OAuth is an authentication protocol that allows you to approve one application interacting with another on your behalf without giving away your password.
Quiet confused isn’t it? Lets discuss this with a simple example..
You got to know that there is Internet problem at your house.So,you call the Internet Service provider Customer care.
They send you a person.Now,you give your house keys to that person and leave to office for some urgent work.
You are now taking a risk..
You need to trust the person for,
1)He should not take away the things at your home
2)He should not make copies of the keys and distribute to his friends
3)He now knows you by face and can use the keys to enter into your house
This is a simple analogy to the problem where user shares his credentials of his gmail/facebook/twitter or any accounts with some third party website, so that the third party website can access his gmail/facebook etc to place some updates.
This is where OAuth comes to sort out the issue…
Oauth gives the access to the third party to only the stuff the user wants them to use in his gmail/facebook/twitter etc.
In Oauth,Password is not shared.
So,With Oauth ,its now like ,
You got to know that there is Internet problem at your house.So,you call the Internet Service provider Customer care.They send you a person.Now,you give a special key which can open only one room and which will restrict access to rectify only the Internet connection problem.You can anytime get back the special keys from the person.
Now you handover the special keys to the person and leave to office for some urgent work.
You now can have a great relief,because..
1)He can not take away the things at your home
2)Even if he makes copies of the keys and distribute to his friends,its of no use.And anytime you can get back the special keys.
This is the analogy of how Oauth works..
1)You want a thirdparty to access your facebook by posting Weather updates in your Timeline
2)You are not going to share your facebook username and password to the thirdparty
3)First,the Thirdparty redirects you to your facebook after you enter your username and password(Note that you are not entering in thirdparty website.You are actually entering credentials in your facebook.)
4)Now facebook asks you,whether you are fine that the thridparty accessing your facebook for posting in your timeline on weather updates
5)You give Grant access.This is the stage where access token is generated
6)The Access token is shared with the Thirdparty
7)From then on,the Thirdparty can use the AccessToken to enter into your facebook and post the weather updates in your timelines
What if the thirdparty tries to post some sports news?
Access denied error will be thrown for the thirdparty as it is restricted only for Weather updates.This is defined in Access token.
What if the AccessToken is hacked by some other website from the thirdparty?
Since it is not your passwords,the thirdparty cannot misuse your facebook account.However,it will be still able to post Weather updates in your timelines (whatever the thirdparty was allowed to do).
Hence,you can deny access to that Thirdparty anytime by getting into your settings page.
Now… go back to the first two lines of this post and read again..
Loved the analogy! Thanks for sharing this
ReplyDelete