Lately I have wanted to dig deeper into my understanding of OAuth. OAuth is gaining popularity as more and more vendors open up their API access to third parties. Nowadays Twitter, Facebook, Flickr, Google and other services already use it to work with their API access.
What does OAuth basically do? Based on my understanding, to put it simply, it is mainly an authentication mechanism that you can use to bridge between the vendor site and the third-party site. It is important to note that with OAuth in place, from the users’ perspective, it helps reduce the security fear of having to input their credentials on the third-party site. From the developers’ perspective, you can reduce the redundancy of duplicating data and extract whatever context your website requires.
The idea is that:
- The user tries to access his/her content on the vendor site (e.g. photos, data, etc.) via a third-party site.
- The vendor site checks whether the third-party site already has a token, and whether it has expired.
- If the third-party site already has a token and it has not expired, the vendor returns the requested content. [End of story]
- If the third-party site does not have a token, or the token has expired, the user is required to log in to the vendor site to authorize the request.
- The vendor site creates an authorization code and responds with an HTTP redirect to the callback, passing along the newly granted authorization code.
- With the authorization code, the third-party site can now obtain the token. [Repeat step 3]
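To make the steps above concrete, here is an added simulation of that authorization-code exchange in Python. It is not code from this post or from any vendor's API; the client id, callback URL, token lifetime and user data are made-up values, and the vendor's login/consent step is assumed to have already happened when `authorize` is called. It also shows two checks the vendor side should make that the steps above only imply: the code is single-use and bound to the registered callback, and a token stops working once expired.

```python
import secrets

# Added simulation of the authorization-code flow outlined above; hypothetical
# names, not any vendor's real API. Time is passed in explicitly so expiry is testable.
TOKEN_TTL = 3600  # assumed access-token lifetime in seconds
CLIENT_ID, REDIRECT_URI = "photo-printer", "https://printer.example/callback"

class VendorSite:
    """Authorization server and resource server in one, for brevity."""
    def __init__(self):
        self.clients = {CLIENT_ID: REDIRECT_URI}  # client_id -> registered callback
        self.codes = {}    # code -> (client_id, redirect_uri, user)
        self.tokens = {}   # token -> (user, expires_at)
        self.photos = {"alice": ["beach.jpg", "cat.jpg"]}  # constructed sample data

    def authorize(self, user, client_id, redirect_uri):
        # Steps 4-5: the user has logged in and approved; mint a one-time code and
        # redirect to the registered callback only (never to a caller-supplied URL).
        if self.clients.get(client_id) != redirect_uri:
            raise ValueError("redirect_uri does not match registration")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, redirect_uri, user)
        return f"{redirect_uri}?code={code}"

    def exchange(self, code, client_id, redirect_uri, now):
        # Step 6: the code is single-use and bound to the client that requested it.
        entry = self.codes.pop(code, None)
        if entry is None or entry[:2] != (client_id, redirect_uri):
            raise ValueError("invalid, reused or mismatched code")
        token = secrets.token_urlsafe(24)
        self.tokens[token] = (entry[2], now + TOKEN_TTL)
        return token, TOKEN_TTL  # like a token response's access_token / expires_in

    def get_photos(self, token, now):
        # Steps 2-3: only a known, unexpired token returns content.
        user, expires_at = self.tokens.get(token, (None, 0))
        return None if user is None or now >= expires_at else self.photos[user]

def third_party_fetch(vendor, cache, user, now):
    """The third-party site's side: reuse a cached, unexpired token, otherwise
    run the code flow (the user's login/consent at the vendor is simulated)."""
    if cache.get("token") is None or now >= cache.get("expires_at", 0):
        callback_url = vendor.authorize(user, CLIENT_ID, REDIRECT_URI)
        code = callback_url.split("code=", 1)[1]   # what the callback handler receives
        token, ttl = vendor.exchange(code, CLIENT_ID, REDIRECT_URI, now)
        cache.update(token=token, expires_at=now + ttl)
    return vendor.get_photos(cache["token"], now)
```

Calling `third_party_fetch` three times with `now` = 0, 100 and 4000 runs the full flow, then reuses the cached token, then runs the flow again because the token has expired.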
Overview of OAuth:
http://hueniverse.com/2007/10/beginners-guide-to-oauth-part-i-overview/
Using OAuth with Twitter:
http://www.jaisenmathai.com/articles/twitter-php-oauth.html
Here’s a demo of the end-user experience, from the front-end view, of how OAuth works:
http://hueniverse.com/2007/10/oauth-end-user-experience-demo/
For a more detailed explanation and ease of reference, I have embedded a series of YouTube videos (4 parts) on the back-end flow of using OAuth.