To give you a real world example, assume I am logged in to my Linkedin account and update my status, and I wish the same status message to be published to my Twitter account without logging in to Twitter. OAuth allows me to publish my status update on Linkedin to my Twitter account. Now I do not have to log in to both (Linkedin & Twitter) to post the same status update.
Similarly, there are several other examples which show how OAuth technology is implemented by many social networking sites to give you the capability to share your data with other sites. Some real examples:
1. I would like to get my horoscope updates from an online horoscope website posted to my Facebook wall every day.
2. I can share pictures uploaded to Facebook with an online printing service to get them printed & delivered to my home address.
3. I would like to share the content/news/videos that I read on the internet with my friends on my social networking site page.
OAuth is a federated identity technology which provides an open standard for authentication & authorization. It allows the user to share their personal data (e.g. status messages, photos, videos, contact lists) from one site with other sites without explicitly providing their credentials.
I talked about a similar technology called OpenID in my previous blog, so how is OAuth similar to or different from OpenID? The similarity lies in the fact that both technologies provide an authentication framework from one site to other sites without explicitly providing the credentials; however, there are many significant differences between them. OAuth is complementary to OpenID and can be used & implemented in lieu of OpenID for authentication. Some of the differences are as follows:
OpenID only provides an authentication method, but OAuth provides both authentication & authorization methods.
An extension to OpenID allows the Relying Party to access the user's attributes stored at the OpenID provider with the user's approval; however, OAuth allows the Client Application (aka Relying Party) to access the user's private data (such as photos, videos, contact lists etc.) with the user's approval.
OpenID authentication works based on the OpenID URL, whereas OAuth authentication works based on an OAuth token (valet key).
OAuth works on a concept called the valet key. The idea of the valet key comes from an additional key provided by luxury car manufacturers. Some of these luxury cars come with an additional key, known as a valet key, that can start the ignition & open the doors but prevents joyrides. So, if you possess a luxury car and hand it over for valet parking at many places, you do not want your car to be used for a joyride. So you hand over your car with a valet key, which allows the valet parking attendant to gain access to your car but prevents joyriding. This way you are allowing them to park your car on your behalf while at the same time limiting them to driving only a short distance.
Each technology uses its own terminology to explain its concepts, and so does OAuth. I will be using the terminology explained below while explaining OAuth.
1. Resource Owner - A person/user who owns an account with one of their trusted Identity providers which supports OAuth
2. Client Application - A web application which provides its services online
3. Resource Server - A server at the Identity provider's end that contains the user's private data such as photos, videos etc.
4. Authorization Server - A server at the Identity provider's end which implements authentication & authorization
2. The Client application provides a list of the various Identity providers which support the OAuth protocol
3. The user chooses their preferred Identity provider; the Client application redirects the authentication request to the preferred Identity provider and the user provides their credentials.
4. The Identity provider validates the user's credentials and redirects the request back to the Client App, including an authentication code.
5. The user accesses the redirected Client App URL with the authentication code
6. The Client App sends this authentication code along with its Client ID & Client secret, which it got when registering with the Identity provider initially.
7. The Identity provider validates the authentication code, Client ID & Client secret and returns an access token (valet key), which is a long-lifetime token.
8. This completes the user's authentication process & the Client App logs the user in.
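As an added example that is not part of the original post, here is a minimal in-memory model of steps 4 to 7: the Identity provider issues a code after login, and the Client App exchanges that code together with its Client ID & Client secret for an access token (the valet key). The client name, secret and lifetimes are constructed for illustration; the code is bound to one client, expires quickly and is single-use, which is what keeps a leaked or replayed code from being turned into a token by anyone but the registered client.

```python
# Added example (not from the original post): in-memory model of the
# authorization-code exchange. Client name, secret and lifetimes are constructed.
import secrets
import time


class AuthorizationServer:
    """Identity provider side: issues codes after login, exchanges them for tokens."""

    def __init__(self):
        # Client ID -> Client secret, recorded when the Client App registered (step 6).
        self.clients = {"photo-print-app": "s3cret-registered-earlier"}
        self.codes = {}   # code -> (client_id, expiry timestamp)
        self.tokens = {}  # access token -> client_id

    def issue_code(self, client_id, ttl=60):
        """Step 4: after validating the user's credentials, mint a short-lived,
        single-use code bound to the requesting client."""
        if client_id not in self.clients:
            raise ValueError("unknown client")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, time.time() + ttl)
        return code

    def exchange_code(self, code, client_id, client_secret):
        """Step 7: validate code, Client ID and Client secret; return an access token
        (the valet key). The code is consumed whether or not the exchange succeeds."""
        entry = self.codes.pop(code, None)
        if entry is None:
            return None  # unknown or already-used code
        bound_client, expiry = entry
        if time.time() > expiry or bound_client != client_id:
            return None  # expired, or presented by a different client
        if not secrets.compare_digest(self.clients[client_id], client_secret):
            return None  # constant-time check of the registered secret
        token = secrets.token_urlsafe(32)
        self.tokens[token] = client_id
        return token


def login_via_provider(server, client_id, client_secret):
    """Client App side: run steps 4-8 and report whether the user ends up logged in.
    A second exchange of the same code must fail, since the code is single-use."""
    code = server.issue_code(client_id)  # what the redirect in step 5 carries
    token = server.exchange_code(code, client_id, client_secret)
    replay = server.exchange_code(code, client_id, client_secret)
    return token is not None and replay is None
```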
For those with an inquisitive mind, I will soon come up with the Part 2 entry on this blog. Till then, keep watching this space.