Click here to Skip to main content
65,938 articles
CodeProject is changing. Read more.
Articles / OAuth

OAuth Basics

4.29/5 (8 votes)
20 Aug 2012CPOL3 min read 19.5K  
An introduction to the basics of OAuth.

This sure looks like a Branded Car Logo . . . Isn't it.

No, this represents the new authentication mechanism on which most of the sites are working today.

OAuth - Open Authentication

I love Valet key example. Many luxury cars come with a valet key. It is a special key you give the parking attendant and unlike your regular key, will only allow the car to be driven a short distance while blocking access to the trunk and the onboard cell phone. Regardless of the restrictions the valet key imposes, the idea is very clever. You give someone limited access to your car with a special key, while using another key to unlock everything else.

In this example, original Key is the original credentials, with which the third party can do anything and everything. Valet key is a temporary credentials with which third party user can do a designated task only with in a short span of time.

Lets look at different roles in OAuth.

  • Resource Owner - The one holds the account and credentials. Typically a User can be considered as a Resource Owner.
  • Client - The third party app/service who want to use resources of Resource Owner / User.
  • Server - The party with which Resource Owner holds an Account.

To understand the roles better, let me give you a better example.

I logged into "youtube.com", watched a video, to be specific "Expendables2 Trailer". Liked it and want to share it on Facebook with my friends.

Clicked the share button at bottom of video on Youtube and this is what i see.

Clicking on the FB button, I will get a window asking for Facebook credentials.

Once i gave my credentials, I will be redirected another widow where i can modify the content and publish it on my Facebook wall.

Now re-look at the roles and see who is who.

  • Resource Owner - Its me, holding the account with Facebook.
  • Client -  Youtube.com is the client from which i want to utilize the service.
  • Server - Facebook with which I am holding the account.

What happened behind the scene? and Where does OAuth came into picture?

We need to consider two facts here:

  • #1. Due to security reasons, Facebook doesn't want to share the actual user credentials with any other third party.
  • #2. Without any authentication, Youtube cannot publish a video on my Facebook wall.

In this kind of scenario, OAuth will come into picture. 

  • When I try to share the video from YouTube, it will redirect me to Facebook 
  • I will authenticate to Facebook server and Facebook being OAuth enabled, its API will supply a temporary security token with limited scope of access which is valid for a short period of time.
  • Using this security token, YouTube will publish the Video on fb wall on my behalf.

OAuth represents the combined wisdom of many proprietary industry protocols, such as Google AuthSub, Yahoo BBAuth, and Flickr API.

The current version of OAuth is 2.0 which we will discuss briefly in next post.

Hope this helped in getting a basic know-how's of OAuth. 

Is it helpful for you? Kindly let me know your comments / questions.

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)