Sep 13, 2009

Web authorization and OAuth

OAuth is an open protocol for secure API authorization: it lets a user delegate limited access to an account on one site to another site or application without handing over the account password. More and more sites on the internet are adopting it.

So what is so cool about it?
OAuth offers a way to work with protected data while keeping sensitive account information private. Imagine you want to use your Twitter, Yahoo or Google account from some third-party site or application that offers additional functionality. What happens if that consumer site or application is not trustworthy and steals your credentials? With OAuth the consumer never sees your password; it only holds a token that the service provider issued for it and that the provider can revoke, so your account is protected in this case.
There is a popular analogy on the web: OAuth is like the valet key that allows limited use of your car (it starts the engine but does not open the trunk or the glove box). Not all cars come with valet keys, but it is still a good comparison.

With OAuth the user grants access to his protected resources without sharing his username and password with third parties. Imagine a website that offers great functionality for adding and removing many Twitter followers. One way to use it is to share your credentials with it, which gives it everything your password can do, for as long as you do not change the password. The other is to use a special token that grants only the few privileges the site needs while your sensitive information stays with Twitter.

Some terminology:
Service Provider – the web service that holds the protected resources and offers access to them to third parties.
Consumer – a website or application that accesses protected resources of a Service Provider on the user's behalf.
User – the person who owns the protected resources and grants the Consumer access to them.
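To make the Consumer/Service Provider split concrete, here is an added example (not code from the original post) of what the two sides actually exchange in OAuth 1.0 (RFC 5849, the version in use when this was written) once a token has been issued: the Consumer signs each request with HMAC-SHA1 over a canonical "signature base string", using the consumer secret and token secret as the key, and the Service Provider recomputes that signature, checks the timestamp and nonce, and compares in constant time. Note what is absent from the exchange: the user's password. The consumer key, secrets, token and the api.example.com URL are constructed test values; the base-string check in the usage note uses the worked test vector from RFC 5849 section 3.4.1.1.

```python
"""OAuth 1.0 (RFC 5849) HMAC-SHA1 signing on the Consumer side and verification
on the Service Provider side. Added example, not code from the original post;
every key, secret, token and URL below is a constructed test value."""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, urlsplit


def pct(value) -> str:
    """RFC 5849 section 3.6 encoding: only unreserved characters stay bare."""
    return quote(str(value), safe="-._~")


def signature_base_string(method: str, url: str, body: str, oauth_params: dict) -> str:
    """RFC 5849 section 3.4.1: METHOD & base URI & normalized parameters, where the
    parameters come from the query, the form body and the oauth_* values ('realm'
    and 'oauth_signature' excluded), each encoded, sorted by name then value."""
    parts = urlsplit(url)
    scheme, host, port = parts.scheme.lower(), parts.hostname.lower(), parts.port
    if port and port != {"http": 80, "https": 443}.get(scheme):
        host = f"{host}:{port}"          # non-default ports are part of the base URI
    base_uri = f"{scheme}://{host}{parts.path}"
    params = list(parse_qsl(parts.query, keep_blank_values=True))
    params += parse_qsl(body, keep_blank_values=True)
    params += [(k, v) for k, v in oauth_params.items() if k not in ("realm", "oauth_signature")]
    normalized = "&".join(f"{k}={v}" for k, v in sorted((pct(k), pct(v)) for k, v in params))
    return "&".join([method.upper(), pct(base_uri), pct(normalized)])


def hmac_sha1_signature(base: str, consumer_secret: str, token_secret: str = "") -> str:
    """Key is consumer_secret&token_secret; the '&' stays even with no token yet."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()


def consumer_sign(method, url, body, consumer_key, consumer_secret, token, token_secret):
    """Consumer side: the oauth_* parameters for one request. No user password involved."""
    params = {
        "oauth_consumer_key": consumer_key,
        "oauth_token": token,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(int(time.time())),
        "oauth_nonce": secrets.token_hex(8),
        "oauth_version": "1.0",
    }
    base = signature_base_string(method, url, body, params)
    params["oauth_signature"] = hmac_sha1_signature(base, consumer_secret, token_secret)
    return params


class ServiceProvider:
    """Service Provider side: recompute the signature; trust nothing the consumer sent."""

    def __init__(self, consumers: dict, tokens: dict, window: int = 300):
        self.consumers = consumers   # consumer_key -> consumer_secret
        self.tokens = tokens         # oauth_token -> (owning consumer_key, token_secret)
        self.window = window         # accepted clock skew in seconds
        self.seen = set()            # (consumer_key, timestamp, nonce); prune by window in production

    def verify(self, method: str, url: str, body: str, params: dict, now=None) -> bool:
        now = int(time.time()) if now is None else now
        consumer_key = params.get("oauth_consumer_key")
        consumer_secret = self.consumers.get(consumer_key)
        owner, token_secret = self.tokens.get(params.get("oauth_token"), (None, None))
        if consumer_secret is None or owner != consumer_key:
            return False                   # unknown consumer, or a token issued to another consumer
        if params.get("oauth_signature_method") != "HMAC-SHA1":
            return False                   # refuse a downgrade to PLAINTEXT
        try:
            ts = int(params["oauth_timestamp"])
        except (KeyError, ValueError):
            return False
        if abs(now - ts) > self.window:
            return False                   # stale request
        replay_key = (consumer_key, ts, params.get("oauth_nonce"))
        if replay_key in self.seen:
            return False                   # this nonce was already accepted
        expected = hmac_sha1_signature(
            signature_base_string(method, url, body, params), consumer_secret, token_secret)
        if not hmac.compare_digest(expected.encode(), str(params.get("oauth_signature", "")).encode()):
            return False                   # constant-time compare against the recomputed value
        self.seen.add(replay_key)          # consume the nonce only once the request is valid
        return True


def demo():
    """Sign one request, then show that a tampered body and a replay are rejected."""
    provider = ServiceProvider(
        consumers={"follower-tool": "consumer-secret-xyz"},
        tokens={"user-token-123": ("follower-tool", "token-secret-abc")},
    )
    url = "https://api.example.com/1/followers/destroy.json"
    body = "screen_name=spammer"
    req = consumer_sign("POST", url, body, "follower-tool", "consumer-secret-xyz",
                        "user-token-123", "token-secret-abc")
    tampered = provider.verify("POST", url, "screen_name=friend", req)   # body changed in transit
    accepted = provider.verify("POST", url, body, req)                   # the genuine request
    replayed = provider.verify("POST", url, body, req)                   # same nonce again
    return tampered, accepted, replayed


if __name__ == "__main__":
    print(demo())  # (False, True, False)
```

Two design points worth noticing. First, the signature covers the method, the URL and every query, body and oauth_* parameter, so a man in the middle who changes what the request does invalidates it; the base string is what makes this "limited use" rather than a bearer secret. Second, the provider is the one that decides which signature method is acceptable and that a (timestamp, nonce) pair is used only once; if either check is left to the consumer, a captured request can be replayed or downgraded. You can check `signature_base_string` against the RFC 5849 section 3.4.1.1 vector: `POST` to `http://example.com/request?b5=%3D%253D&a3=a&c%40=&a2=r%20b` with body `c2&a3=2+q` and the header's oauth_* values yields `POST&http%3A%2F%2Fexample.com%2Frequest&a2%3Dr%2520b%26a3%3D2%2520q%26a3%3Da%26b5%3D%253D%25253D%26c%2540%3D%26c2%3D%26oauth_consumer_key%3D...`.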

How do I use it? Do I need to reinvent the wheel?
No. The wheel is already invented: there are ready-made libraries for most languages listed at http://oauth.net/code, and the signing details are exactly the kind of thing you should not write yourself.
The OAuth Playground is a useful tool for stepping through the authorization flow by hand: http://googlecodesamples.com/oauth_playground/.

For more information on OAuth visit http://oauth.net/ .
