
My understanding of OAuth (2.0) is that it's a software stack and protocol to allow 2+ web apps to share information about a single end user. User A is a member of Site B and Site C; Site B wants to fetch some data from Site C about User A, and this is where OAuth steps in.

So first off, if this assessment is incorrect, please begin by clarifying this for me and correcting me!

Assuming I'm on the right track, then I guess I'm not seeing the need for OAuth to begin with (!). I'm sure I'm just not seeing the "forest through the trees" here, but the way I see it, couldn't Site C just expose a public API that Site B could use to fetch the same data (sans OAuth)? If Site C required user credentials to access the data, could this public API just use HTTPS for secure transport and require username/password as a part of each API call?

Again, I'm sure I'm missing something, but I'm just not understanding why I would need OAuth when a secure, public API written and exposed by Site C seems more than capable of delivering what Site B needs regarding User A.

In general, I'm looking for a set of guidelines to go by when deciding to choose between using OAuth for my web apps or just writing my own web service (exposing a public API).

Thanks in advance!

  • First problem: as a customer of site A who wants to allow site B to access some of my data from site A, I won't give my password for site A to site B: I should never need to give my password for site A to anyone except site A (and not even there, if it's avoidable). Commented Jul 2, 2012 at 13:17
  • You got it almost right: essentially what you miss is that User A may want to give Site B only part of its data on Site C, or read-only access to this data, or revoke this permission at a later time. None of these things is doable if you just give away your password. Moreover, User A may want to change the password without revoking access to Site B. And for sure, he will not want Site B to be able to log him off. So here is where OAuth steps in. Of course, if the data is public, there is no need for OAuth and a public API is fine.
    – Andrea
    Commented Jul 2, 2012 at 14:39

3 Answers

11

OAuth is not about exposing an API. OAuth is about authorization: is Site B allowed to access User A's resources?

Before Twitter began implementing OAuth, it used HTTP Basic auth. That meant users had to give their credentials to third-party websites / services to allow them to access their data. This means that the website now has unlimited access to the user's data, and the only way to 'revoke' that access is to change your password.

OAuth solves this problem by not giving the website the user's credentials, but a token. That token gives them (possibly limited) access to a user's resources, without having any password. If a user wants to block this website, they only have to revoke the token, and that website / service has no access anymore.

  • No, OAuth is about authorization. OpenID is about authentication. Other than that, +1. Commented Jul 2, 2012 at 17:33
  • @AidanCully Oops, I meant authorization.
    – Ikke
    Commented Jul 3, 2012 at 5:53
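The points made in Andrea's comment on the question and in the answer above (partial, read-only access; revocation without a password change; expiry) can be seen in a small model. The following is an added example, not code from the poster, the answerers or any OAuth library: `AuthorizationServer`, `ResourceServer`, the scope names and the user `alice` are all constructed for illustration. Site C issues Site B a scoped token, stores only a hash of it, and checks scope, expiry and revocation on every request; User A's password is never involved.

```python
# Added example: a minimal model of scoped, expiring, revocable tokens
# standing in for a shared password. Names and data are constructed.
import hashlib
import secrets
import time
from dataclasses import dataclass


@dataclass
class Grant:
    """What one issued token is allowed to do, and for whom."""
    user: str
    client: str            # the third-party site that holds the token
    scopes: frozenset      # e.g. {"read:photos"}; no "read:email" -> no email
    expires_at: float
    revoked: bool = False


class AuthorizationServer:
    """Site C's token issuer (hypothetical). Only a hash of each token is
    stored, so a leaked token store does not leak usable bearer tokens."""

    def __init__(self):
        self._grants = {}  # sha256(token) -> Grant

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue_token(self, user, client, scopes, ttl_seconds=3600, now=None):
        """User has consented to `client` getting `scopes`; mint a bearer token."""
        token = secrets.token_urlsafe(32)
        now = time.time() if now is None else now
        self._grants[self._key(token)] = Grant(
            user, client, frozenset(scopes), now + ttl_seconds)
        return token

    def revoke_token(self, token):
        """User A cuts off Site B; the password never changes."""
        grant = self._grants.get(self._key(token))
        if grant is not None:
            grant.revoked = True

    def introspect(self, token, now=None):
        """Return the live Grant, or None if unknown, revoked or expired."""
        grant = self._grants.get(self._key(token))
        now = time.time() if now is None else now
        if grant is None or grant.revoked or now >= grant.expires_at:
            return None
        return grant


class ResourceServer:
    """Site C's data API (hypothetical). Access is decided per token scope."""

    USER_DATA = {  # constructed sample data
        "alice": {"photos": ["beach.jpg", "dog.jpg"],
                  "email": "alice@example.com"},
    }

    def __init__(self, authz):
        self.authz = authz

    def get(self, token, resource, now=None):
        """(status, body) for a request carrying `token` as bearer credential."""
        grant = self.authz.introspect(token, now=now)
        if grant is None:
            return 401, "invalid, expired or revoked token"
        if f"read:{resource}" not in grant.scopes:
            return 403, f"token lacks scope read:{resource}"
        return 200, self.USER_DATA[grant.user][resource]


def demo():
    """Walk through the question's scenario; returns the four status codes."""
    authz = AuthorizationServer()
    api = ResourceServer(authz)
    t0 = 1_000_000.0
    # User A (alice) consents to Site B reading only her photos.
    token = authz.issue_token("alice", "site-b", ["read:photos"], now=t0)
    photos = api.get(token, "photos", now=t0)[0]           # 200: in scope
    email = api.get(token, "email", now=t0)[0]             # 403: never consented
    expired = api.get(token, "photos", now=t0 + 7200)[0]   # 401: past expiry
    authz.revoke_token(token)
    revoked = api.get(token, "photos", now=t0)[0]          # 401: revoked
    return photos, email, expired, revoked


if __name__ == "__main__":
    print(demo())
```

Compare this with the Basic-auth situation the answer describes: a site holding the password can read every resource, and the only way to stop it is to change the password, which also breaks every other legitimate integration. With the token, `revoke_token` affects exactly one client and one grant.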
4

OAuth is an open standard that does not require users to give their credentials away to several different sites. They only give their credentials to one site, then the other sites can authenticate their users with your site without asking for a username/password. You've already seen this benefit when logging into your account here.

You could implement your own custom solution, but that eliminates the benefits of using an open standard. Using an open standard allows two things:

  1. You can use other open source libraries to implement your own OAuth service rather than reinventing the wheel.
  2. You won't be forcing other people to write their own custom logic for authenticating with your site. It's better to allow people a familiar OAuth interface than to force them to learn another new API.
  • Thanks @Phil (+1) - so is it fair to say that OAuth is used when the user wants to log in to 1 and only 1 site, but the site (behind the scenes) is actually sharing data about the user with other sites the user has accounts with?
    – herpylderp
    Commented Jul 2, 2012 at 13:41
  • From my limited understanding of OAuth, it is only used for authentication, not necessarily for sharing data. I could be wrong. However if sites do share data, OAuth is usually a big part of that.
    – Phil
    Commented Jul 2, 2012 at 13:47
1

In layman's terms, if you are exposing an API, you will be asking the other site to pass a username/password to your API so that you will verify those credentials and the user can start using the other site.

However, with OAuth the user does not give username/password or login credentials to the other site but directly to your site.

This is because it is a security breach for the other site to ask for login credentials from the user which actually belong to your site.
