What is Open Authentication (OAuth)

Posted by David Estes on Apr 04, 2012

Many people are confused about what the purpose of Open Authentication (OAuth) is, and why it seems so complicated. Having done some research on this very topic, I thought I would provide a basic summary of Open Authentication.

The purpose of OAuth is to allow a web-site to access data from, or provide data to, another web-site securely. A good example of this use case is twitter. Let's say I wanted to make a web app that posted updates to a user's twitter account. In the past, to do this, the app would have had to collect the user's twitter account information and store it securely for making future posts. With OAuth, this process goes out the window: you no longer need to store the user's account name and password, which makes securing data a lot less stressful.

Instead of permanently storing the user's account information, my web app asks twitter for permission to use your account. From the user's point of view, they are directed to twitter.com and prompted to log in. After they have logged in, they are asked whether they want to grant permission to "PostMyTweets.com". Once the user gives the web app permission, they are sent back to the site. A lot more happens in the background, but in the end we store something called an Access Token. This token is unique to your twitter user account and unique to PostMyTweets.com: it grants PostMyTweets.com, and only PostMyTweets.com, permission to access your twitter account. So instead of storing your account name and password, which could theoretically be stolen and used by anyone, we store an access token. Even if this access token were stolen, the thief couldn't really use it, because they are not PostMyTweets.com.
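To make the flow above concrete, here is an added Python sketch (not code from this post, and not twitter's real API) that models the three parties: the provider the user already has an account with, the app asking for access, and the access token that ties the two together. The names PostMyTweets.com, OtherApp.example and alice, the one-time code, and the HMAC signing scheme are all constructed for the example; the point it demonstrates is that the app never sees the user's password, and that a token lifted from the app is refused when presented by anyone who cannot prove they are that app.

```python
import hmac
import hashlib
import secrets


def sign(client_secret, token_secret, token, body):
    # Request signature in the spirit of OAuth 1.0a: the key combines the
    # app's own secret with the token's secret, so a bare token is not enough.
    key = f"{client_secret}&{token_secret}".encode()
    return hmac.new(key, f"{token}\n{body}".encode(), hashlib.sha256).hexdigest()


class Provider:
    """Stand-in for the service the user has an account with (twitter in the post)."""

    def __init__(self):
        self.clients = {}   # client_id -> client_secret, issued at app registration
        self.codes = {}     # one-time code -> (user, client_id) after user consent
        self.tokens = {}    # access token -> (user, client_id, token_secret)
        self.posts = []     # (user, client_id, body) for every accepted post

    def register_client(self, client_id):
        self.clients[client_id] = secrets.token_hex(16)
        return self.clients[client_id]

    def authorize(self, user, client_id, approved):
        # The user logs in here and sees "grant permission to <client_id>?".
        # Their password never leaves this service.
        if client_id not in self.clients or not approved:
            return None
        code = secrets.token_urlsafe(16)
        self.codes[code] = (user, client_id)
        return code  # carried back to the app on the redirect

    def exchange(self, code, client_id, client_secret):
        # Only the app the user approved, proving it holds its secret, may redeem the code.
        user, bound_client = self.codes.pop(code, (None, None))
        if user is None or bound_client != client_id:
            return None
        if not hmac.compare_digest(self.clients.get(client_id, ""), client_secret):
            return None
        token, token_secret = secrets.token_urlsafe(16), secrets.token_hex(16)
        self.tokens[token] = (user, client_id, token_secret)
        return token, token_secret

    def post(self, token, client_id, body, signature):
        entry = self.tokens.get(token)
        if entry is None:
            return False
        user, bound_client, token_secret = entry
        if bound_client != client_id:
            return False  # token was issued to a different app
        expected = sign(self.clients[client_id], token_secret, token, body)
        if not hmac.compare_digest(expected, signature):
            return False  # caller does not hold that app's secret
        self.posts.append((user, client_id, body))
        return True


class ClientApp:
    """Stand-in for PostMyTweets.com: keeps access tokens, never the user's password."""

    def __init__(self, name, provider):
        self.name = name
        self.provider = provider
        self.client_secret = provider.register_client(name)
        self.tokens = {}  # user -> (token, token_secret) is all the app stores

    def connect(self, user, approved=True):
        code = self.provider.authorize(user, self.name, approved)
        creds = self.provider.exchange(code, self.name, self.client_secret) if code else None
        if creds is None:
            return False
        self.tokens[user] = creds
        return True

    def post(self, user, body):
        token, token_secret = self.tokens[user]
        sig = sign(self.client_secret, token_secret, token, body)
        return self.provider.post(token, self.name, body, sig)


def demo():
    provider = Provider()
    app = ClientApp("PostMyTweets.com", provider)
    results = {"connected": app.connect("alice")}
    results["legit_post"] = app.post("alice", "hello from PostMyTweets")
    results["declined_consent"] = app.connect("bob", approved=False)

    # Constructed theft scenario: another registered app obtains alice's token
    # and even its token secret, but not PostMyTweets.com's client secret.
    thief = ClientApp("OtherApp.example", provider)
    token, token_secret = app.tokens["alice"]
    forged = sign(thief.client_secret, token_secret, token, "spam")
    results["stolen_token_other_app"] = provider.post(token, thief.name, "spam", forged)
    # Claiming to be PostMyTweets.com without its secret fails the signature check.
    results["stolen_token_impersonation"] = provider.post(token, app.name, "spam", forged)
    results["posts_recorded"] = len(provider.posts)
    return results


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows one accepted post from the approved app, no token issued when the user declines, and both misuse attempts rejected. The binding to the app comes from two checks the provider makes on every request: the token's recorded client_id must match the caller, and the signature must have been produced with that client's secret.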

OAuth is a growing standard being adopted by a lot of web service providers. By adopting a standard like OAuth, you bring interconnectivity with other web-sites to the user. Before innovations of this kind, a user would typically want one application that did everything they needed, so that their data was accessible in everything they did. Now a company can develop a product that serves one smaller purpose, but performs that service masterfully without being limited to its own set of data.

In future posts, I will try to expand on the more technical aspects of OAuth and explain why things are set up the way they are.