Everything You Need to Know About OAuth/OAuth 2.0 API Authentication
We all know that you shouldn’t share your email or password with a website you don’t trust. But, thanks to web authorization protocols like OAuth, this safety concern is no more. With OAuth, people can now use website and app services using access tokens (and not sensitive credentials), all while streamlining the end user experience.
If you are keen to learn more about how OAuth works, keep reading. We’ll look into what OAuth is, how it works, and its benefits to both the end-users and developers.
What is OAuth?
OAuth is a secure web protocol that allows users to approve an application or website to interact with another application or website without giving away their login credentials (email and password).
For example, some websites will allow you to log in via Google, meaning you can access the website without sharing the password to your Google account with that website.
This is all possible thanks to OAuth. The first version of this technology, OAuth 1.0, was released in 2007. However, it had some shortcomings that led to the second version, OAuth 2.0, in 2013.
For example, with OAuth 1.0, users were redirected to open their browser to the desired service, authenticate with the service, and copy the token from the service back to the desktop or mobile app they were trying to access. This affected the experience of users, especially while using desktop and mobile applications.
OAuth 1.0 also required the client service/application to implement cryptographic request signing, which is not the case with OAuth 2.0. Most applications now use OAuth 2.0 to request access to useful information on accounts, such as Facebook and Google accounts, that users already own. If you were worried about the drawbacks that come with using OAuth 1.0, worry not, because chances are all the apps you are using on your PC and mobile device now use OAuth 2.0.
How OAuth Works
There are three main parties involved in the OAuth transaction: the client, the consumer (resource server), and the service provider (the application that already has the user information, such as Google). This is sometimes referred to as the “OAuth Love Triangle”.
Let’s look at how OAuth works using this simple example.
In our example, Tom is the user, our web application is the consumer, and Google is the service provider.
Tom wants to access our web app but is unwilling to share his password with an unknown service like us, while we don’t want the burden of protecting Tom’s sign-in information. So instead, we give Tom the option to sign in via Google, meaning Tom can quickly sign up without the need for a password, and we don’t need to worry about storing his credentials.
Here’s how it happens. We have integrated Google’s OAuth API into our application, and when Tom signs up, we make a request to Google for an access token to see his first and last name.
When Google receives this request, it will ask Tom to approve whether he wants our app to use some of his Google information. If Tom approves, he will be redirected back to our app, and the account will be created, with his first and last name already filled out for him. The access token that we have received only gives us access to the specific information that Tom has allowed, in this case just his basic identifying information.
Now how does the process of exchanging tokens and permissions occur? Well, it’s a lot of back and forth in the “OAuth Love Triangle”, so here is an over-simplified version of how it works:
- Tom contacts our server, showing intent to use our service via Google.
- We contact Google asking for a request token to see Tom’s basic information.
- Google responds with a request token and a secret. We will use this secret to sign any requests to avoid any request forgery attempts.
- We redirect Tom to Google so he can approve our request for his information.
- Tom approves the request, and Google marks the request token as approved.
- We then request an access token in exchange for our approved request token, making sure to sign the request with the secret.
- We get an access token to Tom’s account from Google, valid only for the data he has approved.
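The seven steps above, carried through as an added simulation (not code from the article, and not any real provider's API): a constructed `Provider` stands in for Google, the consumer signs the token exchange with the secret from step 3, and the resulting access token is checked against the scope Tom approved. The class and method names, the HMAC-SHA256 signature and the sample profile data are all assumptions made for this example.

```python
import hmac, hashlib, secrets

# Constructed stand-in for the service provider (Google in the article).
# Method names, the signing scheme and the stored data are assumptions.
class Provider:
    def __init__(self):
        self.request_tokens = {}  # request token -> {"secret", "scope", "approved"}
        self.access_tokens = {}   # access token -> scope it was issued for

    def issue_request_token(self, scope):            # steps 2-3
        token, secret = secrets.token_hex(8), secrets.token_hex(16)
        self.request_tokens[token] = {"secret": secret, "scope": scope, "approved": False}
        return token, secret

    def user_approves(self, token):                  # steps 4-5: Tom clicks "Allow"
        self.request_tokens[token]["approved"] = True

    def exchange(self, token, signature):            # steps 6-7
        rec = self.request_tokens.get(token)
        if rec is None or not rec["approved"]:
            return None                               # unknown or not yet approved by Tom
        expected = sign(token, rec["secret"])
        if not hmac.compare_digest(expected, signature):
            return None                               # forged exchange: caller lacks the secret
        del self.request_tokens[token]                # a request token is single-use
        access = secrets.token_hex(16)
        self.access_tokens[access] = rec["scope"]     # access is bound to the approved scope
        return access

    def resource(self, access, scope):
        if self.access_tokens.get(access) != scope:
            return None                               # token was not issued for this scope
        return {"first_name": "Tom", "last_name": "Example"}  # constructed sample data

def sign(token, secret):
    # Consumer-side signature over the request token, keyed with the secret from step 3
    return hmac.new(secret.encode(), token.encode(), hashlib.sha256).hexdigest()

def run_flow(provider, forged=False):
    # forged=True models a party that saw the approved token but never held the secret
    token, secret = provider.issue_request_token("profile:name")
    provider.user_approves(token)
    return provider.exchange(token, sign(token, "wrong-secret" if forged else secret))
```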
Why is OAuth Important?
OAuth is one of the most significant security-focused protocols to have arrived on the web in a long time.
1. Save time while accessing new websites and apps
One of the things that many internet users find tedious is creating an account on a new website or application. Many users will opt not to use a particular web app or site if it requires a lengthy signup process. However, with OAuth, one can sign into a new app or website in less than a minute, since no detailed user information is required.
For the apps, this is also a win. Think of all the potential users they would have lost if they hadn’t added the sign-in option using popular platforms like Google, Facebook, and Apple.
2. It saves users the anxiety of worrying about their data
Data brokering has become a very common practice on the web, where companies sell user data to other companies or individuals without the users’ consent. Now that it’s possible to sign into a website without giving it your email address, users are less worried about their data being traded to unauthorized third-party companies or individuals.
So, if you don’t trust a website’s privacy policies, but you want to use their services, you can now sign up through OAuth API without sharing critical information about yourself. Plus, the OAuth APIs from most of these companies are free, so developers can integrate them into their apps without paying a penny.
3. More freedom to the user regarding the data they want to share
OAuth allows users to only share the information they want to share between different apps. While signing into any application using an already existing account on another app, you are given the option to choose which data you want the app you are signing into to access. That means the app is not given full access to all your user information.
Which Sign-in Option Should You Use?
If you’re an app developer, it’s best to add the sign-in options your target users are likely to use. For instance, if you develop iOS applications, the “Sign in with Apple” option is a must, because these users are more likely to trust Apple than the other available options. The same goes for Google sign-in on Android.
Another aspect to look at is improving the user experience beyond just the signup and login pages. The data available through sign-in options from Facebook, Twitter and LinkedIn is invaluable for any application that needs to build a profile of a new user. In this day and age it’s quite an inconvenience to enter your demographic information when you sign up to a new service; users expect to have that information filled out for them, which is achievable by fully utilizing the correct sign-in providers.
Determine the accounts used by the majority of your target users and add those sign-in options to make it easier for them to log into your application.
Drawbacks with OAuth
OAuth is not without its faults. Overall, it has two major drawbacks.
1. You’re one data breach away from a mess
On the user side, if you choose to log in with Facebook and your Facebook account gets hacked, the hacker now has access to all of the accounts you log in to using Facebook. To overcome this, we recommend enabling two-factor authentication on the main accounts that you use to sign into other apps.
Most of these popular platforms like Facebook, Google, and Apple allow their users to enable two-factor authentication.
2. You are relying on a single company’s security
On the developer side, if you choose to let users sign in with Google, Facebook, or Apple, your fate relies entirely on the security of these companies. In the unfortunate event that the company you trusted has a security breach in its servers, your user base may lose access to all of the apps connected to that account until those servers are restored.
Final Remarks
OAuth is one of those security protocols that have made the life of internet users much easier. One doesn’t have to constantly create accounts with different websites, especially those they don’t trust. With just one primary account, a user can sign up to hundreds of apps without entering any of their personal information. This seamless sign-in process is a win for both users and app developers.
If you’re looking for an easy way to implement your company’s OAuth process, consider Broadcom’s OAuth Toolkit, an all-in-one OAuth solution for web and mobile APIs. This highly efficient solution delivers a centralized point for implementing OAuth.
Key features include: a personalized, full-featured authorization server that supports all grant types; seamless integration with popular identity and access management (IAM) and SSO tools; and a user-friendly admin screen for client and token management. The OAuth Toolkit is part of a full life cycle API solution by Broadcom that makes it easy to manage APIs and OAuth deployments. Contact us today to learn more about OAuth.
- On October 25, 2021