Wikipedia

_"OAuth is an open standard for authorization. It allows users to share their private resources (e.g. photos, videos, contact lists) stored on one site with another site without having to hand out their credentials, typically supplying username and password tokens instead. Each token grants access to a specific site (e.g., a video editing site) for specific resources (e.g., just videos from a specific album) and for a defined duration (e.g., the next 2 hours). This allows a user to grant a third party site access to their information stored with another service provider, without sharing their access permissions or the full extent of their data."_

Source: Wikipedia
Authorization

_"The process of authorization is distinct from that of authentication. Whereas authentication is the process of verifying that "you are who you say you are", authorization is the process of verifying that "you are permitted to do what you are trying to do". Authorization thus presupposes authentication."_

Source: Wikipedia
Origin

OAuth started in November 2006 when Twitter looked into attaching OpenID (decentralized authentication) to their public API. Discussions concluded _"that there were no open standards for API access delegation."_
Users

From a user standpoint OAuth provides a way of using applications without giving away the personal username and password to service providers. Facebook Apps are probably the most recognized example of OAuth applications.

The user:

- Starts the client application
- If not already done, authorizes the request

OAuth also allows for scoping by listing the privileges that an application will get if the user authorizes the request. E.g. read your email, post as you...

It is up to the user to authorize the entire scope (all privileges), or to not authorize the request.
Developers

From an app developer perspective, the flow is something like this:

- Create an account at the Service Provider
- Register your client application at the Service Provider

The Service Provider provides a client id and client secret:

CLIENT ID: a8427e34273a4aeea67792e34d020771
CLIENT SECRET: 9b3b93a9c08f400cb066c8848d0b4bad

When you want data from the Service Provider, you make a request to the service using your client id:

```
curl "https://api.instagram.com/v1/media/popular?client_id=a8427e34273a4aeea67792e34d020771"
```

The command above uses the media/popular endpoint and the provided client_id to get JSON data about popular media. (The URL is quoted so the shell does not interpret the `?` in the query string.)
Scoping

Which data is accessible by authenticating with a client id alone is determined by the Service Provider.

Instagram: _"For the most part, Instagram’s API only requires the use of a client_id. A client_id simply associates your server, script, or program with a specific application. However, some requests require authentication - specifically requests made on behalf of a user."_

Making API calls on behalf of an Instagram user requires an access token.
Access tokens

The only way for a client application to obtain an access token is to have the user authorize the application with the provided scope (granting privileges).

The process starts with a client application request to the authorization server, providing client id, secret and a redirect url. The server appends the code and redirects to an authorization dialog.

- If the user is not logged in, he or she will be asked to authenticate
- If the user has not authorized the application, he or she will be asked to do so

The user is then redirected to the redirection url provided in the first request.

Here two things can happen...
Server side or Implicit

Either the redirection url leads to a server controlled by the client application developer that takes the provided code parameter and exchanges it for an access token by posting the code to an access token url. This is referred to as the server side flow.

or

The access token is appended as a fragment in the redirection URL. This method allows applications without any server component to receive an access_token with ease. It is used by my demo application and is being referred to as the implicit flow.

A user can at any time explicitly revoke an authorization and render the obtained access token useless. Some Service Providers, such as Facebook, also invalidate access tokens after a certain time.
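The two redirect outcomes just described (code in the query string for the server side flow, token in the fragment for the implicit flow), together with the scope and revocation behaviour from the earlier slides, as a small in-memory model. This is an added example written for this page, not the demo application or any Service Provider's code; the client registration, user name, redirect URL and the `authorize`/`exchange`/`resource` helper names are all constructed for illustration.

```python
"""Toy OAuth 2.0 authorization server plus the two client-side redirect
parsers. Added example; every identifier below is constructed."""
import secrets
import time
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed sample registration, as a Service Provider would issue it.
REGISTERED_CLIENTS = {
    "demo-client": {
        "secret": "demo-secret",
        "redirect_uris": {"https://client.example/callback"},
    },
}

CODE_TTL = 60          # seconds an authorization code stays valid
TOKEN_TTL = 2 * 3600   # seconds an access token stays valid ("the next 2 hours")


class AuthorizationServer:
    def __init__(self):
        self._codes = {}    # code  -> (client_id, redirect_uri, scope, user, expiry)
        self._tokens = {}   # token -> (user, scope, expiry)

    def authorize(self, client_id, redirect_uri, scope, user, response_type, now=None):
        """Runs after the user has authenticated and approved the scope.
        Returns the URL the user agent is redirected to."""
        now = time.time() if now is None else now
        client = REGISTERED_CLIENTS.get(client_id)
        # Only a redirect URI registered for this client may receive the code or
        # token; otherwise the credential could be delivered to an unrelated site.
        if client is None or redirect_uri not in client["redirect_uris"]:
            raise ValueError("unknown client or unregistered redirect_uri")
        if response_type == "code":        # server side flow
            code = secrets.token_urlsafe(16)
            self._codes[code] = (client_id, redirect_uri, scope, user, now + CODE_TTL)
            return redirect_uri + "?" + urlencode({"code": code})
        if response_type == "token":       # implicit flow
            # The fragment stays in the browser; it is never sent to the
            # redirect server, so a pure client-side app can read the token.
            token = self._issue_token(user, scope, now)
            return redirect_uri + "#" + urlencode(
                {"access_token": token, "token_type": "bearer", "scope": scope})
        raise ValueError("unsupported response_type")

    def exchange(self, client_id, client_secret, code, redirect_uri, now=None):
        """Server side flow: the client's backend posts the code together with
        its secret to the access token url and receives an access token."""
        now = time.time() if now is None else now
        client = REGISTERED_CLIENTS.get(client_id)
        if client is None or not secrets.compare_digest(client["secret"], client_secret):
            raise PermissionError("invalid client credentials")
        entry = self._codes.pop(code, None)   # pop: a code is single use
        if entry is None:
            raise PermissionError("unknown or already used code")
        code_client, code_redirect, scope, user, expiry = entry
        if code_client != client_id or code_redirect != redirect_uri or now > expiry:
            raise PermissionError("code does not belong to this client/redirect or expired")
        return {"access_token": self._issue_token(user, scope, now),
                "token_type": "bearer", "scope": scope}

    def _issue_token(self, user, scope, now):
        token = secrets.token_urlsafe(24)
        self._tokens[token] = (user, scope, now + TOKEN_TTL)
        return token

    def revoke(self, token):
        """Explicit user revocation renders the token useless immediately."""
        self._tokens.pop(token, None)

    def resource(self, token, required_scope, now=None):
        """A call made on behalf of a user: valid, unexpired token with the
        needed privilege returns data, anything else returns None."""
        now = time.time() if now is None else now
        entry = self._tokens.get(token)
        if entry is None:
            return None
        user, scope, expiry = entry
        if now > expiry or required_scope not in scope.split():
            return None
        return {"user": user, "scope": required_scope}


def code_from_redirect(url):
    """Server side flow: the code arrives in the query string."""
    return parse_qs(urlparse(url).query)["code"][0]


def token_from_fragment(url):
    """Implicit flow: the token arrives in the fragment."""
    return parse_qs(urlparse(url).fragment)["access_token"][0]


if __name__ == "__main__":
    srv = AuthorizationServer()
    url = srv.authorize("demo-client", "https://client.example/callback",
                        "read_email", "alice", "code")
    grant = srv.exchange("demo-client", "demo-secret", code_from_redirect(url),
                         "https://client.example/callback")
    print(srv.resource(grant["access_token"], "read_email"))
```

The checks that matter for a defender are the ones the page's flow implies but rarely spells out: the redirect URI must be pre-registered, a code is bound to the client and redirect URI that requested it and can be exchanged exactly once before it expires, and every API call on behalf of a user is checked against the scope the user actually approved, so "read your email" never lets the application "post as you".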
OAuth 2.0

_"OAuth 2.0 is the next evolution of the OAuth protocol and is not backward compatible with OAuth 1.0. OAuth 2.0 focuses on client developer simplicity while providing specific authorization flows for web applications, desktop applications, mobile phones, and living room devices. The specification is being developed within the IETF OAuth WG and was expected to be finalized by the end of 2010 according to Eran Hammer. However, due to discording views about the evolution of OAuth, Hammer left the working group"_

_"Facebooks new Graph API only supports OAuth 2.0 and is the largest implementation of the emerging standard. As of 2011, both Google and Microsoft had added OAuth 2.0 experimental support to their APIs."_

Source: Wikipedia
Critique

_"When compared with OAuth 1.0, the 2.0 specification is more complex, less interoperable, less useful, more incomplete, and most importantly, less secure."_

Eran Hammer, one of the leaders of the effort, describes how he, and OAuth, failed. [OAuth 2.0 and the Road to Hell]

_"At the core of the problem is the strong and unbridgeable conflict between the web and the enterprise worlds. The OAuth working group at the IETF started with strong web presence. But as the work dragged on (and on) past its first year, those web folks left along with every member of the original 1.0 community. The group that was left was largely all enterprise… and me."_

Source: [OAuth 2.0 and the Road to Hell](http://hueniverse.com/2012/07/oauth-2-0-and-the-road-to-hell/), July, 2012
Service Providers ...

- Dropbox
- Facebook
- Flickr
- Foursquare
- Github
- Google
- Instagram
- Microsoft
- LinkedIn
- Netflix
- Tumblr
- Twitter