What is OAuth?
OAuth is an emerging protocol for sharing information between applications without sharing passwords. Chances are good that you’ve already used OAuth but may not have been aware of it. (Palmolive – Madge, you’re soaking in it). OAuth is favored by social media sites such as Facebook, Twitter and LinkedIn and the broad ecosystem of applications that enhance those experiences. If you have ever allowed an application to access your Facebook data, OAuth is the protocol being leveraged behind the scenes to make that happen.
1. Should you even be concerned about OAuth?
The answer to this question is (drum roll please) it depends. If your business wants to cash in on or interoperate with social media in a meaningful way, then you should definitely read on. If not, then thanks for reading this far, and take some time to read other articles on my site before departing.
2. How is OAuth different from Basic authentication?
In a word, passwords! Basic authentication requires applications to store and transmit usernames and passwords to work. For many use cases, this is just fine. However, if your application interacts with other external web APIs, then Basic authentication is not advised for two reasons: 1. managing usernames and passwords for access to services is difficult and clumsy, and 2. the potential for security breaches. On the other hand, OAuth requires only that a user grant access rights to their data, without passing username and password information. In this way, if you change your password, all your linked applications will continue to work.
3. Is OAuth Safe?
It depends. OAuth can be just as safe as other authentication protocols, but you really need to know the spec, enforce and control access, and secure the communication channel. The best and most secure method for utilizing OAuth is to use an API Server.
4. What makes OAuth so unique?
In a nutshell, User Managed Access. Basically, OAuth gives the application end-user the power to control whether to accept or reject authorizations to share information or integrate with third-party systems, without passing user passwords.
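To make the two points above concrete (the password decoupling from section 2 and the user-managed grant and revocation from section 4), here is an added example that is not code from this site or from any OAuth library. It is a hypothetical, self-contained Python model of the three OAuth roles: an authorization server that alone holds the user's password and issues opaque, scoped tokens; a resource server that checks scope before releasing data; and a third-party app that only ever holds a token. The user name, password, client ids and scope strings are constructed for the demo. `run_demo()` walks through the same scenario under both models: the user authorizes an app, rotates their password, a second app gets a token with a different scope, and the user revokes only the first app.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed sample data; none of these names come from the article.
DEMO_USER = "madge"
DEMO_PASSWORD = "soak-it-in"
DEMO_CLIENT = "photo-printer-app"


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _token_key(token: str) -> str:
    # Tokens are stored hashed so a leaked grant table does not leak usable tokens.
    return hashlib.sha256(token.encode()).hexdigest()


@dataclass
class Grant:
    user: str
    client_id: str
    scopes: frozenset
    revoked: bool = False


class AuthorizationServer:
    """Hypothetical model of the authorization-server role: the only party that
    ever sees the password; clients receive opaque, scoped tokens instead."""

    def __init__(self):
        self._passwords = {}  # user -> (salt, pbkdf2 hash)
        self._grants = {}     # sha256(token) -> Grant

    def register_user(self, user, password):
        salt = secrets.token_bytes(16)
        self._passwords[user] = (salt, _hash_password(password, salt))

    def check_password(self, user, password):
        """Basic-auth style check: the caller must hold the password itself."""
        if user not in self._passwords:
            return False
        salt, stored = self._passwords[user]
        return hmac.compare_digest(stored, _hash_password(password, salt))

    def change_password(self, user, new_password):
        self.register_user(user, new_password)  # fresh salt and hash

    def authorize(self, user, password, client_id, scopes):
        """The user authenticates to *this* server (never to the client), consents,
        and the client is handed a token bound to exactly the approved scopes."""
        if not self.check_password(user, password):
            return None
        token = secrets.token_urlsafe(32)
        self._grants[_token_key(token)] = Grant(user, client_id, frozenset(scopes))
        return token

    def introspect(self, token):
        if not token:
            return None
        grant = self._grants.get(_token_key(token))
        return None if grant is None or grant.revoked else grant

    def revoke(self, user, client_id):
        """User-managed access: withdraw one app's grant without touching the
        password or any other app's grant."""
        for grant in self._grants.values():
            if grant.user == user and grant.client_id == client_id:
                grant.revoked = True


class ResourceServer:
    """Hypothetical API that trusts the authorization server's introspection
    and enforces scope before releasing data."""

    def __init__(self, auth_server):
        self._auth = auth_server
        self._profiles = {DEMO_USER: {"name": "Madge", "email": "madge@example.test"}}

    def get_profile(self, token):
        grant = self._auth.introspect(token)
        if grant is None:
            return 401, None   # unknown or revoked token
        if "profile:read" not in grant.scopes:
            return 403, None   # valid token, insufficient scope
        return 200, self._profiles[grant.user]


def run_demo():
    """Contrast password replay with delegated tokens; returns each step's outcome."""
    auth = AuthorizationServer()
    api = ResourceServer(auth)
    auth.register_user(DEMO_USER, DEMO_PASSWORD)
    results = {}

    # OAuth-style: the app receives a scoped token and never stores the password.
    token = auth.authorize(DEMO_USER, DEMO_PASSWORD, DEMO_CLIENT, ["profile:read"])
    results["oauth_initial"] = api.get_profile(token)[0]
    # Basic-style: the app would have to keep the password and replay it each call.
    results["basic_initial"] = auth.check_password(DEMO_USER, DEMO_PASSWORD)

    auth.change_password(DEMO_USER, "new-and-improved")   # the user rotates it
    results["basic_after_rotation"] = auth.check_password(DEMO_USER, DEMO_PASSWORD)
    results["oauth_after_rotation"] = api.get_profile(token)[0]

    # A token issued for a different scope cannot read the profile.
    narrow = auth.authorize(DEMO_USER, "new-and-improved", "calendar-app", ["calendar:read"])
    results["wrong_scope"] = api.get_profile(narrow)[0]

    # Revoking the photo app leaves the calendar app's grant intact.
    auth.revoke(DEMO_USER, DEMO_CLIENT)
    results["oauth_after_revoke"] = api.get_profile(token)[0]
    results["other_app_still_valid"] = auth.introspect(narrow) is not None
    return results


if __name__ == "__main__":
    for step, outcome in run_demo().items():
        print(f"{step:24s} -> {outcome}")
```

The password-rotation step is the one to watch: the Basic-style check fails as soon as the old password is gone, which is exactly the breakage of linked applications the article warns about, while the OAuth token keeps working until the user chooses to revoke it. Real deployments add token expiry and TLS on every hop, which this toy model leaves out.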
5. Where can you learn more about OAuth?
I suggest that you start at the source: http://www.oauth.net. I have to add one caveat: with this specification, it’s important to note that a newer or the latest spec doesn’t always mean better. Since the spec is constantly evolving, a new release could actually introduce unfavorable changes that you’ll need to stay on top of. Another source is Vordel, where we are helping many enterprise customers safely move to the API universe.