There are a lot of websites that use our Twitter or Facebook credentials to create a user account. OAuth allows service providers on the web to exchange data safely. So how does it work?
OAuth allows you to share your private resources (photos, videos, contact list, bank accounts) stored on one site with another site without having to hand out your user name and password to anyone on the web.
OAuth in Action
Let us take a look at a sample website that uses OAuth. Twitpic is a photo sharing service that allows us to create accounts using our Twitter login credentials.
Clicking the ‘Sign in with Twitter’ button will redirect you to the Twitter home page. You will need to grant Twitpic access to your Twitter data so that Twitpic can create a user account for you.
Twitter will redirect you to Twitpic if you grant Twitpic access to your Twitter account.
How does OAuth Work?
Before we delve into the inner workings of OAuth we need to familiarize ourselves with some OAuth terminology.
- Service Provider – the Service Provider controls all aspects of the OAuth implementation. The Service Provider is the term used to describe the website or web-service where the restricted resources are located. It can be a photo sharing site where users keep albums, an online bank service, a microblogging site, or any other service where ‘user’s private stuff’ is kept. OAuth does not mandate that the Service Provider will also be the identity provider which means the Service Provider can use its own usernames and passwords to authenticate users, or use other systems such as OpenID.
- User – the user is why OAuth exists; without users, there is no need for OAuth. Users have ‘stuff’ they don’t want to make public on the Service Provider, but they do want to share it with another site. In OAuth, the protocol cannot proceed without manual interaction with the user at least once to receive permission to grant access.
- Consumer – this is a fancy name for an application trying to access the User’s resources. This can be a website, a desktop program, a mobile device, a set-top box, or anything else connected to the web. The Consumer is the one getting permission to access resources and the Consumer is where the useful part of OAuth happens. OAuth defines ‘Consumer Developer’ as the entity writing code to interact with the Service Provider. ‘Consumer Key’ and ‘Consumer Secret’ will be explained later.
- Protected Resources – the ‘stuff’ OAuth protects and allows access to. This can be data (photos, documents, contacts), activities (posting a blog item, transferring funds) or any URL with a need for access restrictions.
- Tokens – are used instead of User credentials to access resources. A Token is generally (but not necessarily) a random string of letters and numbers that is unique, hard to guess, and paired with a Secret to protect the Token from being abused. OAuth defines two different types of Tokens: Request and Access. These are explained later in greater detail.
These are the mechanics that happen behind the scenes when you grant Twitpic access to your Twitter account.
1. Consumer Registration
Consumers need to register themselves with the service provider. The service provider will create a ‘Consumer Key’ and a ‘Consumer Secret’ that the consumer can use to request access to the service provider. Twitpic is the consumer, and Twitter is the service provider. Twitter will provide Twitpic with a ‘Consumer Key’ and ‘Consumer Secret’ that Twitpic can use to request access to Twitter.
2. User granting access to the consumer
The consumer creates an OAuth request and redirects you to your service provider’s site. You need to log in to your service provider’s site and grant read (or perhaps write) access to your protected resources. Your service provider will give an ‘Access Token’ to the consumer. The consumer uses this ‘Access Token’ to access your protected resources. Twitpic redirects its user to Twitter. Twitter will give an access token to Twitpic to access the user’s Twitter data.
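The two steps above, simulated end to end as an added example (this is not code from the original post, nor Twitpic’s or Twitter’s implementation): both sides of the OAuth 1.0 exchange run in one Python process, so you can see the Consumer Key/Secret issued at registration, the temporary Request Token, the user’s authorization, the Access Token, and finally a signed request for a protected resource. The class names, URLs, the user ‘alice’ and her photos are assumptions made up for illustration; the request signing follows the standard OAuth 1.0 HMAC-SHA1 method (RFC 5849).

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote


def percent_encode(s):
    # OAuth 1.0 uses RFC 3986 encoding with only unreserved characters left alone
    return quote(str(s), safe="~")


def sign(method, url, params, consumer_secret, token_secret=""):
    """HMAC-SHA1 signature over the normalized request (RFC 5849 section 3.4)."""
    pairs = sorted((percent_encode(k), percent_encode(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    base = "&".join([method.upper(), percent_encode(url), percent_encode(normalized)])
    key = f"{percent_encode(consumer_secret)}&{percent_encode(token_secret)}"
    return base64.b64encode(hmac.new(key.encode(), base.encode(), hashlib.sha1).digest()).decode()


class ServiceProvider:
    """Plays the Twitter role: holds the user's data and issues all keys and tokens."""

    def __init__(self):
        self.consumers = {}        # consumer key -> consumer secret (step 1)
        self.request_tokens = {}   # temporary tokens awaiting user approval
        self.access_tokens = {}    # long-lived tokens bound to a user
        self.resources = {"alice": ["photo1.jpg", "photo2.jpg"]}  # constructed sample data

    def register_consumer(self, name):
        key, secret = f"{name}-key-{secrets.token_hex(4)}", secrets.token_hex(16)
        self.consumers[key] = secret
        return key, secret

    def _verify(self, method, url, params, token_secret=""):
        params = dict(params)
        presented = params.pop("oauth_signature", "")
        consumer_secret = self.consumers.get(params.get("oauth_consumer_key"))
        if consumer_secret is None:
            raise PermissionError("unknown consumer")
        expected = sign(method, url, params, consumer_secret, token_secret)
        if not hmac.compare_digest(expected, presented):
            raise PermissionError("bad signature")  # wrong secret or tampered request
        return params

    def request_token(self, method, url, params):
        params = self._verify(method, url, params)
        token, secret = secrets.token_hex(8), secrets.token_hex(16)
        self.request_tokens[token] = {"secret": secret, "verifier": None, "user": None}
        return token, secret

    def authorize(self, token, user):
        # The user logs in *here*, at the provider, and clicks "allow"; the consumer never sees the password
        entry = self.request_tokens[token]
        entry["user"], entry["verifier"] = user, secrets.token_hex(4)
        return entry["verifier"]

    def access_token(self, method, url, params):
        entry = self.request_tokens.get(params.get("oauth_token"))
        if entry is None or entry["verifier"] is None:
            raise PermissionError("request token not authorized by a user")
        params = self._verify(method, url, params, entry["secret"])
        if not hmac.compare_digest(entry["verifier"], params.get("oauth_verifier", "")):
            raise PermissionError("bad verifier")
        del self.request_tokens[params["oauth_token"]]  # request tokens are single use
        token, secret = secrets.token_hex(8), secrets.token_hex(16)
        self.access_tokens[token] = {"secret": secret, "user": entry["user"]}
        return token, secret

    def protected_resource(self, method, url, params):
        entry = self.access_tokens.get(params.get("oauth_token"))
        if entry is None:
            raise PermissionError("unknown access token")
        self._verify(method, url, params, entry["secret"])
        return self.resources[entry["user"]]


class Consumer:
    """Plays the Twitpic role: knows only its key/secret and whatever tokens the provider hands it."""

    def __init__(self, key, secret):
        self.key, self.secret = key, secret

    def signed_params(self, method, url, extra, token=None, token_secret=""):
        params = {"oauth_consumer_key": self.key, "oauth_nonce": secrets.token_hex(8),
                  "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": str(int(time.time())),
                  "oauth_version": "1.0", **extra}
        if token:
            params["oauth_token"] = token
        params["oauth_signature"] = sign(method, url, params, self.secret, token_secret)
        return params


def run_flow(user="alice"):
    sp = ServiceProvider()
    consumer = Consumer(*sp.register_consumer("twitpic"))                # 1. consumer registration
    url = "https://provider.example/oauth/request_token"                  # 2a. temporary request token
    rt, rt_secret = sp.request_token("POST", url, consumer.signed_params(
        "POST", url, {"oauth_callback": "https://consumer.example/cb"}))
    verifier = sp.authorize(rt, user)                                     # 2b. user grants access at the provider
    url = "https://provider.example/oauth/access_token"                   # 2c. trade request token for access token
    at, at_secret = sp.access_token("POST", url, consumer.signed_params(
        "POST", url, {"oauth_verifier": verifier}, rt, rt_secret))
    url = "https://provider.example/photos"                               # 2d. read protected resources
    return sp.protected_resource("GET", url, consumer.signed_params("GET", url, {}, at, at_secret))


def forged_request_rejected():
    # A party that knows a consumer key but not its secret cannot even obtain a request token
    sp = ServiceProvider()
    key, _ = sp.register_consumer("twitpic")
    rogue = Consumer(key, "guessed-secret")
    url = "https://provider.example/oauth/request_token"
    try:
        sp.request_token("POST", url, rogue.signed_params("POST", url, {}))
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    print(run_flow())
```

Notice that the user’s password is typed only inside `authorize`, on the provider’s side, and that the consumer ends up holding an access token plus token secret rather than credentials; revoking that token at the provider cuts the consumer off without a password change. To keep the example short, the provider does not track nonces and timestamps to reject replayed requests, which a real deployment must do.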
What should we do when a service provider does not use OAuth and asks for our Twitter or Facebook credentials? There is no right answer for this. We need to make a good judgement call on whether we can trust the service provider.
We can also look out for privacy seals. Organisations that display privacy seals on their websites have been certified by third-party experts to be adopting security or privacy practices that help keep you safe and informed online. Some organisations, such as VeriSign, Trust-e and BBBOnline, sell trust seals to online merchants.