OAuth for Dummies

Chamodi Samarawickrama
3 min read · Jul 9, 2019


Tried googling OAuth and all you came across was lots and lots of technical jargon? And you want to figure out what OAuth really is? If that’s the case that brings you here, you’re in for a treat. :3

A lot of people confuse OAuth with a login flow, or an API, or a service, but OAuth really isn’t any of those. It is simply a standard for authorization that provides secure delegated access. And while you’re reading this post, one key point you should keep in mind is that OAuth is about authorization and not authentication. What is the difference between the two, you ask?

Authorization is asking for permission to perform a task, whereas authentication is proving that you are who you claim to be. Got it? Ayyyy!

Why do we even need OAuth?

We all know that web security is a major concern in today’s world, because we do pretty much everything over the internet and cannot take even a slight risk of compromising our digital identity.

BUT, say for instance, we require a service from some random application where the credentials of one of our accounts are needed. (Imagine you’re trying to edit a bunch of photos in an online editor, where the photos actually reside in your Google Drive.) The easy-peasy way to get the job done is for the app to prompt for your email and password and pick up the photos for you. But giving away your credentials to some random application you just came across is a big NONO.

This is where OAuth shows up to save the day. OAuth provides the client application with an access token that allows the application to access only the permitted resources. Confused much? Let’s break it down with a simple, real-life, not-so-technical example.

This is Monica.

As you can see, she’s a cutie and all the boys in the town want to go out with her. Now Monica is at her office cricket match and wants to get her lunch.

So she walks up to the lunch stall and asks Johnny, the boy at the counter for her lunch.

Now this is Johnny and he’s a bit of a flirt. :(

Johnny goes “We only serve the office peeps so you need to prove that you’re from office and not some random girl passing by… Let me have your ID and I’ll verify with the office and get your lunch”.

Hmmmm… should our girl give away the ID to Johnny and take the risk of getting calls at 2 in the morning? Of course not!

So Monica walks to this other stall where her office security officer is, shows her ID and gets a lunch token. She then walks up to Johnny, gives him the token and gets her lunch. Hooray! And Johnny doesn’t even get to know what Monica’s name is!!

This right here is pretty much the principle driving OAuth. OAuth gives a client access to a user’s resource without exposing the user’s credentials, thereby protecting the user. The flow of OAuth changes with the way this access token (the lunch token in our case) is obtained. (These ways are called grant types, and we won’t discuss them for now.)
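To make the three roles concrete, here is an added Python sketch (not code from the original post) that plays Monica’s lunch-token story out as an OAuth-style exchange: the user authenticates with an authorization server (the security officer), which hands back an opaque, scoped token; the client (the photo editor) only ever holds the token; and the resource server (Johnny) checks the token before serving anything. It goes a little beyond the story by also showing a token being refused for a scope it was never granted, after it expires, and after it is revoked. The class names, user, password, scope strings and the introspect/revoke helpers are all assumptions invented for this example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample data for the demo: the user's password lives only here,
# on the authorization server side, and is never shown to the client.
USERS = {"monica": hashlib.sha256(b"correct horse battery staple").hexdigest()}
PHOTOS = {"monica": ["beach.jpg", "cricket.jpg"]}


class AuthorizationServer:
    """The office security officer: verifies the user's ID, hands out a lunch token."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so the demo can fast-forward time
        self._tokens = {}            # opaque token -> {"sub", "scope", "exp"}

    def issue_token(self, username, password, scope, ttl=3600):
        # The user authenticates here, directly with the authorization server.
        expected = USERS.get(username)
        given = hashlib.sha256(password.encode()).hexdigest()
        if expected is None or not hmac.compare_digest(expected, given):
            raise PermissionError("bad credentials")
        token = secrets.token_urlsafe(32)   # random and opaque: carries no user data
        self._tokens[token] = {"sub": username, "scope": set(scope),
                               "exp": self._clock() + ttl}
        return token

    def introspect(self, token):
        # The resource server asks: is this token still valid, for whom, for what?
        info = self._tokens.get(token)
        if info is None or self._clock() >= info["exp"]:
            return None
        return info

    def revoke(self, token):
        self._tokens.pop(token, None)


class ResourceServer:
    """Johnny at the lunch stall: accepts a token, never the user's ID."""

    def __init__(self, auth_server):
        self._auth = auth_server

    def _authorize(self, token, needed_scope):
        info = self._auth.introspect(token)
        if info is None:
            raise PermissionError("invalid or expired token")
        if needed_scope not in info["scope"]:
            raise PermissionError(f"token lacks scope {needed_scope}")
        return info["sub"]

    def list_photos(self, token):
        user = self._authorize(token, "photos:read")
        return list(PHOTOS[user])

    def delete_photo(self, token, name):
        user = self._authorize(token, "photos:delete")
        PHOTOS[user].remove(name)
        return True


class PhotoEditorClient:
    """The third-party app: it only ever holds the token, never the password."""

    def __init__(self, resource_server, token):
        self._rs = resource_server
        self._token = token

    def fetch_photos(self):
        return self._rs.list_photos(self._token)


def _attempt(action):
    """Run an action and report either 'allowed' or the refusal reason."""
    try:
        action()
        return "allowed"
    except PermissionError as err:
        return str(err)


def demo():
    fake_time = [1_000_000.0]
    auth = AuthorizationServer(clock=lambda: fake_time[0])
    photos_api = ResourceServer(auth)

    # Monica shows her ID to the security officer, not to the client app,
    # and asks for a read-only token that lasts ten minutes.
    token = auth.issue_token("monica", "correct horse battery staple",
                             {"photos:read"}, ttl=600)
    client = PhotoEditorClient(photos_api, token)

    results = {"photos": client.fetch_photos()}
    results["delete"] = _attempt(lambda: photos_api.delete_photo(token, "beach.jpg"))
    fake_time[0] += 601                     # fast-forward past the token's lifetime
    results["expired"] = _attempt(client.fetch_photos)
    fake_time[0] -= 601                     # rewind, then revoke it outright
    auth.revoke(token)
    results["revoked"] = _attempt(client.fetch_photos)
    return results


if __name__ == "__main__":
    for step, outcome in demo().items():
        print(f"{step}: {outcome}")
```

The `introspect` call stands in for the resource server checking the token with the authorization server; real deployments do this either by calling a token introspection endpoint or by verifying a signed token locally. The point the story makes is in `PhotoEditorClient`: it has a field for the token and none for the password.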

Hope you now have a basic understanding of what OAuth is. :)

Thanks for reading till the very end. ❤
