
Introduction to OAuth (in simple words)

Social networks are becoming an ever deeper part of our lives. For many people they are both a source of income and a basic work tool. There are also cases where one site needs your personal data from another, for example automatic posting to Twitter from Bitly. For that to happen, you would have to hand over your username and password from one resource to another. That is the wrong way to do it. Instead, they should use OAuth.

OAuth is an open authorization protocol that lets a user grant a third party limited access to their protected resources without handing that third party their login and password.

This brief tutorial illustrates, as simply as possible, how OAuth works.

Participants

OAuth transactions involve three main participants: the user, the consumer, and the service provider. This triumvirate can be affectionately called the OAuth love triangle.

In our example, Joe is the user, Bitly is the consumer, and Twitter is the service provider that controls Joe's protected resource (his feed). Joe wants Bitly to publish shortened links to his feed. Here is how it works:

Step 1 - The user states what he wants

Joe (user): “Hi, Bitly, I want you to post links directly to my feed.”

Bitly (consumer): “No problem! I'll go ask for permission.”

Step 2 - The consumer obtains permission

Bitly: “I have a user here who wants me to publish to his feed. Can I request a token?”

Twitter (service provider): “OK. Here is a token and a secret; don't tell it to anyone.”

The secret is used to prevent forged requests. The consumer uses it to sign each of its requests, so that the service provider can verify that the requests really come from the consumer application.

Step 3 - The user is redirected to the service provider

Bitly: “OK, Joe. I'll send you to Twitter; you need to confirm there. Take the token with you.”
Joe: "I agree!"

<Bitly redirects Joe to Twitter for authorization>

Step 4 - the user gives permission

Joe: “Twitter, I would like you to authorize this token, Bitly gave it to me.”

Twitter: “Okay, just to be sure, you want to allow Bitly to do this, this and that?”

Joe: "Yes!"

Twitter: “OK, you can tell Bitly that it may use the request token.”

Twitter marks this token as authorized, so that when the consumer asks for access it will be granted (as long as the request is signed with their shared secret).

Step 5 - The consumer receives an access token

Bitly: “Twitter, can I exchange the request token for an access token?”

Twitter: “Of course. Here's your access token and its secret.”

Step 6 - The consumer accesses the protected resource

Bitly: “Twitter, I would like to post a link to Joe's feed. Here is my access token.”

Twitter: “The token is valid. Done!”
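As an added example (not code from the original article), here is what "signing each request with the secret" from step 2 looks like in OAuth 1.0, carried through to step 6: the consumer builds the RFC 5849 signature base string and HMAC-SHA1 signature, and the provider recomputes it to accept the genuine request and reject a copy whose body was altered. All keys, secrets, URLs and parameter values are constructed for the demo.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote
# Added example, not from the article: OAuth 1.0 HMAC-SHA1 signing (RFC 5849)
# from both sides of the exchange. All keys and secrets below are constructed.

def pct(s):
    # RFC 5849 percent-encoding: only unreserved characters stay literal
    return quote(str(s), safe="-._~")

def signature_base_string(method, url, params):
    # params: list of (name, value) pairs from query, body and oauth_* header
    # values (without oauth_signature); duplicates allowed, sorted by name, value
    encoded = sorted((pct(k), pct(v)) for k, v in params)
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct(url), pct(normalized)])

def sign(method, url, params, consumer_secret, token_secret=""):
    # Consumer side: key = consumer secret & token secret (empty in step 2)
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    base = signature_base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode()

def verify(method, url, params, consumer_secret, token_secret=""):
    # Provider side: recompute the signature and compare in constant time
    received = next((v for k, v in params if k == "oauth_signature"), "")
    unsigned = [(k, v) for k, v in params if k != "oauth_signature"]
    expected = sign(method, url, unsigned, consumer_secret, token_secret)
    return hmac.compare_digest(expected, received)

def demo():
    # Step 6 of the article: the consumer posts to the user's feed with its
    # access token; the provider accepts it and rejects a tampered copy
    consumer_secret, token_secret = "bitly-secret-demo", "joe-token-secret-demo"
    url = "https://api.provider.example/1/statuses/update"
    params = [
        ("oauth_consumer_key", "bitly-key-demo"),
        ("oauth_token", "joe-access-token-demo"),
        ("oauth_signature_method", "HMAC-SHA1"),
        ("oauth_timestamp", "137131201"),
        ("oauth_nonce", "7d8f3e4a"),
        ("status", "Shortened link: https://bitly.example/abc"),
    ]
    sig = sign("POST", url, params, consumer_secret, token_secret)
    signed = params + [("oauth_signature", sig)]
    tampered = [(k, "Spam!" if k == "status" else v) for k, v in signed]
    return (verify("POST", url, signed, consumer_secret, token_secret),
            verify("POST", url, tampered, consumer_secret, token_secret))
```

`demo()` returns `(True, False)`; the base-string builder also reproduces the worked example in RFC 5849 section 3.4.1.1.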

Conclusion

In our scenario, Joe never had to share his Twitter account credentials with Bitly. He simply delegated access securely using OAuth. At any time, Joe can log into his Twitter account, review all of the access he has granted and, if necessary, revoke any of it. OAuth also lets access be split into different levels: you can give Bitly the right to publish, but give LinkedIn read-only permission.

OAuth is not perfect ... for now

OAuth is a powerful solution for web-based applications and is a huge step forward compared to regular HTTP authentication. However, there are certain limitations, particularly in OAuth 1.0.

OAuth 2.0 is a newer and safer version of the protocol, which introduced different “flows” for web, mobile and desktop applications. It also adds the concept of token expiration (similar to cookies), runs on top of SSL, and reduces development complexity by taking the complicated authentication procedures onto itself.

Additional sources

I hope this was a good example that conveyed the general idea of OAuth. So the next time you see a “Sign in with Twitter” or similar button, you will have an idea of what happens when you click it.

If you want to dive deeper into the mechanics of work, here are some useful links:
• hueniverse.com/oauth
• marktrapp.com/blog/2009/09/17/oauth-dummies
• dev.twitter.com/docs/auth/oauth/faq
• stackoverflow.com/questions/4113934/how-is-oauth-2-different-from-oauth-1
• googlecodesamples.com/oauth_playground
• www.justin.tv/hackertv/b/259433315

Source: https://habr.com/ru/post/283424/
