OAuth is one of those technologies that is almost as widely misunderstood as it’s used. In this article, let’s strip away the jargon and really understand how the technology behind OAuth actually works.

First of all, as you can guess from the name, OAuth has something to do with Auth. But does auth mean authentication or authorization? Well, the short answer is — OAuth is meant for authorization, not authentication. More importantly, OAuth was originally created not for a service to authorize a person. It was meant for a service to authorize another service. Now why on earth would a service need to be authorized?

Did you know: The “Auth” in OAuth is for authorization, not authentication!

When two services talk

Let’s take a classic example of a photo printing service. You must have seen websites like this. You provide them an image file and you pay them to ship printed photos to your address.

Imagine you are starting a new photo printing business. You build a website that lets people upload photos and order prints online. Now, here’s the thing. Nobody keeps photos on their machines anymore. They use the cloud! And so you keep getting feature requests to let users import their photos from somewhere like Google Drive and print them directly from there, without having to download them and upload them again.


Okay, that’s a fair ask. Now what do you have to do to implement an Import from Google Drive feature for your application? You need to connect to the user’s Google Drive account and access their files. But wait! How can your application do that? The user’s files on Google Drive need the user’s Google authentication. How can you write code for your website that authenticates with Google on behalf of your users?

Well, here’s something you can do. You can ask the user for their Google ID and password. Your app could say:

“Hey user, do you want me to print your photos on Google? Well, Google doesn’t give me access. So, here’s this screen where you enter your Google ID and password. Give them to me, and I’ll log in to your Google account and access your photos and print them.”


Do you think users will hand your photo printing service their Google ID and password? They don’t trust you! What they want to give you is access to just certain photos. They don’t want to give you access to their whole Google Drive and email and everything else. Your service might pinky-promise that it’ll access just their photos, but there is no guarantee: a password grants everything the account can do. So, while this works in theory, it is not practical.

Now you might say — Google Drive has a share feature! You can ask the user to share the files out and then provide the shared link to your service. But there are problems there too. What if the users don’t want to share files out to anyone? And what about scenarios where sharing isn’t an option at all? For example, what if your service wants to access the user’s contacts to send app invites? There’s no way you can ask the user to share their address book. Such a feature doesn’t even exist! So, how do you get a third-party service authorized by a service like Google without the user handing over their credentials?
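To make the difference concrete, here is an added example (not code from the original article) that models the two approaches discussed above in Python. The `Provider` and `PhotoPrinter` classes, the scope names and the sample user data are all constructed for illustration; this is not an implementation of the real OAuth 2.0 flows, only a demonstration of what a third party can reach when it holds the user’s password versus a token limited to one scope, and of how the user can revoke that grant without changing their password.

```python
"""Credential sharing versus delegated, scoped access (toy model).

Added example, not code from the original article. The classes "Provider" and
"PhotoPrinter", the scope names and the sample data are invented for illustration
and do not implement the real OAuth 2.0 protocol flows.
"""
import hashlib
import hmac
import secrets


class Provider:
    """Stands in for a service like Google that holds several kinds of user data."""

    def __init__(self):
        self._accounts = {}  # username -> {"pw": (salt, hash), "data": {resource: value}}
        self._tokens = {}    # access token -> (username, frozenset of scopes)

    def register(self, username, password, **data):
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self._accounts[username] = {"pw": (salt, digest), "data": dict(data)}

    def _check_password(self, username, password):
        acct = self._accounts.get(username)
        if acct is None:
            return False
        salt, stored = acct["pw"]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        return hmac.compare_digest(candidate, stored)

    # Approach 1: the third party logs in with the user's password.
    def login(self, username, password):
        """Password login yields a session that can reach everything the user owns."""
        if not self._check_password(username, password):
            raise PermissionError("bad credentials")
        return self.issue_token(username, scopes=set(self._accounts[username]["data"]))

    # Approach 2: the user delegates a fixed set of scopes to the third party.
    def issue_token(self, username, scopes):
        """Mint a bearer token bound to one user and a fixed set of scopes.

        In real OAuth the user approves these scopes on the provider's consent
        screen and the provider hands the token to the third party; that exchange
        is not modelled here.
        """
        unknown = set(scopes) - set(self._accounts[username]["data"])
        if unknown:
            raise ValueError(f"unknown scopes: {sorted(unknown)}")
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (username, frozenset(scopes))
        return token

    def revoke(self, token):
        """The user withdraws the grant; their password is untouched."""
        self._tokens.pop(token, None)

    def read(self, token, resource):
        """Resource endpoint: every request is checked against the token's scopes."""
        entry = self._tokens.get(token)
        if entry is None:
            raise PermissionError("unknown or revoked token")
        username, scopes = entry
        if resource not in scopes:
            raise PermissionError(f"token not authorized for {resource!r}")
        return self._accounts[username]["data"][resource]


class PhotoPrinter:
    """The third-party service from the article; it only legitimately needs photos."""

    def __init__(self, provider):
        self.provider = provider

    def reachable_resources(self, token):
        """Everything this service could read with the token it was handed."""
        reachable = {}
        for resource in ("photos", "contacts", "mail"):
            try:
                reachable[resource] = self.provider.read(token, resource)
            except PermissionError:
                pass
        return reachable

    def import_photos(self, token):
        return self.provider.read(token, "photos")


def compare_approaches():
    """Return what the printer can reach with a shared password vs. a scoped token."""
    google = Provider()
    # Constructed sample account data.
    google.register("alice", "hunter2", photos=["beach.jpg", "dog.jpg"],
                    contacts=["bob@example.com"], mail=["Re: taxes"])
    printer = PhotoPrinter(google)

    session = google.login("alice", "hunter2")          # user handed over the password
    with_password = printer.reachable_resources(session)

    token = google.issue_token("alice", scopes={"photos"})  # user delegated only photos
    with_token = printer.reachable_resources(token)

    google.revoke(token)
    try:
        printer.import_photos(token)
        after_revoke = "still works"
    except PermissionError:
        after_revoke = "denied"
    return with_password, with_token, after_revoke


if __name__ == "__main__":
    pw, tok, rev = compare_approaches()
    print("with password:", sorted(pw))
    print("with scoped token:", sorted(tok))
    print("after revoke:", rev)
```

The point the model makes is the one the article is driving at: a password cannot be narrowed, so the printer that holds it can read contacts and mail just as easily as photos, whereas a token carries its scopes with it and the resource endpoint enforces them on every request. Revocation works the same way: the user invalidates the grant at the provider and the printer loses access immediately, without the user having to change a password that the printer should never have seen.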


How the technology behind OAuth actually works