What is Oauth?
OAuth is an open standard protocol for authorization that allows a user to use Internet service functions, such as those provided by Facebook, Twitter and Yahoo, within other applications (desktop, web, mobile, etc.).
According to its official site:
OAuth is an authorization framework that enables a third-party application to obtain a limited access to an HTTP service.
Confused with Definition, check below diagram:
Here I will explain you what this image is all about. Let’s say we have a client web application (in image it is “Game”). In client application there is a button which says “Login With Facebook” (or it can be any system like Gmail, Yahoo). When you click, it will redirect you to the authenticating application (Facebook in our example). The User then logs into authenticating application, and is asked if he wants to grant access to her data, the user accepts the request and the game application accesses facebook data on behalf of user.
Don’t get confused with Oauth and login. Let me explain that both things are different. Lets see using a real life example.
Assume we have a company where employees gain access to its building using their employee identification card. Now assume that a guest (that is external entity) needs to visit the company. If login stands for an employee accessing the building through ID card, OAuth stands for a guest receiving a visitor card which have limited access and accessing the building. See the following example.
- An external Guest G says to the reception desk that he wants to meet Employee E for business purposes.
- The reception desk notifies Employee E that Guest G has come to visit him.
- Employee E comes to the reception desk and identifies Guest G.
- Employee E records the business purpose and identity of Guest G at the reception desk.
- The reception desk issues a visitor card to that External Entity that is Guest G.
- Employee E and Guest G go to the specified room to discuss their business.
I gave this example to help you understand the procedure of issuing OAuth and the authorization. The visitor card allows guests to access pre-determined places only which means that a person with a “visitor card” cannot access all the places that a person with an “employee ID card” can access. In that way, a user (here company’s employee having employee ID card) who has directly logged into the service can do more than a user who has been authorized by OAuth.