OAuth 2.0… basics you need to know…

OAuth 2.0

Before jumping straight into OAuth, let me ask you a question (maybe rewind yourself 2-3 years, because in the last 2-3 years almost every popular site you interact with has implemented OAuth).

How many of you have given your Facebook/Gmail/Yahoo password to another site such as SlideShare or Zomato?
If your answer is yes, that is a bad thing. Sharing passwords is wrong: you are giving SlideShare, or any other third-party application, access to your full Gmail account, not just the one thing it needed.

Necessity and Birth of oAuth

With new applications (mobile/web) growing day by day, at some point we have to register with each one. To make the user's life easy (no new password to remember :D), app providers offered a way to log in to their applications via Google/Facebook/Twitter. Before OAuth, this meant the user handed their Gmail/Twitter/Facebook username and password to the third-party provider.

This is a huge security risk. Once you have handed over your Gmail ID and password, the third party has access to your entire Gmail account: it can read, send and delete mail without asking you again, and the only way to take that access back is to change your password.

So there is a need to sign in to other apps with a Facebook/Gmail/Twitter account without sharing the username/password.

That need led to the development of OAuth.

OAuth Definition

Here's the definition of OAuth 2.0 from the OAuth 2.0 IETF specification (RFC 6749) itself:
"The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf."
The key word is "limited": instead of your password, the third party receives an access token that covers only the permissions you approved, and which you can revoke without changing your password.

Terms to Know

1. Resource Server – The server that holds the protected resources (your mail, your profile) and accepts access tokens, never the owner's password
2. Resource Owner – The user who owns the specific resources and can grant access to them
3. Authorization Server – The server that authenticates the resource owner, obtains their approval, and issues access tokens to the client
4. Client – The application that requests access to the resources on behalf of the resource owner
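To make the four roles concrete, here is an added example (not code from the original post) that models the OAuth 2.0 authorization code grant in Python, with all four parties in one process. The client id `slideshare`, the scopes `mail.read` / `mail.delete`, the redirect URI and the user `alice@example.com` are made-up values for illustration; a real authorization server additionally uses HTTPS, PKCE and stronger client authentication, which this toy model leaves out.

```python
"""Toy model of the four OAuth 2.0 roles using the authorization code grant.

Added example, not code from the original post. Client ids, scopes, users and
endpoint names are assumptions chosen for illustration only.
"""
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class AuthorizationServer:
    """Authenticates the resource owner and issues access tokens to clients."""
    clients: dict                                  # client_id -> {"secret", "redirect_uri"}
    codes: dict = field(default_factory=dict)      # one-time authorization codes
    tokens: dict = field(default_factory=dict)     # access_token -> {"owner", "scope"}

    def authorize(self, client_id, redirect_uri, scope, resource_owner):
        """Approval step: the owner logs in HERE (never at the client) and consents to `scope`."""
        client = self.clients.get(client_id)
        if client is None or client["redirect_uri"] != redirect_uri:
            raise ValueError("unknown client or redirect_uri mismatch")
        code = secrets.token_urlsafe(16)
        self.codes[code] = {"client_id": client_id, "owner": resource_owner,
                            "scope": scope, "expires": time.time() + 60}
        return code  # in real life this travels back to the client via the redirect

    def token(self, client_id, client_secret, code, redirect_uri):
        """Client exchanges the one-time code (plus its own credentials) for an access token."""
        client = self.clients.get(client_id)
        if client is None or not secrets.compare_digest(client["secret"], client_secret):
            raise ValueError("invalid_client")
        grant = self.codes.pop(code, None)  # pop, not get: a code must be single-use
        if (grant is None or grant["client_id"] != client_id
                or client["redirect_uri"] != redirect_uri or grant["expires"] < time.time()):
            raise ValueError("invalid_grant")
        token = secrets.token_urlsafe(24)
        self.tokens[token] = {"owner": grant["owner"], "scope": set(grant["scope"].split())}
        return {"access_token": token, "token_type": "Bearer", "scope": grant["scope"]}

    def introspect(self, access_token):
        """Lets a resource server look up who a token belongs to and what it may do."""
        return self.tokens.get(access_token)

    def revoke(self, access_token):
        """The owner can cut off the client without changing any password."""
        self.tokens.pop(access_token, None)


@dataclass
class ResourceServer:
    """Holds the resource; accepts access tokens and checks their scope, never a password."""
    auth: AuthorizationServer
    mailboxes: dict  # owner -> list of mail subjects (constructed sample data)

    def _check(self, access_token, needed_scope):
        info = self.auth.introspect(access_token)
        if info is None or needed_scope not in info["scope"]:
            raise PermissionError("insufficient_scope")
        return info

    def read_mail(self, access_token):
        return list(self.mailboxes[self._check(access_token, "mail.read")["owner"]])

    def delete_mail(self, access_token):
        self.mailboxes[self._check(access_token, "mail.delete")["owner"]].clear()


def demo():
    """Walk the client through the grant with read-only scope and show the limit is enforced."""
    redirect = "https://slideshare.example/cb"  # assumed client callback URL
    auth = AuthorizationServer(clients={"slideshare": {"secret": "s3cr3t", "redirect_uri": redirect}})
    rs = ResourceServer(auth, {"alice@example.com": ["hello", "invoice"]})

    # Resource owner alice approves ONLY mail.read at the authorization server.
    code = auth.authorize("slideshare", redirect, "mail.read", "alice@example.com")
    tok = auth.token("slideshare", "s3cr3t", code, redirect)["access_token"]

    mail = rs.read_mail(tok)  # within scope: allowed
    try:
        rs.delete_mail(tok)    # outside the consented scope: refused
        delete_allowed = True
    except PermissionError:
        delete_allowed = False
    try:
        auth.token("slideshare", "s3cr3t", code, redirect)  # replaying the code fails
        code_reusable = True
    except ValueError:
        code_reusable = False
    auth.revoke(tok)
    try:
        rs.read_mail(tok)      # revoked token no longer works
        works_after_revoke = True
    except PermissionError:
        works_after_revoke = False
    return {"mail": mail, "delete_allowed": delete_allowed,
            "code_reusable": code_reusable, "works_after_revoke": works_after_revoke}


if __name__ == "__main__":
    print(demo())
```

Notice what never happens in this flow: alice's password is typed only at the authorization server, the client only ever sees a short-lived code and a token, the resource server decides purely on the token's scope, and revoking the token shuts the client out while alice's password stays the same. That is exactly the "limited access" the specification's definition talks about.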