Explained: OAuth: What You Need To Know


What is OAuth?

OAuth is an authentication and authorization protocol originally developed for web applications; it was born at Twitter around 2006.

It allows third-party software to do something on your behalf, for a limited time, without giving that software complete and ongoing access to your confidential information. The most common analogy is the valet key.

Let us go a little deeper and learn more about OAuth.

Q: So, valet keys. You mean the keys you normally hand over to the valet at a hotel car park?

A: Yes. Those keys open and start your car, but only for a short trip, and without opening the trunk. OAuth works as a valet key for your data: it provides temporary, limited access to something that is yours without handing over control.

Q: Now I understand what you mean, but ... is this a real problem?

A: It has become one, as online services and social networks of all kinds, from Twitter and Flickr to banking, have become not only ubiquitous but interrelated: they are much more useful when you can make them work together.

Q: You mean cases such as publishing a Flickr gallery on Facebook.

A: Yes, exactly. Being able to do this without having to manually re-enter everything is great. But doing it without something like OAuth can mean giving those sites full access to all your data (files, contact lists, or access to other services).

Q: So that's why you spoke of both authentication and authorization?

A: Right. Authentication means having a way to prove that you really are who you say you are. Note that, in general, it makes no difference whether "you" is a human or a program. Authorization is a separate, equally necessary service. If a person or program has already proven to Facebook who they are, that does not mean they have permission to update our status as if they were us.

Q: Couldn't OpenID be used for this?

A: OpenID is only concerned with authentication. OAuth, by contrast, covers the case where (in OAuth terminology) some piece of software (the client) wants to access data on behalf of whoever has the right to grant such access (the resource owner), while being completely independent of, and unknown to, the software or service that actually stores those resources.

Q: Wait a minute! Something like this was possible before OAuth!

A: Yes, but it mostly meant either being one of a network of websites that already cooperated, or giving at least one of them your usernames and passwords for all the others. OAuth tries to close this security hole.

Q: You mean giving access to what lies inside an Internet account without giving away my username and password?

A: Suppose you comment on some blog and want the blog to post under your Twitter name, to avoid retyping it. When you tell the blogging software to do so (for example by clicking a button), it sends a request to Twitter that includes an identification key and the list of data or services it wants to access in your account. Twitter (not the blog) then presents you with a custom permission form hosted on its own server. If you log in successfully on Twitter and answer "yes" to this request, you have authorized Twitter to satisfy the blog's request, without disclosing your username and password to the blog.

Q: Cool! What then?

A: Twitter tells your browser to return to the blog, but with a special URL that contains a single-use license key, the "access token". From then on the blogging software can present this token to Twitter as proof that it is the one that just received your permission to do something for, or with, your account.

Q: Will this work with all sites that support OAuth, not only Twitter?

A: Yes, as long as those sites do not reject the initial request, of course. Besides convenience for the end user, another powerful driver behind OAuth is the desire to make life harder for spam bots and other malicious applications.

Q: How does OAuth do that?

A: Independently of user authentication, software works as described only if it has permission from the site it wants to access. OAuth does this by using several identification keys, or credentials, in parallel.

Q: What are those credentials, and who issues them?

A: The ones we have already mentioned, used to declare that you granted a certain program access without giving it your password, are the so-called token credentials. Before getting to that point, however, the client must send the server valid client credentials.

In general, these come from the web server itself. The developers of a program that wants to add OAuth features register it with the server to obtain such credentials, or keys. This makes it a little easier to stop malware, but it also broke a lot of existing programs.
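The exchange described in the last few answers (a client registered with the server, the user approving on the server's own form, a one-time code in the redirect URL, then a scoped and temporary token presented by the client) as a small in-memory model. This is an added example, not code from the original article or from any real Twitter or OAuth library; the class and method names, the callback URL and the secret values are all constructed.

```python
import secrets
import time
from dataclasses import dataclass


@dataclass
class Grant:
    client_id: str
    scopes: frozenset   # what the resource owner agreed to, e.g. {"post_tweet"}
    expires_at: float   # temporary access, like a valet key


class AuthServer:
    """Plays the part of Twitter: knows the user's password and issues tokens."""

    def __init__(self, registered_clients, user_password, ttl=300):
        self.clients = registered_clients   # client_id -> client_secret, from registration
        self.user_password = user_password
        self.ttl = ttl
        self.pending = {}                   # one-time code -> Grant, not yet redeemed
        self.tokens = {}                    # access token -> Grant

    def authorize(self, client_id, scopes, login_password, approve):
        """Permission form hosted by the server: the user logs in here, not at the blog."""
        if client_id not in self.clients or login_password != self.user_password or not approve:
            return None
        code = secrets.token_urlsafe(16)
        self.pending[code] = Grant(client_id, frozenset(scopes), 0.0)
        return "https://blog.example/callback?code=" + code   # constructed redirect URL

    def redeem(self, client_id, client_secret, code):
        """The blog presents the one-time code plus its own client credentials."""
        grant = self.pending.pop(code, None)   # pop: the code cannot be used twice
        # Note: this secret check only proves something for a client that can keep
        # the secret private (a web server), not for a program shipped to desktops.
        if grant is None or grant.client_id != client_id or self.clients.get(client_id) != client_secret:
            return None
        token = secrets.token_urlsafe(16)
        self.tokens[token] = Grant(client_id, grant.scopes, time.time() + self.ttl)
        return token

    def access(self, token, action, now=None):
        """Resource check: token known, not expired, and the action is within scope."""
        grant = self.tokens.get(token)
        now = time.time() if now is None else now
        return grant is not None and now <= grant.expires_at and action in grant.scopes


def demo():
    # Constructed values: one registered client (the blog) and one user password.
    server = AuthServer({"blog-app": "s3cret"}, user_password="hunter2")
    url = server.authorize("blog-app", ["post_tweet"], "hunter2", approve=True)
    code = url.split("code=")[1]
    token = server.redeem("blog-app", "s3cret", code)
    return server, code, token
```

The blog never learns the password, the token only covers the scope the user approved, it expires, and the code in the callback URL works exactly once.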

Q: You keep talking about websites. Does this mean that OAuth is useless for desktop software?

A: Now that's a trick question. Technically, nothing in OAuth prevents clients from being traditional desktop applications running inside your computer. In practice, though (at least for OAuth 1.0), it either makes life more difficult for developers acting in good faith, or makes the whole concept of client credentials almost useless. Especially with open source software.

Q: Argh! That's bad, but why?

A: Because the system works as I described only when the client credentials are embedded in source code and/or compiled programs that run solely on a web server. In software distributed to users, anyone can read those credentials in the source code, or dig them out of the executable with a hex editor and similar tools.

Q: Is that why the problem is even greater with open source desktop software?

A: Exactly. If you write something that is expected to stay private into source code that everyone has the right to download and study ... it is not private, by definition, right?

Q: Yes, but that only makes the system less useful. Why do you also say that OAuth breaks existing software?

A: Because before OAuth 1.0, anyone with a basic knowledge of shell scripts and curl (including me!) could, in minutes, write a script that automatically logged in to Twitter, read a timeline or sent a tweet. OAuth makes this impossible without valid, registered client credentials. And obtaining those credentials takes much longer than writing the script in the first place!

Q: Is there no way to fix those scripts?

A: Of course there is: just use one of the many software libraries that have already been registered. However, this still makes the scripts much harder to write and maintain than they were. Until OAuth 2.0 is out, at least.

Q: You mean there's a 2.0 version coming? When?

A: The forecast, at the time of writing, is that OAuth 2.0 should be completed by the end of 2011.

Q: What is new in OAuth 2.0? Does it solve these problems?

A: Maybe. One of the biggest changes is the addition or redefinition of several so-called "flows" for obtaining credentials in the simplest possible way, even in scenarios where the clients are not web servers but, for example, software running on mobile devices. There is also a cookie-based flow that should make it possible to resurrect the old cURL-based web automation scripts. There should also be a number of performance optimizations, because OAuth 1.0 does not perform very well in that respect.

