What is OAuth?
The "valet key" for the web.
An authorization framework that grants a third-party app limited access to a user's data held by another service.
The user never has to hand his password to the third party.
Requires the user's consent in most flows.
Lets different applications and servers share user data in a controlled way.
Today's systems and applications need to work together by sharing application-specific data, and OAuth is the standard way to do that without sharing credentials.
Who uses OAuth?
Google, Facebook, Twitter, Yahoo! and many more internet giants.
Scenarios for OAuth
Facebook became popular because of third-party apps and games. All of them require you to grant some kind of access to your profile.
Similar third-party apps exist for Twitter and others.
Eg: you can publish your LinkedIn status on Twitter at the same time.
Many sites let you log in with your Facebook, Google or Twitter account.
(Strictly, "log in with X" is authentication layered on top of OAuth, usually OpenID Connect; OAuth itself only authorizes access to data.)
Resource Server (or Resource Provider) is the web site or web services API that hosts the User's protected resources.
Authorization Server is the server that issues access tokens to the client after authenticating the resource owner and obtaining authorization. Often the same deployment as the resource server, but a distinct role.
User (or Resource Owner) is a member of the Resource Provider who wants to share certain resources with a third-party app.
Client (or Consumer Application) is typically a web-based or mobile application that wants to access the User's protected resources on the Resource Server.
Client Credentials are the client ID and client secret (called consumer key and consumer secret in OAuth 1.0) used to authenticate the Client to the Authorization Server.
Tokens: the access token is issued by the authorization server at the client's request; the client presents it to the resource server to access the portion of user data the token's scope allows.
High level flow of OAuth 2.0
The third-party app developer (client) registers on the OAuth service provider (like FB etc.).
He can then add his apps there. He gets an app key/secret (client ID and client secret) for each app he registers.
Whenever a user uses the app, it asks the user for permission to access some of his personal data.
If the user approves, a token is issued to the client app for a limited time.
The client uses the token to access the resource. The token is a bearer credential: whoever holds it can use it, so it must be kept out of URLs, logs and browser-visible places.
Based on the app and use case there are multiple flows (grant types) in OAuth 2. Some of the widely used ones are:
Authorization Code Grant is used when the app has a server side (which can keep a secret) and needs user consent to access his data. Mobile and single-page apps use it too, with PKCE in place of a client secret.
Implicit Grant flow was designed for client-side apps (HTML5 / browser apps) that cannot keep a secret; it returns the access token directly in the redirect URL. It is now deprecated in favour of Authorization Code + PKCE.
Client Credentials Grant is used when the app authenticates with only its own client ID and secret and no user consent is required, e.g. machine-to-machine access to the app's own resources.
OAuth2 request parameters
client_id (identifies the registered app)
client_secret (used in the auth code flow and the client credentials flow; never sent from a browser)
scope (optional; which subset of the user's data is requested)
response_type (in the authorization request) / grant_type (in the token request)
redirect_uri (where the authorization server sends the user back; must match the registered value exactly)
state (random value the client generates and checks on return, binding the response to the user's session)
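The registration, consent, code-for-token exchange and scoped API call described above, carried through end to end. This is an added example, not code from the slides or from any real provider: both sides run in one process with no network, the app name "app.example", the user "alice" and the "photos"/"email" scopes are made up, and the authorization server's token store is read directly by the resource server instead of through a real introspection endpoint.

```python
"""Toy in-process simulation of the OAuth 2.0 Authorization Code grant.
Added example; every name (app.example, alice, the scopes) is constructed."""
import secrets
import time
from urllib.parse import urlencode, urlparse, parse_qs


class AuthorizationServer:
    """The provider side (the 'FB' of the slides): registration, consent, token endpoint."""

    def __init__(self):
        self.clients = {}   # client_id -> {"secret", "redirect_uri"}
        self.codes = {}     # code -> {"client_id", "user", "scope", "redirect_uri", "exp"}
        self.tokens = {}    # access_token -> {"user", "scope", "exp"}

    def register_client(self, redirect_uri):
        """Step 1: the developer registers the app and receives a client ID + secret."""
        client_id, client_secret = secrets.token_urlsafe(8), secrets.token_urlsafe(32)
        self.clients[client_id] = {"secret": client_secret, "redirect_uri": redirect_uri}
        return client_id, client_secret

    def authorize(self, params, user, consent):
        """Steps 2-3: the user is logged in here and approves or denies.
        Returns the redirect URL the browser is sent back to (front channel)."""
        client = self.clients[params["client_id"]]
        if params["redirect_uri"] != client["redirect_uri"]:   # exact match only
            raise ValueError("redirect_uri mismatch")
        if params["response_type"] != "code":
            raise ValueError("unsupported response_type")
        if not consent:
            return client["redirect_uri"] + "?" + urlencode(
                {"error": "access_denied", "state": params["state"]})
        code = secrets.token_urlsafe(16)
        self.codes[code] = {"client_id": params["client_id"], "user": user,
                            "scope": params["scope"], "redirect_uri": params["redirect_uri"],
                            "exp": time.time() + 60}   # codes are short-lived
        return client["redirect_uri"] + "?" + urlencode({"code": code, "state": params["state"]})

    def token(self, grant_type, code, redirect_uri, client_id, client_secret):
        """Step 4: back-channel exchange of the code for an access token."""
        client = self.clients.get(client_id)
        if client is None or not secrets.compare_digest(client["secret"], client_secret):
            return {"error": "invalid_client"}
        if grant_type != "authorization_code":
            return {"error": "unsupported_grant_type"}
        rec = self.codes.pop(code, None)   # pop: a code can be redeemed once
        if (rec is None or rec["exp"] < time.time() or rec["client_id"] != client_id
                or rec["redirect_uri"] != redirect_uri):
            return {"error": "invalid_grant"}
        tok = secrets.token_urlsafe(24)
        self.tokens[tok] = {"user": rec["user"], "scope": rec["scope"], "exp": time.time() + 3600}
        return {"access_token": tok, "token_type": "Bearer", "expires_in": 3600, "scope": rec["scope"]}


class ResourceServer:
    """Step 5: the API only releases data covered by the token's scope."""

    def __init__(self, auth_server):
        self.auth = auth_server
        self.profiles = {"alice": {"photos": ["p1.jpg"], "email": "alice@example.org"}}

    def get(self, resource, bearer):
        tok = self.auth.tokens.get(bearer)
        if tok is None or tok["exp"] < time.time():
            return 401, {"error": "invalid_token"}
        if resource not in tok["scope"].split():
            return 403, {"error": "insufficient_scope"}
        return 200, {resource: self.profiles[tok["user"]][resource]}


def run_flow(user="alice", consent=True):
    """The third-party app's side of the exchange. Returns what it observed."""
    auth, cb = AuthorizationServer(), "https://app.example/cb"
    api = ResourceServer(auth)
    client_id, client_secret = auth.register_client(cb)
    state = secrets.token_urlsafe(16)   # binds the callback to this user session
    req = {"response_type": "code", "client_id": client_id, "redirect_uri": cb,
           "scope": "photos", "state": state}
    qs = parse_qs(urlparse(auth.authorize(req, user, consent)).query)
    if qs["state"][0] != state:       # check state before trusting anything else
        raise ValueError("state mismatch: possible CSRF")
    if "error" in qs:
        return {"error": qs["error"][0]}
    code = qs["code"][0]
    tok = auth.token("authorization_code", code, cb, client_id, client_secret)
    return {"photos": api.get("photos", tok["access_token"]),   # in scope -> 200
            "email": api.get("email", tok["access_token"]),     # not requested -> 403
            "replay": auth.token("authorization_code", code, cb, client_id, client_secret)}


if __name__ == "__main__":
    print(run_flow())
    print(run_flow(consent=False))
```

The points worth noticing are the ones that go wrong in real deployments: the secret is only ever used on the back channel, the code is single-use and expires in a minute, `redirect_uri` is compared for exact equality, and the client refuses the callback when `state` does not match what it generated.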
OAuth 2.0 advantages
Integration of third-party apps with any site: a win-win for the OAuth provider and app developers.
Access can be granted for a limited scope and duration.
Users never need to give their password to a third-party site.
OAuth 2.0 drawbacks
Writing an authorization server is somewhat complex.
Interoperability issues: OAuth 2.0 is a framework, not one fixed protocol, so providers differ in details and a Facebook token only works against Facebook's APIs.
Sometimes, without realising it, a user grants access to far more of his personal profile data than the app needs.
Sometimes bad implementations cause security issues in OAuth 2: for example a loosely validated redirect_uri that leaks the authorization code or token to an attacker's site, or a missing state check that lets an attacker inject his own authorization code into a victim's session (CSRF).
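One concrete instance of the "bad implementation" drawback, as an added illustration that is not from the slides: an authorization server that validates redirect_uri by prefix match against the registered origin, beside the exact-match check the spec requires. The registered URI "https://app.example/cb" and the attacker-controlled URLs are constructed for the example.

```python
"""Weak vs strict redirect_uri validation. Added example; all URLs are made up."""
from urllib.parse import urlsplit

REGISTERED_URIS = {"https://app.example/cb"}   # what the developer registered
REGISTERED_ORIGIN = "https://app.example"       # what a sloppy server might compare against


def redirect_ok_weak(uri):
    """Vulnerable: accepts any URL that merely starts with the registered origin."""
    return uri.startswith(REGISTERED_ORIGIN)


def redirect_ok_strict(uri):
    """Hardened: exact string match against the registered redirect URIs."""
    return uri in REGISTERED_URIS


def actual_host(uri):
    """Where the browser would really be sent (userinfo before '@' is not the host)."""
    return urlsplit(uri).hostname


# Constructed candidates: the first is legitimate, the rest are bypass attempts.
CANDIDATES = [
    "https://app.example/cb",
    "https://app.example.evil.test/cb",        # attacker-owned subdomain of evil.test
    "https://app.example@evil.test/cb",        # userinfo trick; real host is evil.test
    "https://app.example/cb/../other/redir",   # path traversal to another endpoint on the real host
    "http://app.example/cb",                   # scheme downgrade
]


def evaluate():
    """Map each candidate to (weak verdict, strict verdict, real host)."""
    return {u: (redirect_ok_weak(u), redirect_ok_strict(u), actual_host(u)) for u in CANDIDATES}


if __name__ == "__main__":
    for uri, (weak, strict, host) in evaluate().items():
        print(f"{uri:45} weak={weak!s:5} strict={strict!s:5} host={host}")
```

With the weak check, an attacker registers nothing and still gets the authorization code (or, in the implicit flow, the token) delivered to evil.test; the strict check accepts only the registered string, which is also why the client must send exactly that string in both the authorization and token requests.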