Tons of websites and apps need a minimum amount of your data before you can use them. In the example above, Canva is asking for our name, profile picture, and email address — likely for authentication.
Even though Facebook already holds the data Canva needs, Canva still needs our permission to fetch it from Facebook. One option would be to hand Canva our Facebook password, but that brings its own slew of privacy issues.
Instead, we let Facebook share only the required data with Canva, so the transfer happens while the rest of our personal information stays private. This mechanism is known as OAuth.
Open Authorization, or OAuth, is a way for us to give apps limited access to our user data without having to give away our password. Developers know OAuth as a standard that apps (like Facebook) can use to give client applications (like Canva) secure delegated access.
Big companies like Amazon, Google, Facebook, Microsoft, and Twitter use OAuth all the time so you can use your accounts with them to share information with the third-party apps you use, such as games, apps, or other websites. This makes it much simpler to keep your accounts in sync across various platforms.
Below is a technical definition of OAuth taken straight from Wikipedia.
OAuth is an open standard for access delegation, commonly used as a way for Internet users to grant websites or applications access to their information on other websites but without giving them the passwords.
Designed specifically to work with Hypertext Transfer Protocol (HTTP), OAuth essentially allows access tokens to be issued to third-party clients by an authorization server, with the approval of the resource owner. The third party then uses the access token to access the protected resources hosted by the resource server.
– OAuth, Wikipedia
So let’s break this definition down into plain English.
There are five keywords here that help make sense of it:
Open standards are publicly available technical standards that can be freely adopted, implemented and extended. In our case, anyone can adopt, implement, and extend OAuth however they like.
Access delegation is when somebody delegates (or entrusts) access to someone else. Your parents could delegate to you access to their house by giving you a copy of their house key.
Access tokens are keys that give the holder temporary, limited access to something. You can think of them like a temporary password, or like the copy of the key to your parents’ house.
Resources are data which you provide access to. In the example above with Facebook and Canva, Canva is asking for the following resources — your name, profile picture, and email address. Since Facebook has these resources, they are the resource owner.
Third-party clients are the ones to whom you delegate access. In most uses of OAuth, the third-party client is the application asking for resources from the resource owner. In the example above, Canva is the third-party client.
OAuth 2.0 is the second version of OAuth. It came out in October 2012, five years after OAuth 1.0, which came out in December 2007.
While OAuth 1.0 was developed primarily for websites, OAuth 2.0 was a major upgrade which could be used by both websites and apps. It also allowed for a greater variety of access tokens. Overall, OAuth 2.0 is easier to work with and is much more flexible.
Several platforms still use OAuth 1.0, but the majority of the world has moved on to OAuth 2.0, which is what most people mean today when they say OAuth.
Yes. OAuth is safe. In fact, it is one of the safest third-party authorization protocols out there. But since the user is technically giving away private information to a third party (something we’ve been told never to do), it is natural to question the safety of OAuth.
However, it should be noted that OAuth only lets the third party take the information the user agrees to give out, no more and no less. In most applications of OAuth (such as logging in to a website using Facebook), the third-party client clearly states which information it needs from the user. If the user agrees to give away sensitive information, the user has voluntarily put themselves at risk, like signing a contract without reading it first.
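To make the definition above and the "no more, no less" point concrete, here is a toy, in-process model of the OAuth 2.0 authorization code flow. It is example code written for this article, not Facebook's or Canva's real implementation; the client id, callback URL, scope names and profile values are constructed.

```python
import secrets
# Constructed sample profile standing in for the Facebook account in the article.
PROFILE = {"name": "Alice Example", "profile_picture": "https://example.invalid/alice.png",
           "email": "alice@example.invalid", "friends": ["bob", "carol"]}

class AuthorizationServer:  # Facebook's role: consent screen, codes, tokens
    def __init__(self, clients):
        self.clients, self.codes, self.tokens = clients, {}, {}  # clients: id -> redirect_uri
    def authorize(self, client_id, redirect_uri, scopes, user_consents):
        # The user sees exactly these scopes; the password never leaves this server.
        if self.clients.get(client_id) != redirect_uri:
            raise PermissionError("unknown client or redirect_uri mismatch")
        if not user_consents(scopes):
            raise PermissionError("user declined")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, frozenset(scopes))
        return code  # delivered to the client through redirect_uri
    def exchange(self, client_id, code):
        owner, scopes = self.codes.pop(code, (None, None))  # codes are single-use
        if owner != client_id:
            raise PermissionError("invalid, mismatched or already-used code")
        token = secrets.token_urlsafe(32)
        self.tokens[token] = scopes  # token is bound to the granted scopes only
        return token
    def scopes_for(self, token):
        return self.tokens.get(token)

class ResourceServer:  # Facebook's API: serves a field only if the token has that scope
    def __init__(self, auth):
        self.auth = auth
    def get(self, token, field):
        scopes = self.auth.scopes_for(token)
        if scopes is None or field not in scopes:
            raise PermissionError(f"token not valid for scope '{field}'")
        return PROFILE[field]

def canva_login(user_consents=lambda scopes: True):
    # Client (Canva) side of the flow; returns what it could and could not read.
    auth = AuthorizationServer({"canva": "https://canva.example/callback"})
    api = ResourceServer(auth)
    wanted = ["name", "profile_picture", "email"]
    code = auth.authorize("canva", "https://canva.example/callback", wanted, user_consents)
    token = auth.exchange("canva", code)
    got = {f: api.get(token, f) for f in wanted}
    try:  # anything beyond the consented scopes is refused
        got["friends"] = api.get(token, "friends")
    except PermissionError:
        got["friends"] = None
    return got
```

The client never handles the password, and a token cannot be used for fields the user was not shown on the consent screen.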
The entire reason OAuth exists is to protect as much of the user’s information as possible. By keeping your password secret and sharing only the necessary information, OAuth prevents your password from being compromised.
OAuth also protects your information if someone attacks the third-party client. For example, if you give Twitter access to your Facebook data via OAuth and Twitter gets hacked, your Facebook data stays completely safe.