What is OAuth? Definition and How it Works (2024)

We’ve talked about giving away your passwords and how you should never do it. When a website wants to use the services of another, such as Bitly posting to your Twitter stream, it should not ask you to share your password; it should use a protocol called OAuth.

It’s important to understand how a program, website, or app gets to act as you: has it actually verified who you are, and what exactly have you granted it permission to do with your data on your behalf? OAuth streamlines the granting part, but even with that automation, stay aware of how a person or company uses (or stores) the data you let it reach.

What is OAuth?

OAuth is an open-standard authorization protocol or framework that provides applications the ability for “secure designated access.” For example, you can tell Facebook that it’s OK for ESPN.com to access your profile or post updates to your timeline without having to give ESPN your Facebook password. This minimizes risk in a major way: In the event ESPN suffers a breach, your Facebook password remains safe.

OAuth never shares your password with the consumer. Instead it issues authorization tokens that a consumer presents to the service provider as proof that you delegated a specific kind of access to it. OAuth is an authorization protocol: it lets you approve one application interacting with another on your behalf without giving away your password. It is not, by itself, an authentication protocol (more on that below).

SAML vs. OAuth

SAML (Security Assertion Markup Language) is a federated authentication standard that many enterprises use for Single Sign-On (SSO). It gives the enterprise one place, the identity provider, to control who can sign in to corporate resources.

There are many differences between SAML and OAuth. SAML passes signed XML assertions; OAuth 2.0 works over plain HTTP requests and returns its tokens as JSON. OAuth gives a simpler mobile and API experience, while SAML is geared toward browser-based enterprise SSO. That last point is the key differentiator: OAuth is built around API calls, which is why mobile applications, modern web applications, game consoles, and Internet of Things (IoT) devices find it a better fit. SAML, on the other hand, authenticates a browser session and drops a session cookie that lets the user reach certain web pages: fine for a workday that starts with a login, not so fine when your thermostat would have to log in every day.

Beyond SSO: Singular Security from Varonis

OAuth and SAML help answer who is accessing your network, but you need Varonis to complete the picture of what they're doing and what sensitive data they're accessing.


OAuth Examples

The simplest example of OAuth in action is one website saying “hey, do you want to log into our website with another website’s login?” In this scenario, the only thing the first website (call it the consumer) wants to know is that the user has successfully logged in to the service provider, the site that actually holds the user’s account, and is the same person there as here. Strictly speaking that is authentication rather than authorization, which is why “Log in with X” is built on OpenID Connect, an identity layer on top of OAuth 2.0, rather than on bare OAuth.

Facebook apps are a good OAuth use case example. Say you’re using an app on Facebook, and it asks you to share your profile and pictures. Facebook is, in this case, the service provider: it has your login data and your pictures. The app is the consumer, and as the user, you want to use the app to do something with your pictures. You specifically gave this app access to your pictures, which OAuth is managing in the background.

Your smart home devices (toaster, thermostat, security system, etc.) probably hold some kind of login data so they can sync with each other and let you administer them from a browser or client device. Typically the device stores a long-lived refresh token so you don’t have to log in over and over again. Whether such a device counts as what OAuth 2.0 calls a confidential client depends on whether it can actually keep its client credentials secret; a secret baked into firmware that ships to every customer usually cannot, which is why OAuth treats such clients as public and defines a separate device authorization flow for input-constrained devices.

OAuth Explained

OAuth is about authorization, not authentication. Authorization is asking for permission to do things. Authentication is proving you are the person you claim to be, usually because you know something (a password) or hold something (a key or device). OAuth doesn’t pass authentication data between consumers and service providers; the consumer only ever sees an authorization token, which says what it may do, not who you are.

The common analogy I’ve seen used while researching OAuth is the valet key to your car. The valet key allows the valet to start and move the car but doesn’t give them access to the trunk or the glove box.


An OAuth token is like that valet key. As a user, you get to tell the consumers what they can use and what they can’t use from each service provider. You can give each consumer a different valet key. They never have the full key or any of the private data that gives them access to the full key.

How OAuth Works

There are 3 main players in an OAuth transaction: the user, the consumer, and the service provider. This triumvirate has been affectionately deemed the OAuth Love Triangle.

In our example, Joe is the user, Bitly is the consumer, and Twitter is the service provider that controls Joe’s secure resource (his Twitter stream). Joe would like Bitly to be able to post shortened links to his stream. Here’s how it works (the steps below follow the original OAuth 1.0 shape, with a request token and per-request signatures; OAuth 2.0’s authorization code flow has the same six steps, with an authorization code in place of the request token and TLS plus a client secret in place of signatures):

Step 1 – The User Shows Intent

  • Joe (User): “Hey, Bitly, I would like you to be able to post links directly to my Twitter stream.”
  • Bitly (Consumer): “Great! Let me go ask for permission.”

Step 2 – The Consumer Gets Permission

  • Bitly: “I have a user that would like me to post to his stream. Can I have a request token?”
  • Twitter (Service Provider): “Sure. Here’s a token and a secret.”

The secret is used to prevent request forgery. The consumer never sends it on the wire; it uses the secret (together with a nonce and a timestamp) to compute an HMAC signature over each request, and the service provider recomputes the same signature from its own copy of the secret to verify that the request really came from that consumer and was not altered or replayed.
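What “sign each request” means concretely, as an added example that is not code from the original post: the HMAC-SHA1 request signature that OAuth 1.0a specifies in RFC 5849, computed on the consumer’s side and recomputed on the provider’s side, with the nonce/timestamp replay check. The consumer key, secrets, token, nonce and URL are constructed for the example.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import quote, urlparse


def pct(value):
    """RFC 5849 percent-encoding: only A-Za-z0-9-._~ stay bare, hex digits are upper-case."""
    return quote(str(value), safe="-._~")


def signature_base_string(method, url, params):
    """Build the string both sides sign: METHOD & base-URL & normalized parameters.
    params must hold every oauth_* parameter plus the query/body parameters,
    but NOT oauth_signature itself."""
    u = urlparse(url)
    host = u.netloc.lower()
    # Default ports are dropped; any query string is folded into params by the caller.
    if (u.scheme.lower(), host.rsplit(":", 1)[-1]) in (("http", "80"), ("https", "443")):
        host = host.rsplit(":", 1)[0]
    base_url = f"{u.scheme.lower()}://{host}{u.path}"
    # Encode first, then sort by key (then value), then join as k=v&k=v.
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(base_url), pct(normalized)])


def sign(method, url, params, consumer_secret, token_secret=""):
    """HMAC-SHA1 over the base string, keyed with consumer_secret&token_secret."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, signature_base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


def consumer_request(method, url, body, consumer_key, consumer_secret,
                     token, token_secret, nonce, timestamp):
    """Bitly's side: attach the oauth_* parameters and the signature to a request."""
    params = dict(body)
    params.update({
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp),
        "oauth_token": token,
        "oauth_version": "1.0",
    })
    params["oauth_signature"] = sign(method, url, params, consumer_secret, token_secret)
    return params


class ServiceProvider:
    """Twitter's side: recompute the signature from the secrets it holds and
    reject replays (a nonce may be used once per consumer and timestamp)."""

    def __init__(self):
        # Constructed credentials for the example, not real ones.
        self.consumer_secrets = {"bitly-key": "bitly-secret"}
        self.token_secrets = {"joe-token": "joe-token-secret"}
        self.seen_nonces = set()

    def verify(self, method, url, params, now=None, max_skew=300):
        now = time.time() if now is None else now
        params = dict(params)
        presented = params.pop("oauth_signature", None)
        consumer_secret = self.consumer_secrets.get(params.get("oauth_consumer_key"))
        token_secret = self.token_secrets.get(params.get("oauth_token"))
        if presented is None or consumer_secret is None or token_secret is None:
            return False
        try:
            ts = int(params.get("oauth_timestamp", ""))
        except ValueError:
            return False
        if abs(now - ts) > max_skew:          # stale or future-dated request
            return False
        replay_key = (params["oauth_consumer_key"], ts, params.get("oauth_nonce"))
        if replay_key in self.seen_nonces:    # same nonce seen before: replay
            return False
        expected = sign(method, url, params, consumer_secret, token_secret)
        if not hmac.compare_digest(expected, presented):
            return False
        self.seen_nonces.add(replay_key)
        return True
```

The key detail is that the signature covers the method, the normalized URL and every parameter, so changing the status text, the endpoint or the token after signing invalidates it, and the nonce/timestamp pair stops an intercepted request from being resent. OAuth 2.0 dropped this machinery in favor of TLS, which is why its tokens must be handled as bearer secrets.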

Step 3 – The User Is Redirected to the Service Provider

  • Bitly: “OK, Joe. I’m sending you over to Twitter so you can approve. Take this token with you.”
  • Joe: “OK!”

Figure: Bitly directs Joe to Twitter for authorization.

This is the scary part. If Bitly were super-shady Evil Co. it could pop up a window that looked like Twitter but was really phishing for your username and password. Always verify that the URL in the address bar is actually the service provider’s (Twitter, in this case) before typing credentials, and be suspicious of a login form embedded inside the consumer’s own page or shown in an in-app web view where no address bar is visible.

Step 4 – The User Gives Permission

  • Joe: “Twitter, I’d like to authorize this request token that Bitly gave me.”
  • Twitter: “OK, just to be sure, you want to authorize Bitly to do X, Y, and Z with your Twitter account?”
  • Joe: “Yes!”
  • Twitter: “OK, you can go back to Bitly and tell them they have permission to use their request token.”

Twitter marks the request token as “good-to-go,” so when the consumer requests access, it will be accepted (so long as it’s signed using their shared secret).

Step 5 – The Consumer Obtains an Access Token

  • Bitly: “Twitter, can I exchange this request token for an access token?”
  • Twitter: “Sure. Here’s your access token and secret.”

Step 6 – The Consumer Accesses the Protected Resource

  • Bitly: “I’d like to post this link to Joe’s stream. Here’s my access token!”
  • Twitter: “Done!”

In our scenario, Joe never had to share his Twitter credentials with Bitly. He simply delegated access using OAuth in a secure manner. At any time, Joe can log in to Twitter, review the access he has granted, and revoke tokens for specific applications without affecting others. OAuth also allows for granular permission levels (OAuth 2.0 calls them scopes). You can give Bitly the right to post to your Twitter account, but restrict LinkedIn to read-only access.
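The six steps above in OAuth 2.0 authorization-code form, as an added example that is not code from the original post or from Twitter or Bitly: an in-process authorization server (Twitter’s role), a resource server that enforces scopes, and the consumer’s side of the exchange. It shows the scoped-access and per-app revocation points made above, plus the checks a real provider performs that the dialogue glosses over: the redirect URI must match the registration, a code can be redeemed once and only by the client it was issued to, and the consumer compares the `state` it sent with the one it gets back. Client IDs, secrets, redirect URIs and scope names are constructed.

```python
import secrets
import time

# Constructed client registrations (illustrative IDs, secrets and callback URLs).
CLIENTS = {
    "bitly":    {"secret": "bitly-client-secret",    "redirect_uri": "https://bitly.example/oauth/callback"},
    "linkedin": {"secret": "linkedin-client-secret", "redirect_uri": "https://linkedin.example/oauth/callback"},
}


class AuthorizationServer:
    """Twitter's side: shows the consent screen, issues codes, exchanges them for scoped tokens."""

    def __init__(self, clients):
        self.clients = clients
        self.codes = {}   # code -> grant details; single use, short-lived
        self.tokens = {}  # access token -> {"user", "client_id", "scope"}

    def consent_prompt(self, client_id, scope, redirect_uri):
        # Steps 3/4: validate the client and its registered redirect URI BEFORE rendering
        # consent, so a leaked client_id cannot send the code to an attacker's host.
        client = self.clients.get(client_id)
        if client is None or client["redirect_uri"] != redirect_uri:
            raise ValueError("unknown client or redirect_uri mismatch")
        return f"Allow {client_id} to: {', '.join(scope)}?"

    def approve(self, user, client_id, scope, redirect_uri, state):
        # Step 4: the user says yes; a one-time code bound to client, redirect URI and
        # scope goes back to the consumer together with the consumer's own state value.
        self.consent_prompt(client_id, scope, redirect_uri)
        code = secrets.token_urlsafe(24)
        self.codes[code] = {"user": user, "client_id": client_id, "scope": tuple(scope),
                            "redirect_uri": redirect_uri, "expires": time.time() + 60}
        return {"code": code, "state": state}

    def token(self, client_id, client_secret, code, redirect_uri):
        # Step 5: back-channel exchange over TLS; this is the only place the secret is used.
        client = self.clients.get(client_id)
        grant = self.codes.pop(code, None)  # pop: a code can be redeemed once only
        if client is None or not secrets.compare_digest(client["secret"], client_secret):
            raise PermissionError("invalid_client")
        if grant is None or grant["expires"] < time.time():
            raise PermissionError("invalid_grant: unknown, used or expired code")
        if grant["client_id"] != client_id or grant["redirect_uri"] != redirect_uri:
            raise PermissionError("invalid_grant: code was issued to a different client/URI")
        access_token = secrets.token_urlsafe(32)
        self.tokens[access_token] = {"user": grant["user"], "client_id": client_id,
                                     "scope": grant["scope"]}
        return access_token

    def revoke(self, user, client_id):
        # The user revokes one app's tokens without touching any other app's.
        doomed = [t for t, v in self.tokens.items()
                  if v["user"] == user and v["client_id"] == client_id]
        for t in doomed:
            del self.tokens[t]


class ResourceServer:
    """Twitter's API: validates the bearer token and checks its scope per endpoint."""

    def __init__(self, auth):
        self.auth = auth  # stands in for token introspection or a signed JWT check
        self.stream = {}

    def _introspect(self, token, needed):
        info = self.auth.tokens.get(token)
        if info is None:
            raise PermissionError("invalid_token")
        if needed not in info["scope"]:
            raise PermissionError(f"insufficient_scope: need {needed}")
        return info

    def post_status(self, token, text):
        info = self._introspect(token, "tweet.write")
        self.stream.setdefault(info["user"], []).append(text)
        return len(self.stream[info["user"]])

    def read_stream(self, token):
        info = self._introspect(token, "tweet.read")
        return list(self.stream.get(info["user"], []))


def consumer_flow(auth, client_id, scope, user="joe"):
    """One consumer's view of steps 1-5. Assumes the browser round-trip happened;
    the consumer checks `state` on return so a forged callback cannot bind a
    stranger's code to the user's session (CSRF on the redirect endpoint)."""
    client = CLIENTS[client_id]
    state = secrets.token_urlsafe(16)
    callback = auth.approve(user, client_id, scope, client["redirect_uri"], state)
    if not secrets.compare_digest(callback["state"], state):
        raise PermissionError("state mismatch on callback")
    return auth.token(client_id, client["secret"], callback["code"], client["redirect_uri"])
```

Run it by creating `AuthorizationServer(CLIENTS)` and a `ResourceServer` over it, then calling `consumer_flow(auth, "bitly", ["tweet.read", "tweet.write"])` and `consumer_flow(auth, "linkedin", ["tweet.read"])`: the Bitly token can post, the LinkedIn token is refused with `insufficient_scope`, and `auth.revoke("joe", "bitly")` kills only Bitly’s token. A second `token()` call with the same code fails, as does redeeming Bitly’s code with LinkedIn’s credentials.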

OAuth 1.0 vs. OAuth 2.0

OAuth 2.0 is a complete redesign of OAuth 1.0, and the two are not compatible. If you create a new application today, use OAuth 2.0; OAuth 1.0 is deprecated. The dialogue above shows the 1.0-era mechanics (request tokens and signatures) because they make the roles easy to see, but everything else in this post refers to OAuth 2.0.

OAuth 2.0 is faster and easier to implement. OAuth 1.0 required every request to be signed with HMAC-SHA1 or RSA-SHA1 over a normalized copy of the request, which was error-prone to implement, offered essentially a single three-legged flow designed around web server consumers, and fit native and mobile applications poorly.

OAuth 2.0, on the other hand, defines several grant types for different kinds of applications (the core specification, RFC 6749, has four: authorization code, implicit, resource owner password credentials, and client credentials, plus refresh tokens; extensions add others such as the device authorization grant) and drops per-request signatures in favor of TLS. Its access tokens are bearer tokens: whoever presents one gets the access it grants, with no proof of possession. That is why TLS is mandatory in OAuth 2.0, and why tokens still have to be stored carefully and kept short-lived on the client even though they are protected in transit.

Other Resources

Hopefully, this was a good primer to get you familiar with OAuth so the next time you see “Sign-in with Twitter” or similar delegated identity verification, you’ll have a good idea of what is going on.


FAQs

What is OAuth? Definition and how it works

OAuth, or open authorization, is a widely adopted authorization framework that allows you to consent to an application interacting with another on your behalf without having to reveal your password. It does this by providing access tokens to third-party services without exposing user credentials.

What is OAuth 2.0 in layman's terms?

OAuth 2.0 enables the resource owner (i.e., the user) to give the client (i.e., the third-party application) access to their data without having to share their credentials. Instead, the credentials are shared with the authorization server, which issues an access token to the client.

How does OAuth work with a REST API?

To call a REST API protected by OAuth 2.0, the client first obtains an access token and then sends it with each request, normally in the Authorization: Bearer header. The token carries a scope and an expiry, and the API validates both before performing the requested task on the user's behalf.

What is the difference between OAuth and standard authentication?

OAuth (in practice OAuth 2.0) is an authorization framework used to protect specific resources, such as APIs or sets of files, while SAML and OIDC are authentication standards used to create secure sign-on experiences. OIDC does so by adding an identity token on top of an OAuth 2.0 flow.

What is the difference between SSO and OAuth?

With OAuth you don't give the user access, rather the user gives you permission to access another app on their behalf. With SSO, you give the user access to your app. Use OAuth if: You're building an app that needs to access or modify users' data on another app.

Why do we need OAuth?

It lets you grant an app or site access to data you keep on another service (a calendar, a file store, a social feed) without handing over the credentials for that service, and lets you revoke that access later without changing your password. When the goal is sign-on rather than data access, OpenID Connect layers an identity token on top of OAuth 2.0 to provide it.

Why is it a bad idea to use OAuth 2.0 for authentication?

An OAuth 2.0 access token exists to authorize requests to the resource server (API) it was issued for. It says nothing about who presented it or how that party obtained it. If a third party accepts possession of an access token as proof of who the user is, an attacker who obtained a token issued to any other app for that user can replay it and impersonate the user.

What is the difference between OAuth and an API key?

An API key identifies an application; an OAuth access token identifies an application acting for a specific user with a specific set of scopes. Standard API key practice struggles once write permissions have to be mixed with per-user authorizations, which is exactly what OAuth is designed to handle.

Why is OAuth better than basic authentication?

Basic Authentication sends the username and password with every request, so every application and intermediary that handles the request holds the credential, and the only way to cut off one app is to change the password for all of them. OAuth sends a scoped, expiring, individually revocable token instead; the password is entered only at the authorization server.

Does OAuth require a username and password?

OAuth provides a more secure way for users to share information with trusted third-party apps without sharing their credentials (username and password). The user grants access by clicking an approve button within the app or website that wants access to the user's data.

What is an example of OAuth2?

OAuth 2.0 allows users to share specific data with an application while keeping their usernames, passwords, and other information private. For example, an application can use OAuth 2.0 to obtain permission from users to store files in their Google Drives.

Why is OAuth not authentication?

Authentication is deliberately left out of OAuth 2.0 because it is a separate concern: the authorization server authenticates the user however it likes (password, hardware key, enterprise SSO) before asking for consent. That lets OAuth 2.0 concentrate on getting the resource owner to the authorization server and issuing access tokens, and OIDC on adding identity tokens for the client.

What is a real life example of OAuth2?

Here the authorization grant flow sends you to the Twitter website, where you are asked to enter your Twitter username and password. You never share those with LinkedIn; you are just authorizing LinkedIn to do some specific things for you.

What is the difference between an API key and OAuth2?

API keys can be an easy way to enforce some authentication, while OAuth is more sophisticated with more options. Here are some of the benefits of OAuth2 over the API key: Access token is tied to a specific user, not an app.

What is an example of access token authentication?

Access tokens are used in token-based authentication to allow an application to access an API. For example, a Calendar application needs access to a Calendar API in the cloud so that it can read the user's scheduled events and create new events.

What is an example of authentication and authorization?

Comparing these processes to a real-world example, when you go through security in an airport, you show your ID to authenticate your identity. Then, when you arrive at the gate, you present your boarding pass to the flight attendant, so they can authorize you to board your flight and allow access to the plane.

Article information

Author: Edmund Hettinger DC
