Thursday, March 17, 2011

What is OAuth (Open Authorization)

3.1 About OAuth
The OAuth protocol enables websites or applications (Consumers) to access Protected Resources from a web service (Service Provider) via an API, without requiring Users to disclose their Service Provider credentials to the Consumers. More generally, OAuth creates a freely-implementable and generic methodology for delegated API authorization.
An example use case is allowing the printing service printer.example.com (the Consumer) to access private photos stored on photos.example.net (the Service Provider) without requiring Users to provide their photos.example.net credentials to printer.example.com.
OAuth does not require a specific user interface or interaction pattern, nor does it specify how Service Providers authenticate Users, making the protocol well suited for cases where authentication credentials are unavailable to the Consumer, such as with OpenID.
OAuth aims to unify the experience and implementation of delegated web service authorization into a single, community-driven protocol. It builds on existing protocols and best practices that have been independently implemented by various websites. An open standard, supported by large and small providers alike, promotes a consistent and trusted experience for both application developers and the users of those applications.

3.2 Basic terms used

Service Provider:
A web application that allows access via OAuth.
User:
An individual who has an account with the Service Provider.
Consumer:
A website or application that uses OAuth to access the Service Provider on behalf of the User.
Protected Resource(s):
Data controlled by the Service Provider, which the Consumer can access through authentication.
Consumer Developer:
An individual or organization that implements a Consumer.
Consumer Key:
A value used by the Consumer to identify itself to the Service Provider.
Consumer Secret:
A secret used by the Consumer to establish ownership of the Consumer Key.
Request Token:
A value used by the Consumer to obtain authorization from the User, and exchanged for an Access Token.
Access Token:
A value used by the Consumer to gain access to the Protected Resources on behalf of the User, instead of using the User's Service Provider credentials.
Token Secret:
A secret used by the Consumer to establish ownership of a given Token.
OAuth Protocol Parameters:
Parameters with names beginning with oauth_.

3.3 How it works

3.3.1 Service Providers

The Service Provider's responsibility is to enable Consumer Developers to establish a Consumer Key and Consumer Secret. The process and requirements for provisioning these are entirely up to the Service Provider.
The Service Provider's documentation includes:
  1. The URLs the Consumer will use when making OAuth requests (the Request Token URL, User Authorization URL and Access Token URL), and the HTTP methods (e.g. GET, POST) used for the Request Token URL and Access Token URL.
  2. The signature methods supported by the Service Provider.
  3. Any additional request parameters that the Service Provider requires in order to obtain a Token. Service Provider specific parameters MUST NOT begin with oauth_.

3.3.2 Documentation and Registration

The Service Provider documentation explains how to register for a Consumer Key and Consumer Secret, and declares the following URLs:
Request Token URL:
https://photos.example.net/request_token, using HTTP POST
User Authorization URL:
http://photos.example.net/authorize, using HTTP GET
Access Token URL:
https://photos.example.net/access_token, using HTTP POST
Photo (Protected Resource) URL:
http://photos.example.net/photo with required parameter file and optional parameter size
The Service Provider declares support for the HMAC-SHA1 signature method for all requests, and PLAINTEXT only for secure (HTTPS) requests, because PLAINTEXT transmits the Consumer Secret and Token Secret themselves in place of a signature. The Consumer printer.example.com has already established a Consumer Key and Consumer Secret with photos.example.net and advertises its printing services for photos stored on photos.example.net.
The Consumer registration is:
Consumer Key :  dpf43f3p2l4k3l03
Consumer Secret :   kd94hf93k423kf44
         Fig 3: Communication between consumer and service provider using oauth
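As an added example (not code from the original post, nor an implementation belonging to photos.example.net or printer.example.com), the following Python shows both sides of an OAuth 1.0 HMAC-SHA1 request against the registration above: the Consumer builds the signature base string (percent-encoding, URL normalization, sorted parameters) and signs a Protected Resource request, and the Service Provider rebuilds the signature from what it received, compares it in constant time, and rejects stale timestamps and replayed nonces. The Consumer Key and Secret are the values quoted above; the Access Token nnch734d00sl2jdk, its Token Secret pfkkdhi9sl3r4s00, the nonce and the timestamp are assumed values, since the page stops at Consumer registration. The PLAINTEXT method is included to make concrete why the Service Provider restricts it to HTTPS.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote, urlsplit, urlunsplit

CONSUMER_KEY = "dpf43f3p2l4k3l03"    # Consumer registration quoted on the page
CONSUMER_SECRET = "kd94hf93k423kf44"
TOKEN = "nnch734d00sl2jdk"           # assumed Access Token and Token Secret
TOKEN_SECRET = "pfkkdhi9sl3r4s00"    # (hypothetical; not given on the page)


def oauth_encode(value):
    """Section 5.1: keep only RFC 3986 unreserved chars; '/' etc. become %XX (uppercase)."""
    return quote(str(value), safe="-._~")


def normalize_url(url):
    """Section 9.1.2: lowercase scheme/host, drop default port, query and fragment."""
    parts = urlsplit(url)
    scheme, host = parts.scheme.lower(), parts.hostname.lower()
    if parts.port and parts.port != {"http": 80, "https": 443}.get(scheme):
        host = f"{host}:{parts.port}"
    return urlunsplit((scheme, host, parts.path or "/", "", ""))


def signature_base_string(method, url, params):
    """Section 9.1.3: METHOD & encoded URL & encoded sorted params; params holds the
    query/body parameters and the oauth_* ones, minus oauth_signature itself."""
    pairs = sorted((oauth_encode(k), oauth_encode(v))
                   for k, v in params.items() if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), oauth_encode(normalize_url(url)), oauth_encode(normalized)])


def hmac_sha1_signature(method, url, params, consumer_secret, token_secret=""):
    """Section 9.2: HMAC key is encoded Consumer Secret '&' encoded Token Secret."""
    key = f"{oauth_encode(consumer_secret)}&{oauth_encode(token_secret)}".encode()
    base = signature_base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode()


def plaintext_signature(consumer_secret, token_secret=""):
    """Section 9.4: PLAINTEXT sends the secrets themselves, hence HTTPS-only above."""
    return f"{oauth_encode(consumer_secret)}&{oauth_encode(token_secret)}"


def sign_request(method, url, params, token="", token_secret="", timestamp=None, nonce=None):
    """Consumer side: add the oauth_* protocol parameters and the signature."""
    signed = dict(params, oauth_consumer_key=CONSUMER_KEY, oauth_version="1.0",
                  oauth_signature_method="HMAC-SHA1",
                  oauth_timestamp=str(int(time.time()) if timestamp is None else timestamp),
                  oauth_nonce=secrets.token_hex(16) if nonce is None else nonce)
    if token:
        signed["oauth_token"] = token
    signed["oauth_signature"] = hmac_sha1_signature(method, url, signed, CONSUMER_SECRET, token_secret)
    return signed


class ServiceProvider:
    """Service Provider side: rebuild the signature, constant-time compare, refuse replays."""

    def __init__(self, consumers, tokens, window=300, now=time.time):
        self.consumers, self.tokens = consumers, tokens  # Consumer Key / Token -> secret
        self.window, self.now = window, now              # allowed clock skew in seconds
        self.seen = set()  # accepted (key, timestamp, nonce); a real server expires old entries

    def verify(self, method, url, params):
        try:
            key, sig = params["oauth_consumer_key"], str(params["oauth_signature"])
            ts, nonce = int(params["oauth_timestamp"]), params["oauth_nonce"]
        except (KeyError, ValueError):
            return False, "missing or malformed oauth_ parameter"
        if params.get("oauth_signature_method") != "HMAC-SHA1":
            return False, "unsupported signature method"  # no PLAINTEXT on this endpoint
        token = params.get("oauth_token", "")
        if key not in self.consumers or (token and token not in self.tokens):
            return False, "unknown consumer key or token"
        if abs(self.now() - ts) > self.window:
            return False, "timestamp outside window"
        if (key, ts, nonce) in self.seen:
            return False, "nonce replayed"
        expected = hmac_sha1_signature(method, url, params, self.consumers[key], self.tokens.get(token, ""))
        if not hmac.compare_digest(expected.encode(), sig.encode()):
            return False, "bad signature"
        self.seen.add((key, ts, nonce))  # record only once the signature checks out
        return True, "ok"


def demo(now=1191242096):
    """Constructed exchange against the Photo URL above: valid, replayed, and tampered request."""
    sp = ServiceProvider({CONSUMER_KEY: CONSUMER_SECRET}, {TOKEN: TOKEN_SECRET}, now=lambda: now)
    url = "http://photos.example.net/photo"
    request = sign_request("GET", url, {"file": "vacation.jpg", "size": "original"}, token=TOKEN,
                           token_secret=TOKEN_SECRET, timestamp=now, nonce="kllo9940pd9333jh")
    first, replay = sp.verify("GET", url, request), sp.verify("GET", url, request)
    tampered = dict(request, file="someone_elses.jpg", oauth_nonce="fresh-nonce")
    return first, replay, sp.verify("GET", url, tampered)
```

The same sign_request serves the Request Token URL (no token yet, so the HMAC key ends in a bare "&") and the Access Token URL (signed with the Request Token and its secret), both POSTed over HTTPS as the documentation above requires. The verification order matters: the nonce is recorded only after the signature has been checked, so an attacker cannot burn a legitimate Consumer's nonces with forged requests, and the signature method is pinned so that a request cannot downgrade itself to PLAINTEXT on an endpoint that does not permit it.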
3.4 Why is OAuth Important?
There is an increasing need for Web applications to communicate with each other. In the Twitter space alone there are literally hundreds of third-party applications that access the contents of social networking sites on your behalf to provide functionality. Examples include posting photos, scheduling tweets, and full-featured clients. Many of these applications fill holes in the sites' own offerings and deliver value, which contributes to their popularity. Without OAuth, each of these applications would need to collect your username and password to interact on your behalf, and therein lies the problem.

Sharing secrets (credentials) with a third-party application requires trusting that application to act responsibly. This is a risky proposition, because eventually some unscrupulous application will misuse your secrets for its own gain or engage in malicious behaviour. You therefore need to minimize who you share your secrets with. Worse, once you find that an application has misused your secrets, your first line of defense is to change your password.
The problem with changing a password is that the same password has been given to multiple other applications, so after changing it you also have to update it in every one of them. Giving out secrets to every application is fraught with risk and complication.

OAuth is a way to work with third-party applications without giving out your secrets. Essentially, a third-party application that wants to access your account using OAuth redirects you to an authorization page on Twitter, Facebook or LinkedIn; you tell that site to grant the application permission, and the application can then perform actions on your behalf. The whole sequence of events occurs without sharing a password with the third-party site. Instead, the site issues the application a token tied to your account. If you later find that you cannot trust the third-party application, you go to each site and revoke its access, and that specific application can no longer reach your account.
Because access is controlled by Twitter, Facebook, LinkedIn and the other sites themselves, you do not have to do anything about your other applications: they keep their own tokens and their own access. No one has your password, and you are spared the pain of changing it everywhere.

OAuth is really the way forward in building applications that work with social networking sites. By implementing OAuth you instil a degree of trust in your application, because visitors know that you are taking a responsible approach rather than asking them to share secrets unnecessarily.
