What is OAuth


OAuth is an open protocol that lets one website access a user's resources held on another website (images, videos, email, bank data, etc.) without the user disclosing their login credentials (username and password) to the site that needs the access. It is essentially a key or a visitor's badge: it grants more restricted access to the user's resources than the user has when logging into the site directly, much like a service key that opens only certain rooms of a building, and only for a limited time.

Understanding the OAuth protocol is based on knowing the following terms:

1. Resources – the private objects of a user to which other websites or applications want selective access.

2. The Service Provider – the party responsible for every aspect of the protocol implementation, the one that grants other clients access to the resources under its administration.
This may be a photo storage website that lets other websites retrieve the pictures stored by a particular user. It may be a website that stores all the contacts (name, email, phone, address, etc.) of its users. In general, it may be any service that stores selective, private information. As a rule, the service provider offers its services on the basis of enrollment and authentication with a username and password.

3. User – the one for whom this protocol was invented. The user has resources at a service provider (images, videos, contacts, messages, etc.) that they do not want to make public but do want to use on other websites. The user decides which websites are granted access to their resources.

4. Consumer – the website from which the user wants to access the resources held by the service provider.

5. The token – the identifier through which the service provider and the consumer communicate. From it, the service provider knows which user's resources are to be shared, and which of them.

So, let's assume that we have an account on the AAA website where we store some images from our last trip, and we want these images printed by an online service. Here the service provider is AAA, because it holds resources that we want to share, via the OAuth protocol, with a photo printing website. To get the images stored on AAA, we could download them manually and upload them to the photo print website, but that would take too long. The photo print website offers to fetch them automatically on our behalf. Without OAuth, this would require giving it our AAA email address and password so that it can request the list of our photos on our behalf. The security and trust problem then lies with the printing service: once we hand over the password, it may be stored on their servers, and someone with bad intentions can do damage. This is where OAuth comes in. The process of obtaining information from AAA without disclosing the password to any website other than AAA is as follows:

1. We access the consumer's website, in our case the one that will provide the print services.

2. We find the information about how it can fetch pictures from the AAA website on our behalf.

3. We are sent to AAA, a safe place, where we authenticate ourselves with our email and password.

4. After authentication, AAA redirects us back to the website where we started (the image print website) and provides it with a token.

5. Using this token, the photo print website makes requests on our behalf to AAA to access the photos to be printed.

The token is a unique, secret code that ensures only the images in our account are accessed, and only for a limited time.
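The five steps above and the token properties they rely on, as an added example that is not part of the original post and not a real OAuth library: a toy simulation in which the service provider (AAA) is the only party that ever sees the password, the consumer (a print shop) receives only a one-time code and then a token, and the provider rejects a reused code, an unknown token and an expired token. The user name, password, photo names, scope string and callback URL are constructed sample values; the one-hour lifetime is an assumption.

```python
"""Toy simulation of the OAuth flow described above (added example, not the
post's own code). Real OAuth has more detail (registered client secrets,
PKCE, refresh tokens); this keeps only the parts the five steps talk about."""
import hmac
import secrets
import time
from dataclasses import dataclass

TOKEN_TTL_SECONDS = 3600  # assumed token lifetime: one hour


@dataclass
class Token:
    value: str        # random, unguessable identifier handed to the consumer
    user: str         # whose resources this token may reach
    consumer: str     # which consumer it was issued to
    scope: str        # what it may do (here: read photos only)
    expires_at: float  # unix time after which the provider refuses it


class ServiceProvider:
    """AAA: stores credentials and photos; the only party that sees the password."""

    def __init__(self):
        self._users = {}      # username -> password (constructed sample; toy storage)
        self._photos = {}     # username -> list of photo names
        self._consumers = {}  # consumer id -> redirect URL registered up front
        self._codes = {}      # one-time authorization code -> (user, consumer, scope)
        self._tokens = {}     # token value -> Token

    def register_user(self, username, password, photos):
        self._users[username] = password
        self._photos[username] = list(photos)

    def register_consumer(self, consumer_id, redirect_url):
        self._consumers[consumer_id] = redirect_url

    def authorize(self, username, password, consumer_id, scope):
        """Steps 3-4: the user authenticates at AAA (not at the consumer) and
        consents; AAA issues a one-time code to send back to the consumer."""
        if consumer_id not in self._consumers:
            raise PermissionError("unknown consumer")
        if not hmac.compare_digest(self._users.get(username, ""), password):
            raise PermissionError("bad credentials")
        code = secrets.token_urlsafe(16)
        self._codes[code] = (username, consumer_id, scope)
        return self._consumers[consumer_id], code

    def exchange_code(self, consumer_id, code):
        """The consumer trades the code for a token; the code is consumed."""
        entry = self._codes.pop(code, None)
        if entry is None or entry[1] != consumer_id:
            raise PermissionError("invalid or already used code")
        username, _, scope = entry
        tok = Token(secrets.token_urlsafe(32), username, consumer_id, scope,
                    time.time() + TOKEN_TTL_SECONDS)
        self._tokens[tok.value] = tok
        return tok.value

    def list_photos(self, token_value, now=None):
        """Step 5: a resource request, checked for validity, expiry and scope."""
        now = time.time() if now is None else now
        tok = self._tokens.get(token_value)
        if tok is None:
            raise PermissionError("unknown token")
        if now >= tok.expires_at:
            raise PermissionError("token expired")
        if tok.scope != "photos:read":
            raise PermissionError("scope not granted")
        return list(self._photos[tok.user])


class Consumer:
    """The print shop. Note there is no field for the user's password: it
    only ever holds the code and the token AAA gives it."""

    def __init__(self, consumer_id, provider):
        self.consumer_id = consumer_id
        self.provider = provider
        self.token = None

    def handle_redirect(self, code):
        self.token = self.provider.exchange_code(self.consumer_id, code)

    def fetch_photos(self):
        return self.provider.list_photos(self.token)


def _rejected(call):
    """True if the provider refuses the call (demo helper)."""
    try:
        call()
        return False
    except PermissionError:
        return True


def run_flow():
    """Runs steps 1-5 with constructed data and reports what was checked."""
    aaa = ServiceProvider()
    aaa.register_user("alice", "correct horse battery staple", ["trip1.jpg", "trip2.jpg"])
    aaa.register_consumer("printshop", "https://printshop.example/callback")
    shop = Consumer("printshop", aaa)
    # Steps 1-3: the user is sent to AAA and types the password there only.
    _redirect_url, code = aaa.authorize("alice", "correct horse battery staple",
                                        "printshop", "photos:read")
    shop.handle_redirect(code)            # step 4: AAA redirects back with the code
    photos = shop.fetch_photos()          # step 5: request on the user's behalf
    late = time.time() + TOKEN_TTL_SECONDS + 1
    return {
        "photos": photos,
        "code_reuse_rejected": _rejected(lambda: aaa.exchange_code("printshop", code)),
        "unknown_token_rejected": _rejected(lambda: aaa.list_photos("not-a-token")),
        "expired_token_rejected": _rejected(lambda: aaa.list_photos(shop.token, now=late)),
    }


if __name__ == "__main__":
    print(run_flow())
```

The design point is the separation the post describes: the password is typed only into `ServiceProvider.authorize`, while the `Consumer` class has no place to store it and can act only within the scope and lifetime encoded in the token, which is why a leaked token is far less damaging than a leaked password.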

About the author

By Ilias spiros