks you to first create an account with it before proceeding any further? And to create an account you probably have to give your entire life history, your interests, or a lot of other unnecessary details. The worst part is setting up a new password and remembering it. Wouldn’t it have been easier if you could just log in with some other existing account of yours from elsewhere on the web, say Facebook? Or Google?
Enter OAuth. It's an amazing concept that helps make this process a breeze. But not just that.
Now what is OAuth? How is it even pronounced??
Well, Oh-Auth is an authorization protocol that lets users log in to third-party websites using their Google, Facebook, Microsoft, Twitter, etc. accounts without exposing their password and without having to create new accounts with yet another set of passwords. In doing so, they can also give the requesting website access to their information held by these providers, after granting suitable permissions. And many people, maybe including you, have a tendency to reuse their bank account password on other websites. With OAuth you don’t have to worry about that. Isn’t that convenient?
How does it help?
OAuth has tons of advantages. One of them is not having to create a new account with every website. Also, it lets you give another website access to your details without you having to share your identity!
This concept has three main parties involved.
- OAuth Client: the application that wants to access the user’s data. In this case, XYZ.
- OAuth/Resource Provider: providers like Facebook, Google, Twitter, Microsoft, LinkedIn etc.
- Resource Owner: the end user. That’s us!!!
So, do you get the picture now? OAuth acts as a mediator by notifying the Resource Provider that the Resource Owner (e.g. you) grants an OAuth Client (say website XYZ) access to their information (e.g. the list of your friends).
How does it work?
The user is first sent to the External Provider (e.g. Facebook, Google etc.), where they log in and approve the permissions the client asks for. After authorizing the user with adequate permissions, the provider redirects the user back to the client app through its registered redirect (callback) URL, adding an authorization code to that URL. The client app then exchanges this authorization code with the provider for an access token. Now the user is logged in on the client website, and the client uses the access token to make calls to the provider’s API for the user’s protected resources until the token expires.
Alright!! Now how do you make an application use OAuth?
Well first things first! Register your app with the OAuth Provider. It’s easy. A few simple steps and you are good to go!
Let’s see the example for registering apps with Facebook.
Go to the Facebook Developers Link: https://developers.facebook.com/apps/
Go to My Apps --> Add New App
The next step is retrieving the App Id and App Secret that Facebook, or whichever Resource Provider you use, provides you with. This info is unique to an application and is stored in the respective Startup File in your application code; the App Secret belongs on your server only, never in client-side code or a public repository. Now when Facebook gets an access request from your website, it authenticates your application against this App Id and App Secret.
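To make the flow under "How does it work?" and the role of the App Id/App Secret from the registration steps above concrete, here is an added example (not code from the original post, and not any provider's real API). It simulates both sides of the authorization code flow in plain Python: a toy provider that issues a one-time code only to the registered redirect URL, a toy client that exchanges the code for an access token using its App Id and App Secret, and an API call that returns only the fields the granted permissions cover. All App Ids, secrets, URLs and the user record are constructed placeholders.

```python
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed stand-ins for what the provider hands out at "Add New App".
# The App Id, App Secret and URLs are placeholders, not real credentials.
PROVIDER_AUTHORIZE_URL = "https://provider.example/oauth/authorize"
REGISTERED_APPS = {
    "xyz-app-id-placeholder": {
        "secret": "xyz-app-secret-placeholder",
        "redirect_uri": "https://xyz.example/oauth/callback",
    }
}
# Constructed resource owner record held by the provider.
USER = {"name": "Ada", "birthday": "1815-12-10", "friends": ["Charles"]}


def _query(url):
    """Flatten the query string of a URL into a plain dict."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


class Provider:
    """Toy OAuth/Resource Provider: issues codes, swaps them for tokens, serves the API."""

    def __init__(self):
        self._codes = {}   # code  -> (client_id, redirect_uri, scopes)
        self._tokens = {}  # token -> (scopes, expiry time)

    def authorize(self, url):
        """The resource owner has clicked 'Allow' on the consent screen."""
        q = _query(url)
        app = REGISTERED_APPS.get(q.get("client_id"))
        # Only the redirect URL registered for this App Id may receive the code.
        if app is None or q.get("redirect_uri") != app["redirect_uri"]:
            raise PermissionError("unknown client or unregistered redirect_uri")
        code = secrets.token_urlsafe(16)
        self._codes[code] = (q["client_id"], q["redirect_uri"], q.get("scope", "").split())
        # Send the browser back to the client with the code and its own state echoed.
        return app["redirect_uri"] + "?" + urlencode({"code": code, "state": q["state"]})

    def token(self, client_id, client_secret, code, redirect_uri):
        """Back-channel exchange: code + App Id + App Secret -> access token."""
        app = REGISTERED_APPS.get(client_id)
        if app is None or not hmac.compare_digest(client_secret, app["secret"]):
            raise PermissionError("client authentication failed")
        entry = self._codes.pop(code, None)  # codes are single-use
        if entry is None or entry[0] != client_id or entry[1] != redirect_uri:
            raise PermissionError("invalid authorization code")
        token = secrets.token_urlsafe(24)
        self._tokens[token] = (entry[2], time.time() + 3600)
        return {"access_token": token, "token_type": "bearer", "expires_in": 3600}

    def api_me(self, token, fields):
        """Return only the requested fields that the token's permissions cover."""
        entry = self._tokens.get(token)
        if entry is None or entry[1] < time.time():
            raise PermissionError("expired or unknown token")
        scopes, _ = entry
        return {f: USER[f] for f in fields if f in scopes and f in USER}


class Client:
    """Toy OAuth Client (website XYZ) using the authorization code flow."""

    def __init__(self, provider, client_id, client_secret, redirect_uri):
        self.provider = provider
        self.client_id, self.client_secret = client_id, client_secret
        self.redirect_uri = redirect_uri
        self._pending = set()  # states handed to browsers that have not come back yet

    def login_url(self, scopes):
        state = secrets.token_urlsafe(16)  # ties the callback to the session that started it
        self._pending.add(state)
        return PROVIDER_AUTHORIZE_URL + "?" + urlencode({
            "response_type": "code", "client_id": self.client_id,
            "redirect_uri": self.redirect_uri, "scope": " ".join(scopes), "state": state})

    def handle_callback(self, url):
        q = _query(url)
        if q.get("state") not in self._pending:
            raise PermissionError("state mismatch: this callback was not started here")
        self._pending.discard(q["state"])
        return self.provider.token(self.client_id, self.client_secret, q["code"], self.redirect_uri)


def _new_client(provider):
    app_id = "xyz-app-id-placeholder"
    app = REGISTERED_APPS[app_id]
    return Client(provider, app_id, app["secret"], app["redirect_uri"])


def run_flow(scopes=("name", "birthday"), fields=("name", "birthday", "friends")):
    """Walk the whole exchange and return what the client learned about the user."""
    provider = Provider()
    client = _new_client(provider)
    callback = provider.authorize(client.login_url(scopes))  # browser: consent, then redirect
    tokens = client.handle_callback(callback)                # client: check state, swap code
    return provider.api_me(tokens["access_token"], fields)  # client: call the provider API


def forged_callback_rejected():
    """A callback carrying a state the client never issued is refused."""
    client = _new_client(Provider())
    try:
        client.handle_callback(client.redirect_uri + "?code=anything&state=not-ours")
    except PermissionError:
        return True
    return False


def code_is_single_use():
    """Replaying an already-exchanged authorization code fails at the provider."""
    provider = Provider()
    client = _new_client(provider)
    callback = provider.authorize(client.login_url(["name"]))
    client.handle_callback(callback)
    try:
        provider.token(client.client_id, client.client_secret, _query(callback)["code"], client.redirect_uri)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    print(run_flow())  # friends is left out: it was never granted
```

Two details worth noticing: the `state` value the client generates is checked when the browser returns, so a callback that the client did not itself start is dropped, and the App Secret is only ever sent on the direct client-to-provider token exchange, never through the user's browser. Real providers add more (HTTPS, PKCE, refresh tokens), but the shape of the exchange is the one described above.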
That’s it! OAuth can do much more than just retrieve a user’s basic information. It’s amazing, the features OAuth provides, and luckily I had the opportunity to work with it at my internship at Exsilio Solutions, Irvine, which involved gathering many application-specific details of the user from many different OAuth providers. The app can be programmed in a way to extract only certain specific information like the birthday or the gender, and much more.
So there you go! That’s OAuth in a nutshell!
By: Aswathy Radhakrishnan Nair (Intern at Exsilio)