OAuth Overview

OAuth can be defined as follows:

  1. OAuth is an open protocol that aims to standardize the way desktop and web applications access a user’s private data. OAuth provides a mechanism for users to grant access to private data without sharing their private credentials (username/password). Many sites have started enabling APIs to use OAuth because of its security properties and the standard set of libraries available for it.
  2. The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf.
  3. OAuth is a simple way to publish and interact with protected data. It is also a safer and more secure way for people to give you access to that data.
  4. If you’re storing protected data on your users’ behalf, they shouldn’t be spreading their passwords around the web to get access to it. Use OAuth to give your users access to their data while protecting their account credentials.
  5. OAuth 2.0 is an open authorization framework which enables applications to access each other’s data. For instance, a game application can access a user’s data in the Facebook application, or a location-based application can access the user data of the Foursquare application. Note that OAuth grants access to data; on its own it is not an authentication protocol (see the comparison with OpenID below).
  6. OAuth 2.0 enables a user who already has an account at a provider (e.g. Google, Facebook, Foursquare, Twitter, etc.) to share their data at that provider with other applications, without handing those applications their password.

Here is a diagram illustrating the principle:

[Diagram: Example of how OAuth 2.0 is used to share data via applications.]

The user accesses the game web application. The game asks the user to log in via Facebook and redirects the user there. The user logs into Facebook (the password is entered at Facebook, never at the game), approves the access the game is requesting, and is sent back to the game with an authorization grant that the game exchanges for an access token. The game can now access the user’s data in Facebook, and call functions in Facebook on behalf of the user (e.g. posting status updates), limited to the scope the user approved.
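The exchange described above, written out as an added example that is not code from the original page: both sides of the OAuth 2.0 authorization code grant (the third-party "game" client and the provider’s authorization server, standing in for Facebook) are simulated in one process so it runs offline. The provider endpoint, the client id and secret, the redirect URI, the scope names and the user names are assumptions made for the illustration. Beyond the happy path, it also shows the checks each side makes that the text only implies: the code is bound to the registered redirect URI and to the client that started the request (via PKCE), it can be redeemed once, the client ties the callback to the login it started (`state`), and the API only releases data within the approved scope.

```python
"""Added example (not code from the original page): an in-process model of the OAuth 2.0
authorization code grant between a third-party "game" client and the provider's authorization
server. Provider endpoint, client credentials, redirect URI, scope names and users are assumed."""
import base64, hashlib, hmac, secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_ENDPOINT = "https://provider.example/oauth/authorize"  # assumed; stands in for Facebook
CALLBACK_URI = "https://game.example/callback"                  # assumed redirect URI of the game


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def query(url: str) -> dict:
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


class AuthorizationServer:
    """The provider: registered clients, single-use codes, issued tokens and a protected API."""

    def __init__(self, clients):
        self.clients = clients          # client_id -> {"secret": ..., "redirect_uri": ...}
        self.codes, self.tokens = {}, {}

    def authorize(self, authorize_url, user):
        """`user` has logged in at the provider and approved the request; redirect back with a code."""
        q = query(authorize_url)
        client = self.clients[q["client_id"]]
        # Only the registered redirect URI may receive the code, or it could land on an attacker's page.
        if q["response_type"] != "code" or q["redirect_uri"] != client["redirect_uri"]:
            raise PermissionError("invalid_request")
        code = secrets.token_urlsafe(24)
        self.codes[code] = dict(q, user=user)   # remembers client_id, redirect_uri, scope, code_challenge
        return q["redirect_uri"] + "?" + urlencode({"code": code, "state": q["state"]})

    def token(self, form):
        """Token endpoint: redeem a code for a bearer token. The user's password is never involved."""
        grant = self.codes.pop(form.get("code"), None)          # pop(): a code is single-use
        client = self.clients.get(form.get("client_id"))
        if grant is None or client is None or grant["client_id"] != form["client_id"] \
                or grant["redirect_uri"] != form.get("redirect_uri"):
            raise PermissionError("invalid_grant")
        if not hmac.compare_digest(client["secret"], form.get("client_secret", "")):
            raise PermissionError("invalid_client")
        # PKCE (S256): whoever redeems the code must hold the verifier behind the challenge.
        expected = b64url(hashlib.sha256(form.get("code_verifier", "").encode()).digest())
        if not hmac.compare_digest(expected, grant["code_challenge"]):
            raise PermissionError("invalid_grant")
        token = secrets.token_urlsafe(32)
        self.tokens[token] = {"user": grant["user"], "scope": grant["scope"]}
        return {"access_token": token, "token_type": "Bearer", "scope": grant["scope"]}

    def profile(self, authorization_header):
        """Protected resource: data is released only within the scope the user approved."""
        scheme, _, token = authorization_header.partition(" ")
        info = self.tokens.get(token) if scheme == "Bearer" else None
        if info is None or "profile" not in info["scope"].split():
            raise PermissionError("insufficient_scope")
        return {"name": info["user"]}


class GameClient:
    """The third-party application. It holds its own client secret, never the user's password."""

    def __init__(self, server, client_id, client_secret):
        self.server, self.client_id, self.client_secret = server, client_id, client_secret
        self.state = self.verifier = None

    def authorization_url(self, scope="profile"):
        # state binds the callback to this login attempt; the PKCE verifier binds the code to this client.
        self.state, self.verifier = secrets.token_urlsafe(16), secrets.token_urlsafe(32)
        return AUTHORIZE_ENDPOINT + "?" + urlencode({
            "response_type": "code", "client_id": self.client_id, "redirect_uri": CALLBACK_URI,
            "scope": scope, "state": self.state, "code_challenge_method": "S256",
            "code_challenge": b64url(hashlib.sha256(self.verifier.encode()).digest())})

    def handle_callback(self, callback_url):
        q = query(callback_url)
        if self.state is None or not hmac.compare_digest(q.get("state", ""), self.state):
            raise PermissionError("state mismatch: callback does not belong to a login we started")
        self.state = None                                       # state is single-use as well
        return self.server.token({"grant_type": "authorization_code", "code": q["code"],
                                  "redirect_uri": CALLBACK_URI, "client_id": self.client_id,
                                  "client_secret": self.client_secret, "code_verifier": self.verifier})


def rejected(action):
    try:
        action(); return False
    except PermissionError:
        return True


def run_flow(user="alice"):
    """The happy path from the text: user -> game -> provider -> game -> provider API."""
    server = AuthorizationServer({"game-app": {"secret": "game-secret", "redirect_uri": CALLBACK_URI}})
    game = GameClient(server, "game-app", "game-secret")
    redirect = server.authorize(game.authorization_url(), user)   # user approves at the provider
    token = game.handle_callback(redirect)                         # game redeems the code
    return server.profile("Bearer " + token["access_token"])      # game reads data on the user's behalf


def run_negative_cases():
    """Failure modes worth checking: forged state, code replay, and a scope the user did not approve."""
    server = AuthorizationServer({"game-app": {"secret": "game-secret", "redirect_uri": CALLBACK_URI}})
    game = GameClient(server, "game-app", "game-secret")
    redirect = server.authorize(game.authorization_url(scope="email"), "bob")
    forged = rejected(lambda: game.handle_callback(redirect.replace("state=", "state=x")))
    token = game.handle_callback(redirect)["access_token"]
    replay = {"code": query(redirect)["code"], "client_id": "game-app", "client_secret": "game-secret",
              "redirect_uri": CALLBACK_URI, "code_verifier": game.verifier}
    return {"forged_state_rejected": forged, "code_replay_rejected": rejected(lambda: server.token(replay)),
            "unapproved_scope_rejected": rejected(lambda: server.profile("Bearer " + token))}
```

`run_flow()` returns the profile the game fetched on the user’s behalf; `run_negative_cases()` reports whether each of the three tampering attempts was refused. In a real deployment the two classes live on different hosts and the redirects travel through the user’s browser, but the messages and the checks are the same.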

The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service.

For Consumer developers (the application requesting access; OAuth 2.0 calls this the client):

If you’re building

  • web applications
  • desktop applications
  • mobile applications
  • JavaScript or browser-based apps
  • webpage widgets

For Service Provider developers (the site holding the data; OAuth 2.0 splits this into the authorization server and the resource server):

If you’re supporting…

  • web applications
  • mobile applications
  • server-side APIs
  • mashups


OAuth is not an OpenID extension and, at the specification level, shares only a few things with OpenID: some common authors and the fact that both are open specifications in the realm of authentication and access control. ‘Why is OAuth not an OpenID extension?’ is probably the most frequently asked question in the group.

The answer is simple. OAuth attempts to provide a standard way for developers to offer their services via an API without forcing their users to expose their passwords (and other credentials). If OAuth depended on OpenID, only OpenID services would be able to use it, and while OpenID is great, there are many applications where it is not suitable or desired.

That does not mean you cannot use the two together. OAuth is about getting users to grant access, while OpenID is about making sure users really are who they say they are. An access token proves that a client was granted access to a resource, not who is sitting at the browser, so an application that needs a login needs an identity layer in addition to OAuth. The two should work well together.

