OAuth is an authentication protocol that allows a client application's user to authenticate through an OAuth service provider with appropriate authorization.
For example, suppose a user has some really nice pictures on Flickr that he or she wants to share with Facebook friends. The user goes to Facebook, which redirects the user to Flickr, where the user logs in by providing Flickr authentication details. The great thing about all this is that the user never has to share Flickr credentials with Facebook. This is an example of OAuth authorization.
In step 1 the client logs in to his Facebook account by providing a user id and a password. If the user wants to share his Flickr images with his Facebook account, he selects the appropriate option in Facebook. Facebook redirects him to Flickr, where he provides his credentials. Once the user is logged in to his Flickr account he can choose to share his Flickr images with his Facebook account. So unlike the normal authentication process of a typical web application, a two-step authentication is involved here. We can therefore formally define OAuth as: OAuth is a protocol that allows end users to give third party applications access to their resources stored on a server.
Advantages of using OAuth
Giving a third party application access to the user's resources on a website has an advantage for the end user, since he can easily share his already existing resources with another application instead of duplicating them on a new website.
Today most internet users have multiple accounts with different sites such as Google, Microsoft, Facebook, etc. Imagine the situation when the poor user is asked to register again on yet another website. I am sure you have had this feeling, since registering with a new site consumes time.
Using OAuth, the application can allow the user to log in using his existing credentials (on another website), so the user does not have to create and remember another set of credentials for a new website. It also has an advantage for you as a developer, since you can delegate the authorization to another trusted website. These trusted websites that authorize users on other applications' behalf are called identity providers.
Using Open Authentication, the user can give third party applications limited access to their resources stored on some other website, and the user never needs to share his credentials with these third party applications. Instead of a user id and password, the applications use an access token to fetch the user's data.
How OAuth works
In a normal scenario the user has some resources stored on the server that he can access using his user id and password. The user provides the credentials, namely user id and password, and is granted access to his resources. This is mandatory so that the user's resources, which could be images or any other documents, are safe.
Here the main entities involved in this transaction are:
The user accessing his resources stored on the server.
The resources of the user stored on the server that he is trying to access.
In the above flowchart the user is allowed access to his resources through authorization, which is a step that depends upon authentication. But the main point here is that all of the above process is mostly performed by a single application.
As the user id and password validation occurs in the same application the user is accessing, the password of the user is stored in the database of the application, most likely in an encrypted format. Since the password is encrypted, the user can be sure that his credentials are known only to him (ignoring the case that his account is hacked), so it is much less likely that his credentials are misused.
The above scenario represents the typical user authentication process performed by an application. In the case of applications using OAuth authentication the process works a bit differently: instead of the user directly signing in to the application, the user is redirected to another website where he needs to enter his credentials.
The following steps are common no matter which provider we are using.
Register the application with the provider and receive a key and a secret.
Once the user shows his intention to authenticate using the provider, the application sends a request to the provider for a request token (which is just another set of credentials).
In the final step the registered application asks the provider for the access token. Once the application receives the access token it has access to the user's data.
The following diagram illustrates what has been discussed above.
In the last step the authentication provider sends back an access token to the application. It is with this access token that our application can access the user's data.
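The three steps above (application registration, request token, access token) and the point that the application only ever holds a token, never the user's password, are easier to see in a small simulation. The following Python is an added example written for this page, not code from any OAuth provider or library: the Provider class plays the Flickr side, the ClientApp class plays the Facebook side, and the user's login at the provider is simulated by a direct call to Provider.authorize. The HMAC-SHA256 signing of requests with the application secret, the in-memory token tables and the sample user "alice" with her photo list are all assumptions made for the example.

```python
import hmac
import hashlib
import secrets


class Provider:
    """Toy OAuth-style service provider (the site that holds the user's resources).
    Everything lives in memory; constructed for illustration only."""

    def __init__(self):
        self.apps = {}            # consumer key -> consumer secret (step 1: registration)
        self.request_tokens = {}  # request token -> {"key", "user", "verifier"}
        self.access_tokens = {}   # access token -> {"key", "user"}
        # Constructed sample user and resources; the password never leaves this class.
        self.users = {"alice": "correct horse battery staple"}
        self.photos = {"alice": ["beach.jpg", "mountain.jpg"]}

    def register_app(self, name):
        """Step 1: the developer registers the application and gets a key and a secret."""
        key = "key-" + secrets.token_hex(4)
        secret = secrets.token_hex(16)
        self.apps[key] = secret
        return key, secret

    def _check_signature(self, key, message, signature):
        # The application proves it knows the secret without ever sending it.
        secret = self.apps.get(key)
        if secret is None:
            return False
        expected = hmac.new(secret.encode(), message.encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, signature)

    def request_token(self, key, signature):
        """Step 2: hand a registered application a request token (temporary credentials)."""
        if not self._check_signature(key, "request_token", signature):
            raise PermissionError("unknown application or bad signature")
        token = secrets.token_hex(8)
        self.request_tokens[token] = {"key": key, "user": None, "verifier": None}
        return token

    def authorize(self, token, username, password):
        """The user logs in here, at the provider, and approves the request token.
        The client application is not involved and never sees the password."""
        if self.users.get(username) != password:
            raise PermissionError("bad user credentials")
        entry = self.request_tokens[token]
        entry["user"] = username
        entry["verifier"] = secrets.token_hex(4)
        return entry["verifier"]

    def access_token(self, key, signature, token, verifier):
        """Step 3: exchange an authorized request token for an access token (one-time use)."""
        if not self._check_signature(key, "access_token:" + token, signature):
            raise PermissionError("unknown application or bad signature")
        entry = self.request_tokens.pop(token, None)
        if (entry is None or entry["key"] != key or entry["verifier"] is None
                or not hmac.compare_digest(entry["verifier"], verifier)):
            raise PermissionError("request token not authorized for this application")
        access = secrets.token_hex(8)
        self.access_tokens[access] = {"key": key, "user": entry["user"]}
        return access

    def get_photos(self, key, access):
        """Protected resource: only a valid access token for this application is accepted."""
        entry = self.access_tokens.get(access)
        if entry is None or entry["key"] != key:
            raise PermissionError("invalid access token")
        return list(self.photos[entry["user"]])


class ClientApp:
    """The third party application; it holds a key, a secret and tokens, never a user password."""

    def __init__(self, provider, name):
        self.provider = provider
        self.key, self.secret = provider.register_app(name)
        self.request = None
        self.access = None

    def _sign(self, message):
        return hmac.new(self.secret.encode(), message.encode(), hashlib.sha256).hexdigest()

    def start_login(self):
        # Returns the request token the user is redirected to the provider with.
        self.request = self.provider.request_token(self.key, self._sign("request_token"))
        return self.request

    def finish_login(self, verifier):
        # Called after the user comes back from the provider with the verifier.
        self.access = self.provider.access_token(
            self.key, self._sign("access_token:" + self.request), self.request, verifier)
        return self.access

    def fetch_photos(self):
        return self.provider.get_photos(self.key, self.access)


def run_flow():
    """Complete three-legged flow; returns the photos the application can now read."""
    provider = Provider()
    app = ClientApp(provider, "PhotoSharer")
    token = app.start_login()
    # This call stands in for the user's browser session at the provider.
    verifier = provider.authorize(token, "alice", "correct horse battery staple")
    app.finish_login(verifier)
    return app.fetch_photos()
```

Note that every provider method the application can call is gated on a different credential: the registration secret for tokens, the user's own password only inside authorize, and the access token for the resource. A request token alone, or a token that was never authorized by the user, does not open the resource, which is the property the article relies on when it says the user never shares his credentials with the third party.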