What is OAuth and how does it work?

OAuth is an open-standard authorisation protocol or framework that makes designated access for applications possible. Since OAuth relies on token authorisation, all user passwords remain safely protected.

OAuth (Open Authorisation)

OAuth is an open-standard authorisation protocol or framework that facilitates designated access for applications. With OAuth, for example, an external website can be allowed to post updates to a user’s social media profile. Instead of relying on credentials, OAuth uses HTTPS together with access tokens to authorise devices, APIs, servers and applications. Because the OAuth protocol lets users approve interactions between applications without sharing passwords, the user’s social media passwords are never handed to the external service. That means that if an external service is the victim of cybercrime, the user’s profile and credentials remain safe.

Enterprises rely on OAuth to protect partner and customer APIs as well as internal clients using private cloud models. Prior to OAuth, the only option was a direct authentication pattern, i.e. HTTP Basic Authentication, which relies on a username and password for both authentication and authorisation. This is still used as a form of API authentication for server-side applications, but in that case the client sends an API key ID and secret instead of a username and password to the server with each request. Before the OAuth protocol was developed, third-party websites would log in to users’ accounts (and read their data) after the users had typed their username and password into the third-party site, a practice often referred to as the password anti-pattern.

The OAuth standard was born of a desire to give users more control over authorisation permissions without having to hand over their social media login credentials. There are two versions of OAuth: OAuth 1.0a and OAuth 2.0. They are completely distinct and function independently of one another, without any backwards compatibility.

The OAuth 2.0 protocol supports a number of different client types that rely on access to REST APIs. This includes applications running on enterprise web servers and communicating with the cloud as well as applications on users’ mobile devices. The OAuth protocol is able to support distinct client types by defining multiple mechanisms for obtaining a token, with each mechanism taking into account the restrictions of its client type. OAuth 2.0 has a number of valuable features. For example, OAuth 2.0:

  • Facilitates the reading of user data from another application.
  • Supplies the authorisation workflow for web, desktop applications, and mobile devices.
  • Supports server-side web apps that rely on an authorisation code instead of interacting directly with user credentials.
  • Gives users greater control over their data by allowing them to grant access to various functionalities when using an application.

Benefits of OAuth

There is a broad reliance on OAuth in most company APIs, which makes it a wise choice for an authorisation protocol. Furthermore, there is a range of ready-made solutions that can be adapted to individual needs and OAuth can also handle multiple requests and address a number of users at once. There are also a number of other reasons why companies choose the OAuth authorisation protocol, including:

  • its reliance on Secure Sockets Layer (SSL), which keeps data secure and private between the web server and browsers. SSL relies on industry-standard cryptographic protocols to protect data and prevent data breaches.
  • its implementation of tokenisation to provide limited access to user data. For example, token IDs are used to denote sensitive data like credit card numbers and security codes stored on consumer websites. That means retailers receive tokens rather than the actual sensitive data.
  • its easy approach to strong authentication. For example, tokens can be revoked if need be (e.g. suspicious activity is detected). It also facilitates the integration of two-factor authentication and can be used with single sign-on.
  • its use of HTTP / HTTPS to access resources, with tokens indicated in the header. This makes it possible to integrate OAuth in almost any solution, including mobile and desktop applications, websites and platforms, and even in browser plug-ins.

How Does OAuth Work?

As mentioned, OAuth 2.0 makes it possible for applications to access and exchange data without sharing user credentials. It does this by remotely storing sensitive data and assigning it a token ID. This way, retailers and third parties can verify tokens when conducting transactions instead of directly accessing sensitive data like credit card numbers, medical records, bank account information, etc.

With OAuth 2.0, access requests can be initiated by a client (mobile app, website, desktop application, etc). Thereafter, the token request, exchange, and response takes place:

  • The client requests access (from the authorisation server) by supplying its client ID and secret as a form of identification. It also specifies the scope it needs and an endpoint URI (the redirect URI) to which the access token or authorisation code should be sent.
  • The authorisation server authenticates the client and verifies whether the requested scopes are permissible.
  • The resource owner communicates with the authorisation server to grant access.
  • The authorisation server redirects back to the client with an authorisation code or an access token, depending on the type of access granted (details in the next section). A refresh token may also be provided.
  • The client uses the access token to request access to the resource from the resource server.
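The five steps above, worked through end to end as an added Python example (this is illustration code written for this page, not the code of any OAuth library or product). It simulates the authorisation-code grant in-process: the client sends its client ID, scope, redirect URI and a `state` value; the authorisation server authenticates the client, checks the scope and the registered redirect URI, asks the resource owner for consent, and redirects back with a one-time code; the client swaps the code for a bearer token over the back channel using its secret; the resource server then accepts the token from the `Authorization` header (the "tokens indicated in the header" point from the Benefits section) and the token can be revoked, as that section also mentions. The client name `photo-printer`, its secret, the `*.example` URLs and the scope `photos:read` are constructed values and no network traffic takes place.

```python
"""Toy OAuth 2.0 authorisation-code exchange (added illustration, not vendor code).

All client names, secrets, URLs and scopes below are constructed for the example.
"""
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse


class AuthorisationServer:
    """Holds registered clients, issues one-time codes and bearer access tokens."""

    def __init__(self):
        # Constructed client registration: id, secret, allowed redirect URIs and scopes.
        self.clients = {
            "photo-printer": {
                "secret": "s3cr3t-example",
                "redirect_uris": {"https://printer.example/cb"},
                "scopes": {"photos:read"},
            }
        }
        self.codes = {}    # code -> (client_id, redirect_uri, scope, expiry)
        self.tokens = {}   # access token -> (client_id, scope, expiry)

    def authorize(self, request_url, owner_consents):
        """Steps 1-4: validate the client's request, ask the owner, redirect with a code."""
        q = {k: v[0] for k, v in parse_qs(urlparse(request_url).query).items()}
        client = self.clients.get(q.get("client_id"))
        if client is None:
            raise ValueError("unknown client")
        # Exact-match redirect URI check: a code must only ever go to a registered endpoint.
        if q.get("redirect_uri") not in client["redirect_uris"]:
            raise ValueError("redirect_uri not registered")
        scope = set(q.get("scope", "").split())
        if not scope or not scope <= client["scopes"]:
            raise ValueError("scope not permitted for this client")
        if not owner_consents:  # step 3: the resource owner declines
            return q["redirect_uri"] + "?" + urlencode({"error": "access_denied", "state": q["state"]})
        code = secrets.token_urlsafe(16)
        self.codes[code] = (q["client_id"], q["redirect_uri"], " ".join(sorted(scope)), time.time() + 60)
        return q["redirect_uri"] + "?" + urlencode({"code": code, "state": q["state"]})

    def token(self, client_id, client_secret, code, redirect_uri):
        """Back channel: the client authenticates with its secret and swaps the code for a token."""
        client = self.clients.get(client_id)
        if client is None or not hmac.compare_digest(client["secret"], client_secret):
            raise ValueError("client authentication failed")
        entry = self.codes.pop(code, None)  # pop() makes every code single-use
        if entry is None or entry[0] != client_id or entry[1] != redirect_uri or entry[3] < time.time():
            raise ValueError("invalid or expired code")
        access = secrets.token_urlsafe(24)
        self.tokens[access] = (client_id, entry[2], time.time() + 3600)
        return {"access_token": access, "token_type": "Bearer", "expires_in": 3600, "scope": entry[2]}

    def revoke(self, access_token):
        """Revocation, e.g. after suspicious activity: the token stops working immediately."""
        self.tokens.pop(access_token, None)

    def introspect(self, access_token):
        entry = self.tokens.get(access_token)
        if entry is None or entry[2] < time.time():
            return None
        return {"client_id": entry[0], "scope": entry[1]}


class ResourceServer:
    def __init__(self, auth_server):
        self.auth_server = auth_server

    def get_photos(self, headers):
        """Step 5: take the token from the Authorization header and check it before serving."""
        value = headers.get("Authorization", "")
        if not value.startswith("Bearer "):
            return 401, "missing bearer token"
        info = self.auth_server.introspect(value[len("Bearer "):])
        if info is None:
            return 401, "invalid token"
        if "photos:read" not in info["scope"].split():
            return 403, "insufficient scope"
        return 200, ["beach.jpg", "cat.jpg"]


def run_flow(owner_consents=True, revoke_after=False):
    """Drive the whole exchange and return the resource server's final HTTP status."""
    auth = AuthorisationServer()
    rs = ResourceServer(auth)
    state = secrets.token_urlsafe(8)  # binds the redirect to this client session
    req = "https://auth.example/authorize?" + urlencode({
        "response_type": "code", "client_id": "photo-printer",
        "redirect_uri": "https://printer.example/cb", "scope": "photos:read", "state": state})
    redirect = auth.authorize(req, owner_consents)
    params = {k: v[0] for k, v in parse_qs(urlparse(redirect).query).items()}
    if params.get("state") != state:
        raise ValueError("state mismatch: redirect does not belong to this session")
    if "code" not in params:
        return 401  # owner declined; the client never obtains a token
    tok = auth.token("photo-printer", "s3cr3t-example", params["code"], "https://printer.example/cb")
    if revoke_after:
        auth.revoke(tok["access_token"])
    status, _ = rs.get_photos({"Authorization": f"Bearer {tok['access_token']}"})
    return status


if __name__ == "__main__":
    print(run_flow(), run_flow(owner_consents=False), run_flow(revoke_after=True))
```

Three details carry most of the security value: the redirect URI is matched exactly against the registration, the code is single-use and short-lived, and the client secret only ever travels on the back channel, so the browser redirect carries nothing that lets a bystander mint a token on its own.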

SAML vs. OAuth

SAML (Security Assertion Markup Language) is an alternative federated authentication standard used by numerous enterprises for single sign-on (SSO). SAML lets enterprises monitor who has access to corporate resources.

There are several differences between SAML and OAuth. SAML uses XML to transmit messages while OAuth uses JSON. OAuth allows for a simpler mobile experience while SAML is aimed at enterprise security. This is a key differentiator. Since OAuth relies extensively on API calls, it provides a better user experience for mobile applications, modern web applications, game consoles, and Internet of Things (IoT) devices. In contrast, SAML inserts a session cookie in a browser, thereby granting users access to certain web pages. While this is great for short-term use, it is not ideal for regularly accessed devices like IoT light bulbs and other smart home devices.

SAML not only supports single sign-on, but also authorisation via attribute queries. OAuth, on the other hand, is frequently pressed into performing authentication (e.g. for social login functions) although it is primarily focused on authorisation. As such, OAuth2 does not support SSO.

SAML defines a token format with complicated encryption, and the size of the exchanged messages is a significant factor. By contrast, OAuth2 does not rely on message encryption (it relies on HTTPS instead), nor does it define a token format.

OAuth2’s appeal rests in its simplicity and flexibility. It can be used in mobile devices, smart devices, web apps, single-page apps, etc. There are many available libraries, which facilitates integration with different client types and service providers. SAML, however, was not intended for modern applications. As such, it is more difficult to use with these systems and is instead more commonly used with traditional web apps.

FAQ about OAuth

What Is the Purpose of an Access Token in OAuth 2.0?

An access token is a string that represents the permission granted to the client by the resource owner. The client uses the access token to access the protected resource on the resource server.

Who Can Use OAuth?

OAuth is an open protocol that can be used by many companies and organisations that need a secure and standardised way to authorise applications and access protected resources. Typically, OAuth is used by companies and organisations that need to provide an API and control access to user data or resources. OAuth can also be used by third-party app and mobile app developers to gain access to protected resources from users, provided the user has given consent.

Is OAuth Secure?

OAuth is a widely used protocol that allows applications and services to securely access users’ resources without the user having to provide their credentials directly to the requesting application.

OAuth itself is a security-aware protocol based on proven security mechanisms such as encryption, token-based access and authorisation.

How Can Phishing Attacks on User Data Be Prevented?

It is important that applications and services using OAuth are implemented and configured securely to ensure the safety of user data. Users should also ensure that they use trusted applications and services and do not grant access rights that are not necessary.