The internet is faster and more convenient than ever. Data can flow freely between websites and applications, saving a huge amount of time and effort for the end-user, all without compromising security. One of the biggest driving forces behind this is OAuth.
What is OAuth?
Pronounced ‘oh-auth’, OAuth is an open standard for authorisation and access delegation over the internet. It’s a set of technical specifications that can be implemented by anyone, rather than a web service or API in its own right.
OAuth 1.0 was originally released in 2007 as a method of authorising transactions via the Twitter API. In 2012, the main framework for OAuth 2.0 was published, with specific processes for web and desktop applications, as well as mobile and household devices. Since then, OAuth 2.0 has become the standard authorisation protocol across the web. However, OAuth 2.0 is a completely separate protocol to OAuth 1.0, with no backwards compatibility.
The purpose of OAuth is to provide a way for one website to access a user’s data held by another one, without requiring the user’s login credentials. For example, whenever you give a third-party website or application access to your Facebook profile, maybe just to import your friends list when you create a new social media account, you’re using OAuth to approve that third party as authorised to receive your data.
Of course, you don’t want to give one website the login details for another one, but OAuth allows delegated access – basically a way for one server to tell another one that it’s allowed to access specific data on behalf of the end-user.
How does OAuth work?
OAuth uses token-based authentication to allow secure, delegated access: the client application is given tokens instead of the user’s credentials. The whole process is known as an ‘authorisation flow’. The full details of any given authorisation flow can vary greatly depending on the resources being accessed, but as a rough outline, it works like this:
- First, the resource provider asks the user if they want to grant access to the third-party website (client application).
- If the user says yes, the client application is given an authorisation code that allows it to connect to the authorisation provider (usually but not always the same thing as the resource provider) to ask for an access token.
- If the authorisation provider authenticates the identity of the client website (based on its registered details), it issues an access token.
- The client application then presents the valid token back to the resource provider to gain access to the required user data.
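The four steps above as an in-memory simulation, added here as an example and not code from the original article or from any OAuth library. The class names, the `photo-app` client, its secret and the user data are all constructed for illustration.

```python
import secrets

# Constructed registration data: client_id -> secret held by the provider.
CLIENTS = {"photo-app": "constructed-secret"}

class AuthorisationProvider:
    def __init__(self, clients):
        self.clients, self.codes, self.tokens = clients, {}, {}

    def grant(self, client_id, user, scope, approved):
        """Steps 1-2: after user consent, issue an authorisation code."""
        if client_id not in self.clients:
            raise PermissionError("client is not registered")
        if not approved:
            raise PermissionError("user denied access")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, user, scope)
        return code

    def exchange(self, client_id, client_secret, code):
        """Step 3: authenticate the client, then swap the code for a token."""
        registered = self.clients.get(client_id)
        if registered is None or not secrets.compare_digest(registered, client_secret):
            raise PermissionError("client authentication failed")
        issued = self.codes.pop(code, None)  # single use: a replay finds nothing
        if issued is None or issued[0] != client_id:
            raise PermissionError("invalid or already-used code")
        token = secrets.token_urlsafe(32)
        self.tokens[token] = issued[1:]  # (user, scope) bound to this token
        return token

class ResourceProvider:
    def __init__(self, auth, data):
        self.auth, self.data = auth, data

    def fetch(self, token, scope):
        """Step 4: serve data only for a valid token that covers the scope."""
        user, granted = self.auth.tokens.get(token, (None, ""))
        if user is None or scope not in granted.split():
            raise PermissionError("token invalid or scope not granted")
        return self.data[user][scope]

def run_flow():
    """Walk the four steps once; the user's password never reaches the client."""
    auth = AuthorisationProvider(CLIENTS)
    api = ResourceProvider(auth, {"alice": {"friends": ["bob", "carol"]}})
    code = auth.grant("photo-app", "alice", "friends", approved=True)
    token = auth.exchange("photo-app", "constructed-secret", code)
    return auth, api, code, token
```

The client only ever handles the code and the token, and the token is useless for any scope the user did not approve.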
Implementing OAuth yourself
Before an application can use OAuth, it needs to register with the resource provider (the website holding the user resources that the third party wants to access). Social media platforms like Facebook and Twitter have specialised resources for developers that make this fairly straightforward.
Thinking about implementing OAuth in your own web app or social media plugin? Our CloudNX cloud hosting platform offers the ideal cloud hosting environment for developers. Get root access and maximum customisation with high-performance virtual machines, or just launch a managed LAMP stack and let us take care of the server admin. Either way, you can always rely on our UK data centres and 24/7 technical support.