Tuesday 12 March 2013

OAuth - An Overview


What is OAuth?

OAuth is an Open Standard for AUTHorization. The original OAuth 1.0 protocol is documented in RFC 5849; its successor, OAuth 2.0, is RFC 6749.

First published on Dec 4 2007, it is one of the fastest growing Open Web specifications.

In the words of OAuth.net,

OAuth is an open protocol to allow secure authorization in a simple and standard method from web, mobile and desktop applications.

So, in short: the client gets a key that lets it call some other API on the user's behalf. The key only opens what the user authorized; with the OAuth key you cannot do anything else.
It is just like the valet key that comes with your car. With the valet key you can drive the car a short distance, but you cannot use any other feature.

To make it more understandable , let me give another example.

In traditional client-server systems, the user passes a username and password to the server, and the server grants or denies the request based on whether the username and password are valid.



Nowadays there are so many websites: a user has a mail server, social networks, banking, and so on.

If a new username and password has to be remembered for each and every site, it becomes a real tiresome exercise for the user.

Suppose instead that I use only one username and password for all my different accounts. That is also a problem, because now a single leaked password exposes everything, and any site I hand it to can act as me everywhere.

What OAuth does is separate the roles. The person who owns the data is the resource owner; the application that wants to use that data is the client; the server that holds the data is the resource server. OAuth adds a third party to the classic client/server model: an identity provider (the authorization server), which authenticates the resource owner and issues the client a token. The resource owner grants access to the client at the identity provider, so the client never handles the owner's password.

The resource server holds the protected resources and is completely unaware of the owner's credentials; it only checks the token issued by the identity provider.

The following sequence, taken from an MSDN diagram of brokered authentication, depicts yet another way of implementing this.


1. The client submits an authentication request to the authentication broker.
2. The authentication broker contacts the identity store to validate the client's credentials.
3. The authentication broker responds to the client and, if authentication is successful, issues a security token. The token is valid for a period of time defined by the authentication broker, and the client uses it to authenticate requests to the service throughout that lifetime.
4. The client sends a request message to the service; it contains the security token issued by the authentication broker.
5. The service authenticates the request by validating the security token that was sent with the message.
6. The service returns the response to the client.


So, in order for the client to access resources, it first obtains permission from the resource owner. This permission is expressed as a token and a matching shared secret (in OAuth 1.0; OAuth 2.0 bearer tokens carry no secret of their own). The purpose of the token is to make it unnecessary for the resource owner to share its credentials with the client. Unlike the resource owner's credentials, tokens can be issued with a restricted scope and a limited lifetime, and they can be revoked independently. Once a token is issued, the client can access the resources on its own.
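The six-step brokered flow above and the token properties just described (restricted scope, limited lifetime, independent revocation), as an added example that is not part of the original post. The broker, service, identity store, user "alice", her password and the fake clock are all constructed for this demonstration; the design follows the OAuth 2.0 pattern of an opaque token introspected by the resource server, not any particular library's API.

```python
import hashlib
import hmac
import secrets
import time


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2 so the identity store never holds plaintext credentials."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AuthenticationBroker:
    """Steps 1-3: validates credentials against the identity store and issues
    a random opaque token bound to a resource owner, a scope and an expiry."""

    def __init__(self, identity_store: dict, token_ttl: int = 300, clock=time.time):
        self._store = identity_store          # username -> (salt, pbkdf2 hash)
        self._ttl = token_ttl                 # lifetime chosen by the broker
        self._clock = clock                   # injectable so expiry can be tested offline
        self._tokens: dict = {}               # token -> {"owner", "scope", "expires"}

    def issue_token(self, username: str, password: str, scope: set):
        entry = self._store.get(username)
        if entry is None:
            return None                       # unknown user: same answer as bad password
        salt, expected = entry
        if not hmac.compare_digest(hash_password(password, salt), expected):
            return None
        token = secrets.token_urlsafe(32)     # 256 bits of entropy, not guessable
        self._tokens[token] = {
            "owner": username,
            "scope": frozenset(scope),        # restricted scope recorded at issue time
            "expires": self._clock() + self._ttl,
        }
        return token

    def introspect(self, token: str):
        """Step 5 support: None for unknown, revoked or expired tokens."""
        info = self._tokens.get(token)
        if info is None or self._clock() >= info["expires"]:
            return None
        return info

    def revoke(self, token: str) -> bool:
        """Revocation touches only the token, never the owner's password."""
        return self._tokens.pop(token, None) is not None


class ProtectedService:
    """Steps 4-6: never sees a password; it checks only the token and its scope."""

    def __init__(self, broker: AuthenticationBroker):
        self._broker = broker

    def handle(self, token: str, action: str) -> tuple:
        info = self._broker.introspect(token)
        if info is None:
            return 401, "invalid, revoked or expired token"
        if action not in info["scope"]:
            return 403, f"token not scoped for {action}"
        return 200, f"{action} performed for {info['owner']}"


def build_demo():
    """Constructed identity store plus a fake clock (hypothetical data, not real users)."""
    clock = {"now": 1_000_000.0}
    salt = secrets.token_bytes(16)
    store = {"alice": (salt, hash_password("correct horse", salt))}
    broker = AuthenticationBroker(store, token_ttl=300, clock=lambda: clock["now"])
    return broker, ProtectedService(broker), clock


if __name__ == "__main__":
    broker, service, clock = build_demo()
    assert broker.issue_token("alice", "wrong password", {"read"}) is None
    token = broker.issue_token("alice", "correct horse", {"read"})
    print(service.handle(token, "read"))      # 200: within scope and lifetime
    print(service.handle(token, "write"))     # 403: scope was restricted to read
    clock["now"] += 301
    print(service.handle(token, "read"))      # 401: lifetime elapsed
    token2 = broker.issue_token("alice", "correct horse", {"read", "write"})
    broker.revoke(token2)
    print(service.handle(token2, "write"))    # 401: revoked without changing the password
```

Note that the service distinguishes a token it cannot accept at all (401) from a valid token that lacks the requested scope (403); a real deployment would also bind the token to the client that requested it and log the introspection failures, which this example omits.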

Now that we have a better understanding of OAuth, the next article will look at how it can be implemented in .NET.
