OAuth 2.0 Open Protocol Standard for Authorization. Saadhvi Summit. Nirmal Kumar. Date: 2 April 2012 - 4:00 PM IST
OAuth - Overview OAuth is an open standard for authorization. It allows users to share their private resources (e.g. photos, videos, contact lists) stored on one site with another site without handing out their credentials: the other site receives a token with limited rights instead of the user's username and password.
Secure Way to Access User Resources? Is there a secure way for an external application, say WordPress, where you already have an account, to access your Flickr photos and albums? Access user resources (photos, albums etc.)
Secure Way to Access User Resources? Is there a secure way for an external application, say Facebook, where you already have an account, to access your Gmail address book or contact list? Access user contacts from a Gmail account
Should I expose my Credentials? To let Facebook import contacts from a Gmail account, should the user have to hand Facebook their Gmail account credentials? To let an application access Flickr photos and albums, should the user have to hand it their Flickr account credentials? Access user resources (photos, albums etc.)
User Credentials Compromise 1. The third-party application cannot be trusted with the password 2. The password might be misused to access other information in that account, beyond what the application was supposed to read 3. Users reuse the same password across many applications, so one leaked password compromises all of them 4. Changing the password is not propagated to the applications that stored it: they stop working, and changing the password is the only way to revoke any one of them
What the OAuth Standard Provides A way for an application to interact with a service on the user's behalf without requiring the user's account credentials.
The Car Valet Key analogy. Regular key (car owner): full access; the owner gives the valet the necessary access through a separate valet key, and can revoke that access as soon as something looks wrong. Valet key (valet): limited access; the valet cannot do anything beyond what the resource owner authorized.
How this works? (diagram) The User owns Resources held by the API Provider Services; the User authorizes the API Client Application; the Client Application accesses the user's resources through the provider's API.
How this works? (screenshot) Import Contacts from your Google Account
Sample: Twitter - Authorize. The user can revoke an application's access at any time.
How this works? The authorization code flow:
1. The client application redirects the user to the API service provider's authorization endpoint with its client ID, its registered redirect URI and the scope it wants. The client secret is not sent here; it never appears in the user's browser.
2. The provider prompts the user: "Authorize Application X to access your account?". The user can either authorize or reject.
3. If the user authorized, the provider redirects the browser back to the client application with a short-lived authorization code in the URL.
4. The client web application sends this authorization code, together with its client ID and client secret, to the provider's token endpoint, which returns an access token. The code is single-use; only the client that holds the secret can turn it into a token.
5. The client application uses that access token to access the authorized data in the user's account, and nothing outside the granted scope.
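The five steps above, and the revocation shown on the Twitter slide, as an added worked example that is not part of the original talk: an in-memory stand-in for the API provider and for the client application run one complete authorization code exchange. The provider, the client registration ("contact-importer" / "s3cr3t"), the endpoint URLs, the user "alice" and her contacts are all constructed for the example, not real services.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_ENDPOINT = "https://provider.example/authorize"   # hypothetical provider endpoint
REDIRECT_URI = "https://client.example/callback"            # hypothetical client callback


class Provider:
    """In-memory stand-in for the API provider (authorization server plus resource server)."""

    def __init__(self):
        self.clients = {}    # client_id -> client_secret, set when the client registers
        self.codes = {}      # authorization code -> (client_id, user, redirect_uri, scope)
        self.tokens = {}     # access token -> (client_id, user, scope)
        self.contacts = {"alice": ["bob@example.com", "carol@example.com"]}  # constructed user data

    def register_client(self, client_id, client_secret):
        self.clients[client_id] = client_secret

    def authorize(self, query, user, approve):
        """Steps 2-3: validate the request, show 'Authorize X?' to the user, redirect back with a code."""
        p = parse_qs(query)
        client_id, redirect_uri, state = p["client_id"][0], p["redirect_uri"][0], p["state"][0]
        if client_id not in self.clients:
            raise ValueError("unknown client_id")
        if not approve:
            return redirect_uri + "?" + urlencode({"error": "access_denied", "state": state})
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, user, redirect_uri, p["scope"][0])
        return redirect_uri + "?" + urlencode({"code": code, "state": state})

    def token(self, client_id, client_secret, code, redirect_uri):
        """Step 4: exchange a code for a token; requires the client secret, and a code works only once."""
        expected = self.clients.get(client_id)
        if expected is None or not hmac.compare_digest(expected, client_secret):
            return None
        entry = self.codes.pop(code, None)   # pop: a replayed code finds nothing
        if entry is None or entry[0] != client_id or entry[2] != redirect_uri:
            return None
        access_token = secrets.token_urlsafe(24)
        self.tokens[access_token] = (client_id, entry[1], entry[3])
        return access_token

    def get_contacts(self, access_token):
        """Step 5: the token, not the user's password, gates the resource, and only within its scope."""
        entry = self.tokens.get(access_token)
        if entry is None or entry[2] != "contacts.read":
            return None
        return list(self.contacts[entry[1]])

    def revoke_client(self, client_id):
        """Revoking a client (the Twitter 'Revoke access' button) kills every token issued to it at once."""
        self.tokens = {t: v for t, v in self.tokens.items() if v[0] != client_id}


class Client:
    """The third-party application (a contact importer) that wants the user's data."""

    def __init__(self, client_id, client_secret):
        self.client_id, self.client_secret, self.state = client_id, client_secret, None

    def authorization_url(self, scope):
        """Step 1: only client_id goes into the browser-visible URL; the secret never leaves the client."""
        self.state = secrets.token_urlsafe(16)   # ties the callback to this session (CSRF protection)
        return AUTHORIZE_ENDPOINT + "?" + urlencode({
            "response_type": "code", "client_id": self.client_id,
            "redirect_uri": REDIRECT_URI, "scope": scope, "state": self.state})

    def handle_callback(self, provider, redirect_url):
        """Step 4, client side: check state, then send the code plus the secret to the token endpoint."""
        p = parse_qs(urlparse(redirect_url).query)
        if p.get("state", [None])[0] != self.state:
            raise ValueError("state mismatch: callback is not tied to our request")
        if "error" in p:
            return None   # the user rejected the prompt
        return provider.token(self.client_id, self.client_secret, p["code"][0], REDIRECT_URI)


def run_flow(approve=True):
    """Drive one full exchange and return what each step produced, so its properties can be checked."""
    provider = Provider()
    provider.register_client("contact-importer", "s3cr3t")   # hypothetical registered client
    client = Client("contact-importer", "s3cr3t")
    auth_url = client.authorization_url("contacts.read")
    assert "s3cr3t" not in auth_url                          # the secret is not in the redirect
    redirect = provider.authorize(urlparse(auth_url).query, user="alice", approve=approve)
    token = client.handle_callback(provider, redirect)
    if token is None:
        return {"token": None, "contacts": None, "replay": None, "after_revoke": None}
    contacts = provider.get_contacts(token)
    code = parse_qs(urlparse(redirect).query)["code"][0]
    replay = provider.token("contact-importer", "s3cr3t", code, REDIRECT_URI)   # second use of the code
    provider.revoke_client("contact-importer")
    return {"token": token, "contacts": contacts, "replay": replay,
            "after_revoke": provider.get_contacts(token)}


if __name__ == "__main__":
    print(run_flow(approve=True))
    print(run_flow(approve=False))
```

Running it shows the three properties the slides rely on: the client reads the contacts with a token and never sees the password, the same authorization code cannot be exchanged twice, and revoking the client makes its token useless without the user changing anything else.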
OAuth Benefits 1. Can be integrated in web, mobile and other home devices 2. No more sharing of passwords or user credentials with other applications -> the client never holds the user's password, so a breach at the client does not expose it 3. Developers just need to implement a redirect and a POST request -> flexible for developers 4. Users can revoke access tokens for specific clients at any time 5. Nefarious clients can have their credentials revoked and all associated access tokens destroyed immediately