Saturday, November 30, 2013

OAuth for dummies - Illustrating OAuth for User Joe

Disclaimer, this is not a training dot, but it's my attempt to understand OAuth in Plain English or with visual aids. Any suggestions are welcome. See this as published personal notes.

Thoughtworks gave an awesome overview:
 "OAuth is an open-source specification for building a framework for allowing a third-party app (the “client”) to access protected resources from another application (the “provider,” or “resource owner”) at the request of a “user” of the client app. Oauth allows the user to enter his user credentials (ex. username and password) only to the provider app, which then grants the client app permission to view the protected resources on behalf of the user."

There are a few "players" here.
The third-party app: say a newly launched startup app in beta, Facebook for dating F-Book
The user: you, an aspiring bachelor with a dream
The provider: Facebook, which has your profile, and friend list

When you want to log onto F-Book for the first time, you don't want to give an untested app all your favorite password. You saw the option to use Facebook login instead.

You choose that. A familiar blue popup shows up and ask for your Facebook username and password. Hooray, you do this everyday.

Click login. The popup disappears, you are directed to F-Book, which now has your profile picture, your friend list (tells you which friends already joined), and you can now start to use F-Book! Voila.

Actually there was another step after you used Facebook credentials to sign in: Facebook asks you are you sure you want to grant profile and friend list access to F-Book. You say okay or skip. If you skip, you likely will get a 404 from F-Book (oops, something went wrong). If you grant, then Facebook secretly sends a token over to F-Book and was like okay F-Book, you can now communicate with me. Remember to send over this token, when you want to retrieve information about this particular user. Remember to send over your app API token too, because I want to know you are F-Book for reals, not knockoff-FBook.

Now F-Book can use APIs like getUserProfilePic() getUserFriendList(), Facebook pukes out a JSON, everyone's happy.

Of course, this isn't quite how it works but you get the idea. I have grossly admitted important details about security and how secret and public keys work. I wrote this post because every time someone asks me about OAuth, my initial thought is always that I know nothing. But the reality is, since it has been popularly adopted all over the place, I have seen many manifestations of OAuth: Twitter, Facebook logins, Google Plus logins, GitHub (SSH secret keys), Yahoo YQL, Google Map.

1 comment:

  1. The 2019 Belmont Stakes odds behind favorite Tacitus, who is 9-5. With so little separating the top two choices on Saturday, and plenty of other intriguing value selections on the board, you need to see the predictions from horse racing handicapper Hank Goldberg before making any 2019 Belmont Stakes picks of your own.
    GGG vs Rolls
    GGG Rolls
    GGG vs Rolls Live
    Golovkin vs Rolls
    GGG vs Rolls Fight

    This story was written in collaboration with Forbes Finds. Forbes Finds covers products we think you’ll love. Featured products are independently selected and linked to for your convenience. If you buy something using a link on this page, Forbes may receive a small share of that sale.
    Belmont Stakes 2019
    Belmont Stakes
    Belmont Stakes Live
    Belmont Stakes Race
    Belmont Stakes Horses


Machine Learning for Beginners Resources

Uniqtech guide to Machine Learning. This guide explains the difference between machine learning, traditional programming, machine learning w...