Thursday, June 30, 2011

APIs and OAuth

OAuth (or Open Authorization) has become the norm these days. What is it ? In simple terms, it is a protocol that allows developers and third-party applications to use data on a server without giving away the password of the served user.

A little history about OAuth first ! Interestingly, as mentioned on Wikipedia, OAuth sprang from "Twitter OpenID implementation". Soon, this turned into a project in which people from some well known organizations such as Google were involved. Eventually, the draft for OAuth Core 1.0 was released in October 2007 and the protocol was published in April 2010.

So now where is this protocol used ? Pretty much every site that offers developers to access their data use this protocol. As Twitter and Facebook Applications become popular, so does this protocol.

So how does it work ? The basic idea is simple (as is for most great inventions), the developer registers his application with the data provider. The provider then generates a "Consumer key" and a "Consumer Secret key". These two strings need to be a part of the request sent by the application to request any data or authentication. When the user, through the application, tries to access his data, a URL is created which allows the application to be 'authenticated' by the user. Once the user accepts to authorize the application to access the data, a PIN (a string of numbers) is provided. Entering this PIN into the application allows the application to identify itself (along with the Consumer Key) and obtain an "Access Token". This access token (yet again a hashed string), is used by the application with each request. Obviously, this is just the basic idea of the protocol and a lot of numbers and parameters are introduced in order to make it more secure.

So, why is it better ? Or rather I should first answer, what is it better than ? Earlier, most websites like Twitter used "Basic Access Authentication". It required the user to give his username and password to the application for accessing its data. (Yeah, basic authentication was really basic ;-) ).  So, why is OAuth better ? It is better for applications as :-

  • Applications need not maintain the username and password of the user, which is a responsibility of the application (or developer). 
  • If the password is changed, the application would be rendered useless, unless it is reset in the settings.
It is better for the users as :-

  • User is not required to give away his or her password.
  • List of the applications authorized to access the data is available on the website. This allows the user to revoke access, especially to applications which are no longer used.
List of OAuth libraries for various languages can be obtained here.

No comments:

Post a Comment