oAuth Explained With An Example
The problem with using more and more social networks is with every social network you join you need to create profile then invite friends. There is no way to carry your data from one network to another network with out a hitch. Few smart people have already started working on this issue of DataPortability in detail. So lets not worry about it.
In the mean time few web apps have given users an opportunity to share the data. Take an example of adding all your Gmail contacts into Orkut. Login to Orkut and then enter your gmail id/password to invite all your contacts. This seems OK since both Gmail and Orkut is owned by the same company. Your id/password *does not* leave Google.
Where as the same model is used by LinkedIn to add your professional contacts. You need to give your userid/pw details of gmail/hotmail to add the contacts. This doesn’t seem OK even with their promise of privacy and purpose.
Now how would you achieve this with out sharing the credentials?
An open protocol to allow secure API authentication in a simple and standard method from desktop and web applications. oAuth is not not a new concept. It is similar to your Google AuthSub, AOL OpenAuth, Yahoo BBAuth, Upcoming API, Flickr API, Amazon Web Services API but more open and not proprietary.
How is it more safe?
Think you are a couchsurfer and you have a guest at home. You feel good to have a guest at home and you want him to enjoy his stay. Since your and your guests timings are not matching you like to give him key of your home. So he can manage when you are not around.But this key is a special key and not your regular (master key) key. With this key your guest can enter your home and kitchen but not your bedroom. oAuth works on similar principles.
How does oAuth work ?
Lets not get into dry details of protocol. Lets see how the protocol works with an example flow. The case study includes social bookmarking sites magnolia and delicious. Their interaction with Nsyght.
Nsyght pulls your bookmarks from your delicious and magnolia accounts and creates a search engine out of it. To pull the bookmarks on daily basis it needs to log into your magnolia/delicious account. For which you either need to share the credentials or implement oAuth. Lets see how its done.
Delioious doesn’t implement oAuth hence for Nsyght to pull your bookmarks it needs your userid/pw. Nsyght stores your userid/pw for future use.
Lets see how ma.gnolia does this. Magnolia has oAuth implemented. At Nsyght just click authorize.
Here magnolia is the service provider and Nsyght is the consumer. Nsyght sends a request to magnolia to authorize the request.
Magnolia will force you to login. Ma.gnolia uses another standard OpenId for login feature. Once you login to magnolia using correct userid/pw then it will take you to authorize page.
Where you can authorize Nsyght to access the your magnolia bookmarks. Once done it returns to Nsyght.
Now at Nsyght you can see that your Nysght account as been authorized to access your magnolia bookmarks. And your Nsyght account doesnt need any other details for accessing your magnolia accounts.
For a developer this is more complex. The oAuth protocol exchanges oAuth keys for authorization between the service provider and consumer. Where consumer can have limited access to the resources using oAuth access keys. If you are a developer you need to read oAuth Spec to get more details or wait for my next blog post.