Introduction: What is OAuth?

OAuth is an authorization protocol used to secure web, mobile and desktop applications. It is a set of rules that allow a third-party website or application to access a user’s data without the user needing to share login credentials.

OAuth is a way to authenticate users – to ensure a user is who he says he is. The protocol was designed to bypass problems with the sharing of user credentials in distributed and Web 2.0 environments. With OAuth, resources stored on one website can be shared or accessed by a user once he is authenticated via OAuth. There is no need for the user to create a new account on the website and, at the same time, the website is not privy to the user’s credentials.

How does it work?

OAuth operates much like a client/server computing model: the primary website storing the user’s resources acts as the server, and the website or application accessing that data is the client. The primary website establishes an OAuth interface (otherwise called an API) and issues a secret key to the requesting website as a means of establishing a session to validate the user. Once the user requests access to the data or resources from the client website, he or she takes a side trip and is forwarded to the login procedure of the primary website, where the user provides his or her login credentials. Upon successful authentication there, an authorization token is sent from the primary website to the requesting website as an acknowledgment of authentication, allowing the user access to the data or other resources originally requested.

Real Time scenario:

We come across the following login method on most websites on a daily basis.

Login

This is the login screen of the XYZ website. Here the user has the option to provide his credentials or to log in using an existing account with Facebook, Google or Yahoo. If the user chooses Facebook, he can avoid entering his credentials into the XYZ website.

Flow of OAuth Authentication

OAuth Flow
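The flow diagram above is not reproduced here, so the following added example (written for this page, not code from the original post or from any OAuth provider) walks through the exchange described under "How does it work?" in a single Python process. The `AuthServer`, `ResourceServer` and `Client` classes, the `xyz-web` client registration, the `auth.example` and `xyz.example` hostnames and the user `alice` are all constructed for illustration. It shows the side trip to the primary website's login, the redirect back with a short-lived code, the back-channel exchange of that code plus the client secret for an access token, and the checks a defender cares about: the password never reaches the client, the `state` value ties the callback to the session that started it, a code can be redeemed only once, and the API releases only what the granted scope covers.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed sample data (not any real provider's): one client registered with the
# primary website, and one user whose password hash exists only on the primary website.
CLIENTS = {"xyz-web": {"secret": "s3cr3t-issued-at-registration",
                       "redirect_uri": "https://xyz.example/callback"}}
USERS = {"alice": hashlib.sha256(b"correct horse battery staple").hexdigest()}


class AuthServer:
    """Primary website: the only party that ever sees the user's password."""

    def __init__(self):
        self.codes = {}   # authorization code -> (client_id, user, scope, redirect_uri)
        self.tokens = {}  # access token -> (user, scope)

    def authorize(self, client_id, redirect_uri, scope, state, username, password):
        # The 'side trip': the user logs in here and is redirected back with a code.
        client = CLIENTS.get(client_id)
        if client is None or client["redirect_uri"] != redirect_uri:
            raise ValueError("unknown client or redirect_uri mismatch")
        given = hashlib.sha256(password.encode()).hexdigest()
        if not hmac.compare_digest(USERS.get(username, ""), given):
            raise PermissionError("bad credentials")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, username, scope, redirect_uri)
        # Echo the client's state so it can tell its own callback from a forged one.
        return f"{redirect_uri}?{urlencode({'code': code, 'state': state})}"

    def token(self, client_id, client_secret, code, redirect_uri):
        # Back channel: client secret + code -> access token. Each code works once.
        client = CLIENTS.get(client_id)
        if client is None or not hmac.compare_digest(client["secret"], client_secret):
            raise PermissionError("client authentication failed")
        entry = self.codes.pop(code, None)  # pop() makes the code single-use
        if entry is None or entry[0] != client_id or entry[3] != redirect_uri:
            raise PermissionError("invalid or already used code")
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (entry[1], entry[2])
        return {"access_token": token, "token_type": "bearer", "scope": entry[2]}


class ResourceServer:
    """API on the primary website: releases only what the token's scope allows."""

    def __init__(self, auth):
        self.auth = auth
        self.data = {"alice": {"profile": {"name": "Alice"}, "email": "alice@example.org"}}

    def get(self, token, resource):
        user, scope = self.auth.tokens.get(token, (None, ""))
        if user is None or resource not in scope.split():
            raise PermissionError(f"token does not grant '{resource}'")
        return self.data[user][resource]


class Client:
    """Requesting website (XYZ): holds a client secret, never the user's password."""

    def __init__(self, auth):
        self.auth, self.client_id = auth, "xyz-web"
        self.secret = CLIENTS["xyz-web"]["secret"]
        self.redirect_uri = CLIENTS["xyz-web"]["redirect_uri"]
        self.pending_state = None

    def login_url(self, scope):
        # URL the user is forwarded to; 'state' ties the callback to this session.
        self.pending_state = secrets.token_urlsafe(16)
        params = {"response_type": "code", "client_id": self.client_id, "scope": scope,
                  "redirect_uri": self.redirect_uri, "state": self.pending_state}
        return f"https://auth.example/authorize?{urlencode(params)}"

    def callback(self, redirect_url):
        # Handle the redirect from the primary website and exchange the code.
        q = parse_qs(urlparse(redirect_url).query)
        if q.get("state", [None])[0] != self.pending_state:
            raise PermissionError("state mismatch: callback not started by this client")
        self.pending_state = None
        return self.auth.token(self.client_id, self.secret, q["code"][0], self.redirect_uri)


def rejected(fn, *args):
    # True if the call is refused with PermissionError.
    try:
        fn(*args)
        return False
    except PermissionError:
        return True


def run_flow(scope="profile"):
    # Drive the whole exchange and report what each check decided.
    auth = AuthServer()
    api, client = ResourceServer(auth), Client(auth)
    client.login_url(scope)  # user is forwarded to the primary website's login
    args = ("xyz-web", client.redirect_uri, scope, client.pending_state, "alice")
    bad_password_rejected = rejected(auth.authorize, *args, "wrong password")
    redirect = auth.authorize(*args, "correct horse battery staple")
    code = parse_qs(urlparse(redirect).query)["code"][0]
    tok = client.callback(redirect)
    return {"profile": api.get(tok["access_token"], "profile"),
            "bad_password_rejected": bad_password_rejected,
            "replay_rejected": rejected(auth.token, "xyz-web", client.secret, code, client.redirect_uri),
            "email_denied": rejected(api.get, tok["access_token"], "email")}


if __name__ == "__main__":
    print(run_flow("profile"))
```

Running `run_flow("profile")` returns the user's profile while reporting that the wrong password, the replayed code and the out-of-scope `email` request were all refused; calling it with `"profile email"` instead grants the e-mail address, which is the point of the "Security" advantage below: the client gets exactly what the user authorized and nothing more. In a real deployment the three classes live on different hosts and the token exchange happens over TLS; the in-process calls here stand in for those HTTP requests.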

Advantages of OAuth authentication

Authentication that doesn’t require the user’s login credentials has many advantages:

• Security: When developing an application, you don’t need to worry about the confidentiality of the user’s credentials. The login and password are not sent to the application, so they can’t get into the wrong hands.
• User loyalty: Users are more likely to trust an application when they are sure that their personal data is not vulnerable to unauthorized access. Since the application doesn’t have the user’s login and password, it can only access personal data exactly as the user authorized, and nothing more.
• User convenience: Users who are already signed into Facebook do not need to re-enter their login and password. Not having to enter credentials frequently is a real benefit for mobile users.

Sandeep
Technical Architect