API Security

What is the OAuth?

What is the OAuth?


You've probably heard about the dangers of giving out your passwords and why you should never do it. There are various protocols designed to protect you and prevent the need for inputting your passwords or log in credentials repeatedly. When a website needs your password to offer you access, they could use a technique called OAuth to make things simpler.

The purpose of this article is to teach you how a website or app accepts users that visit them. Do these platforms have the right permissions? Are they allowed to verify your identity and access some of your data on your behalf? OAuth explains this entire process and helps to make it simpler to achieve. Keep reading to find out how online verifications have become automated and only need a single click to be completed.

Learning Objectives

What Is OAuth?

OAuth is an open-standard authorization protocol that can be added to applications to offer users secure designated access to their platform. For instance, with this protocol, you can tell Facebook to allow ESPN.com access to your social media posts and updates without necessarily releasing your login credentials. This sort of access helps to reduce risk in a big way. If ESPN.com suffers a data breach, the information you have with Facebook will be protected.

OAuth does not operate by sharing passwords with other platforms. Instead, it sends authorization tokens to them. This token is used to prove the authenticity of the identity. It's a crucial strategy to employ between customers and service providers. In simple terms, this concept is an authentication protocol that allows platforms and service providers to interact without giving out their passwords.

OAuth Examples

A common example of this protocol is related to most android devices. When you purchase an android smartphone, it requires you to log in to your email account to access most of the features on that phone.

When you have logged in your email into the phone, you will need the information to access other applications or login websites. The principles of OAuth allow users to share their email login credentials with the platform instantly. You don't need to input your password but the website will instantly be provided with authentication to offer you designated access.

There are numerous other use cases and examples that highlight the concept of this protocol. As long as you can share your credentials for information across platforms without having to input your password repeatedly.

A good example of this protocol in principle is when you are redirected to another website and sent a message that says; "hey, do you wish to log in to our website with the credentials from another website?" Let's call the website that is requesting a user's access as the receiver while the platform where you are currently logged in will be referred to as sender. When you try to log into the receiver or receiving website, it will demand to know if you are the same user who is logged in on the sender or sending website.

Facebook is one of the most common examples of platforms that use this protocol. When you're using an app on Facebook, it will demand access to your profile information and pictures. In this scenario, Facebook is the sender with your login data and pictures. The app is the receiver, and as the user, you intend to use the services of the receiving platform. By clicking on allow, you give the receiver access to your pictures while OAuth facilitates the entire process.

Some of your smart home devices, such as television, security system, toaster, and so on, require login access to be able to control all of them from your browser or mobile device. These devices operate on what is referred to as OAuth confidential authorization. They'll hold on to your login credentials securely. That way, you don't have to input your login credentials at different website terminals.

How Does OAuth Work?

The reality is that OAuth was designed to focus on authorization and not authentication. Authorization involves seeking permission to perform certain actions. However, authentication is concerned with proving that you are the person who has the required access to the information secured within the profile. OAuth doesn't ask the user to authenticate, instead, it authorizes access to other apps and resources.

A good way to review the working mechanism of this protocol is by looking at the analogy of a valet key. The valet key is designed to give a valet access to drive your car, but will not necessarily allow them to open the trunk. The OAuth token is designed to be the valet key to your smart device. As a user, you are in control of the information that will be shared across platforms. You can hand a valet key to each receiver. However, they will never have full access to the full key or confidential data that are hidden within the profile.

There 3 main parties that are involved in any OAuth transaction; the user, the sender, and the receiver. The 3 parties may be referred to as OAuth Love Triangle. We'll use a few simple steps to illustrate how an OAuth offers authentication protection for users on multiple platforms.

  • Step 1: The User Shows Intent
  • Step 2: The Receiver Gets Permission. A secret will be sent along with the permissions which will be used to prevent forgery and verify the source of the permission request.
  • Step 3: The User Is Redirected to the Service Provider or Sender
  • Step 4: The User Gives Permission
  • Step 5: The Receiver Obtains an Access Token
  • Step 6: The Receiver Accesses the Protected Resource
oauth work

SAML vs. OAuth

Many people are quick to refer to the similarities between SAML and OAuth, but most concepts couldn't be more different. SAML, also known as Security Assertion Markup Language, is an alternative authentication standard that is many organization uses to support single-sign-on features. SAML is a feature that enables organizations to monitor those who are in charge of corporate resources.

There are many differences between SAML and OAuth. SAML adopts XML to send messages while OAuth sends messages with the use of JSON technology. OAuth is designed for a simpler mobile experience, while SAML is designed to offer you better security. The last difference between SAML and OAuth is a major one. OAuth relies majorly on API. Due to this reason, many mobile apps, modern-day websites, game consoles, and the Internet of Things rely on this protocol. Generally, OAuth offers a better experience for users. To offer authentication to users, SAML drops a cookie session in the user's browser that lets the person access certain web pages. This idea is great for short-lived access but doesn't do much when you have to log into that network repeatedly.

OpenID vs OAuth

In simple terms, OpenID is used for authentication while OAuth serves the purpose of authorization.

OpenID supports federated authentication, which means that it supports third-party apps to support and authenticate users when trying to use accounts you already have. However, OAuth was designed to make sure that you don't have to input your login credentials on third-party apps.

Both protocols can be used to accomplish similar tasks but that doesn't mean they should be used interchangeably. OpenID provides an identity assertion while OAuth is more generic. When a client uses OAuth, a server issues an access token to a third party, the token is used to access a protected resource, and the source validates the token. Notice, that at no point is the identity of the owner of the token verified.


SAML 2.0OAuth2OPinID Connect
What is it?Open standard for authentication and authorizationOpen standard for authorizationOpen standard for authentication
Primary use caseSSO for enterprise appsAPI authorizationOpen SSO for consumer apps

OAuth 1.0 vs. OAuth 2.0

OAuth 2.0 is designed to be a complete improvement on the workings of OAuth 1.0. The two similar frameworks are not compatible. If you create a new app or website today, make sure that it relies on OAuth 2.0. Most modern-day websites have switched to OAuth 2.0 because OAuth 1.0 has depreciated.

The latest version of OAuth, version 2.0, is easier and faster to implement on applications and websites. OAuth 1.0 was designed to rely on cryptographic requirements. It also did not support more than three flows or even scale.

OAuth 2.0 is designed with six flows that support different applications and requirements. This authentication protocol allows signed secrets over HTTPS. OAuth tokens do not need to be encrypted when they are sent from one endpoint to another. That's because they are encrypted in transit.

OAuth 1.0 vs. OAuth 2.0

How OAuth Protects APIs

It's possible to secure API with API connect. OAuth is a special authorization protocol that makes third-party websites and apps accessible without logging the user's credentials or personal information.

OAuth User Scenario

People who use API Connect along with this protocol have several methods they use to protect their API. These are some of the available options:

  • Creating an OAuth Provider API. The provider API will contain OAuth tokens for both endpoints of an OAuth flow.
  • Protecting an API with OAuth security definition. When you add this protocol's security definition to your app or website, you add settings that allow you to control API operations through the OAuth authorization standard.
  • OAuth Metadata URL and Authentication URL. You can set OAuth metadata URL or authentication URL that will be used to obtain user-specific content from a website. It will access it from a remote server and add it to the access token or as a part of the payload that contains the security token.

OAuth Responses

During the OAuth 2.0 process, the API connect produces various responses to requests.

Troubleshooting OAuth

If you have any problems with this protocol, you can troubleshoot by yourself. Navigate to the Developer Portal and forums on Youtube, Github, and DeveloperWorks.

Subscribe for the latest news