What is OAuth? Technology is close to our lives

Tram Ho

Translated from the article 実は身近な存在? OAuthとは何かを探る ("A familiar presence after all? Exploring what OAuth is")

「OAuth」: an indispensable technology

Many people probably find the word OAuth unfamiliar. Because it contains "Auth", you may have a rough idea that it is related to user authentication. But what about the "O"? What does the "O" stand for? When the formal name of a thing or phenomenon is built from an acronym, it is natural to have trouble tracing the original words.

So let us first set aside the meaning of each word that makes up OAuth and instead ask where this technique is applied. Among the answers to this question there is one so familiar that many people are surprised: the ability to link social networks to each other.

Imagine that you post a photo on Instagram and want it to appear on your Facebook page as well. To do that, you register your Facebook account as linked to your Instagram account. Once this registration is complete, the photos you post on Instagram also become Facebook posts. Instagram can be linked not only with Facebook but also with other SNS accounts such as Twitter, Tumblr, etc. The main component behind this linking feature is OAuth.

“Auth” is not “Authentication”

In the case just described, we of course have to perform user authentication on Instagram. But what about the other SNSs, such as Facebook and Twitter? Instagram does not hold your Facebook credentials, that is, the user ID and password you use for your Facebook account.

For now, let’s look at the origin of the word “Auth”. Here “auth” is not an abbreviation of “authentication” but derives from “authorization”, which means granting permission. Authentication and authorization are similar words, but they are two different words.

*“Authentication” means confirming who someone is. More specifically, authentication is the act of establishing that the person about to perform an operation is the user himself and not anyone else.*

Typical examples of authentication are the PIN or password of a bank card. Authentication with a user ID and password brings many benefits to people. In recent years, user authentication has become increasingly secure thanks to the appearance and spread of biometric authentication.

So what is Authorization?

***Authorization means granting a person permission to do something, i.e. assigning them the right to perform that action.***

In the example above, an Instagram user goes through a certain procedure and thereby permits their posts to be published automatically to their Facebook account. The action taken here is to permit the post operation, not to verify who the user is on Facebook.

As a result, the user does not need to log in to Facebook but can still post there via Instagram. The example I give here is an SNS link. In fact, however, the OAuth mechanism is increasingly widespread in web applications generally.

Regarding the letter “O” in OAuth, even the official website gives no explicit explanation. However, because OAuth is an open standard, we can reasonably understand the O as standing for Open.

Token used for authorization

There need to be rules for granting permissions. Without rules and regulations, an application can be attacked by a malicious user, with unacceptable consequences. The rule here is the method of issuing access tokens. An access token is a token indicating that a request is permitted; it acts as a key. This “key” is issued by the server to the client application.

In fact, with OAuth 2.0, standardized as RFC 6749, the response to an access token request is itself standardized. OAuth is said to be used for SNS linking because it is the procedure by which another application obtains the information it wants. The application server receives the access token via the API and inspects it. If the request has been granted, the server processes it and returns the necessary information.
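To make the "key" idea concrete, here is an added example (not code from the original article or from any of the services it mentions) of the two steps just described: a client application parsing the standardized token response of RFC 6749 section 5.1, and a resource server inspecting the bearer token on an incoming API request before deciding whether to serve it. The token value is the example value printed in RFC 6749; the token store, client name, user name and scopes are constructed for this example, standing in for the authorization server's records (a real resource server would look the token up with the authorization server rather than in a local dictionary).

```python
"""Added example: parse an OAuth 2.0 token response and check a bearer
token on an API request. All stored values below are constructed."""
import json
from typing import Optional, Tuple

# Constructed: the body the authorization server returned to the client
# application after a successful access token request (RFC 6749 section 5.1).
TOKEN_RESPONSE_JSON = json.dumps({
    "access_token": "2YotnFZFEjr1zCsicMWpAA",  # example value printed in RFC 6749
    "token_type": "Bearer",
    "expires_in": 3600,
    "scope": "photos:read posts:write",
})

# Constructed stand-in for the authorization server's records of issued tokens.
ISSUED_AT = 1_700_000_000
TOKEN_STORE = {
    "2YotnFZFEjr1zCsicMWpAA": {
        "client_id": "instagram-app",   # hypothetical client application
        "user": "alice",                # hypothetical resource owner
        "scopes": {"photos:read", "posts:write"},
        "expires_at": ISSUED_AT + 3600,
    },
}


def parse_token_response(body: str) -> dict:
    """Client side: validate the fields RFC 6749 requires in a success response."""
    data = json.loads(body)
    if "access_token" not in data or "token_type" not in data:
        raise ValueError("token response missing required fields")
    if data["token_type"].lower() != "bearer":
        raise ValueError("unsupported token_type: %s" % data["token_type"])
    return {
        "access_token": data["access_token"],
        "expires_in": int(data.get("expires_in", 0)),
        "scopes": set(data.get("scope", "").split()),
    }


def extract_bearer_token(headers: dict) -> Optional[str]:
    """Pull the token out of 'Authorization: Bearer <token>' (RFC 6750)."""
    value = headers.get("Authorization", "")
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    return token.strip()


def authorize_request(headers: dict, required_scope: str, now: int) -> Tuple[int, str]:
    """Resource server side: decide whether an API request may proceed.
    Returns (HTTP status, reason). Note that the decision is about what the
    key permits, not about proving who is holding it."""
    token = extract_bearer_token(headers)
    if token is None:
        return 401, "missing or malformed bearer token"
    record = TOKEN_STORE.get(token)
    if record is None:
        return 401, "unknown token"
    if now >= record["expires_at"]:
        return 401, "token expired"
    if required_scope not in record["scopes"]:
        return 403, "insufficient scope: need %s" % required_scope
    return 200, "allowed for user %s via %s" % (record["user"], record["client_id"])


if __name__ == "__main__":
    resp = parse_token_response(TOKEN_RESPONSE_JSON)
    hdrs = {"Authorization": "Bearer " + resp["access_token"]}
    print(authorize_request(hdrs, "posts:write", ISSUED_AT + 60))    # allowed
    print(authorize_request(hdrs, "posts:delete", ISSUED_AT + 60))   # 403, scope not granted
    print(authorize_request(hdrs, "posts:write", ISSUED_AT + 7200))  # 401, expired
    print(authorize_request({}, "posts:write", ISSUED_AT + 60))      # 401, no token
```

The two failure classes are deliberately distinct: a missing, unknown or expired token is a 401 (the request carries no valid key), whereas a valid token without the needed scope is a 403 (the key is real but does not open this door). Expiry and scope are checked on every request, because the token, not the user's password, is what the client application holds.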

Relationship of OAuth and OpenID

Granting permissions with OAuth is convenient but not universal. Having no login function is a provisional and unstable state. Therefore OAuth 2.0 was extended with authentication and attribute retrieval, becoming an ID linking method called OpenID Connect.

Note that OpenID Connect and OpenID 2.0 share a name, but they are two different concepts. OpenID, officially called OpenID Authentication, is a way of sharing user authentication across the Internet.

When a user uses many applications and websites at the same time, managing a separate user ID and password for each of them is very troublesome.

OAuth and OpenID are the techniques used to address this need.
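What OpenID Connect adds to OAuth 2.0 is an ID token: a signed token whose claims state who was authenticated, by which provider, and for which client. The following added example (not code from the original article or from any OpenID provider) shows both sides of that exchange: the provider minting an ID token for a user and the client verifying it before trusting the identity inside. The issuer URL, client ID, shared secret and user name are constructed, and HMAC-SHA256 signing is used so the example runs offline; real providers usually sign with an RSA or EC key and publish the public key.

```python
"""Added example: mint and verify an OpenID Connect ID token.
Key, issuer, client ID and user are constructed for this example."""
import base64
import hashlib
import hmac
import json
from typing import Optional

CLIENT_SECRET = b"constructed-demo-secret"   # constructed shared signing key
ISSUER = "https://idp.example"              # hypothetical OpenID Provider
CLIENT_ID = "photo-app"                     # hypothetical relying party


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_id_token(subject: str, issued_at: int, lifetime: int = 300) -> str:
    """Provider side: mint a JWT carrying the result of user authentication."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "iss": ISSUER,             # who authenticated the user
        "sub": subject,            # stable identifier of the authenticated user
        "aud": CLIENT_ID,          # which client this token was minted for
        "iat": issued_at,
        "exp": issued_at + lifetime,
    }
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    signature = hmac.new(CLIENT_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


def verify_id_token(token: str, now: int) -> Optional[dict]:
    """Client side: return the claims only if signature, issuer, audience
    and expiry all check out; otherwise return None."""
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
        claims = json.loads(_b64url_decode(claims_b64))
    except ValueError:   # wrong part count, bad base64 or bad JSON
        return None
    # Pin the algorithm we expect instead of trusting whatever the token says.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(CLIENT_SECRET, (header_b64 + "." + claims_b64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    if not isinstance(claims, dict):
        return None
    if claims.get("iss") != ISSUER or claims.get("aud") != CLIENT_ID:
        return None
    if now >= claims.get("exp", 0):
        return None
    return claims


if __name__ == "__main__":
    token = issue_id_token("alice", 1_700_000_000)
    print(verify_id_token(token, 1_700_000_010))          # claims for alice
    print(verify_id_token(token, 1_700_000_600))          # None: expired
    print(verify_id_token(token[:-4] + "AAAA", 1_700_000_010))  # None: bad signature
```

Compare this with the access token of the previous section: an access token says what a request may do, and the resource server need not know who the end user is. The ID token instead answers "who logged in", which is why the client checks the issuer and audience claims, so that a token minted for some other client cannot be replayed to log a user in here.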

▼ References:

OAuth 2.0 official site: https://oauth.net/2/

RFC 6749, The OAuth 2.0 Authorization Framework: https://tools.ietf.org/html/rfc6749


Source: Viblo