OAuth is an open standard for authorization and helps control access to resources that have been stored in a server, by third party users. OAuth is inspired by OpenID. On generalizing the concept of OpenID, we can see that while the OpenID is a special case of OAuth wherein the resources that are shared are only the username and password. Whereas in the case of OAuth, resources could be anything like files / photos.
Let us look at an example scenario. Suppose that Jane (resource owner) has uploaded some of her photos (protected resources) on a website – pictures.com (server). She then wants to print them using another website – print.photos.net (client). However, she does not want to reveal her password to the server, to the client. Under such a circumstance, how does the client access her photos from the server so that it can print them for Jane ?
Naive method : A naive approach would be for Jane to reveal the password to her server, to the client so that the client can also login and access the photos. But that would mean that the client would be able to send request to change Jane’s password on the server. As the server wouldn’t know who sent the password request change, it would comply with the request.
Now this is a problem ! We need a different approach under such a situation. This is where the OAuth comes into play !
Some of the common terminologies used are :
- Server : An HTTP server capable of receiving HTTP requests from a client. In the above example, the pictures.com is the server.
- Resource owner : The resource owner is the user who has stored some of his resources in a server and can access them using his credentials with which the server authenticates him. Jane is the resource owner, in the explained example.
- Protected resource : Something that has been stored in the server by its owner, and to which only limited access is allowed. The protected resource is Jane’s photos.
- Client : An HTTP client capable of making HTTP requests to the server. The client in the above example is print.photos.net.
This is how an OAuth supporting website works in the example of Jane :
(Please note that print.photos.net and client, and pictures.net and server, have been user interchangeably.)
- Jane (resource owner) has stored her resources in pictures.com (server).
- The print.photos.net (client) has signed up for credentials to some of the commonly used servers (among which one is pictures.com) in order to provide better service to users.
- Jane wants to print the photos from print.photos.net, the client.
- The client needs to establish a set of temporary credentials with the server for which it sends a request for a temporary credential.
- The server validates the client request and sends it temporary credentials.
- The client redirects Jane to resource owner end of the server.
- The server requests Jane to sign in using her credentials that authenticate her with the server and asks her approval to grant permission to the client to access her resources.
- Jane approves giving access to client to access her resources.
- The client is informed when Jane finishes granting authorization to the client.
- The client requests for another pair of credentials to the server, making use of its temporary credentials.
- The server again validates the request and sends back a pair of credentials to the client.
- The client can now access Janes photos from the server, with this set of credentials recently given to it by the server.
The greatest advantage of OAuth is that it allows third party access to the resources of the user, without the user having to reveal the password. Only just enough permission is granted to the client, to access the user’s resources.
Having said that, the OAuth is not completely secure. A disadvantage of OAuth is that confidentiality is compromised. The tokens that are shared between the client and server are sometimes in plain text.