OAuth explained with real life example.
OAuth is a word which you might have heard many times while playing on internet. Ever wondered how this works or how this came into existence?
Few years earlier before OAuth, the authorization of a user on a website was done typically assigning a unique id and user-selective password. But now a days, you also see the dialogue box identical to below one along with the so called typical sign up method :
What is it??
- Officially it is stated as : “OAuth is an authorization framework that enables a third-party application to obtain a limited access to an HTTP service.”
- OAuth is an open standard protocol for authentication that allows a user to use Internet service functions, such as those provided by Facebook or Twitter, within other applications (desktop, web, mobile, etc.)
So after reading above couple of points, some noobs may fall into confusion that how does this works.
Consider the following example.
We ‘ll use analogy of real life to explain OAuth.
Analogy terms :
Mother : User of the application.
Father : User’s signed up account site.( OAuth provider )
Son : Third party client , aka owner of the application.( OAuth client )
Imagine that your mom wants some grocery from market and she wants you to buy it for her.
Here’s the conversation which will explain you the meaning OAuth in layman terms :
Mother : Hey son, go to market and bring me some caffeine. Take the required money from your father.
Son : Okay.
>>(Son( our third party site ) goes to father( OAuth provider ).)
Son : Hey dad, Mom told me to take money from you since she wants some things from market.
>>(Father( OAuth provider ) asks mother( User ) about the permission to give money to their son( OAuth client ))
Father : Hey, Shall I give him money ? and how much? ( Authorization of your application takes place here. )
Mother : Yes, give him. ( Permission grant by mother aka ‘User’ )
>>( Son gets the required things from market and returns them to mom )
>> Here returning things to mother can be thought of redirecting the user( or logging him in specifically ) to the third party site.
Here’s a good video explaining how the OAuth works :-
So basically when a user grants permission to the third party website( OAuth client ), Your OAuth provider( facebook, twitter, linkedin, github, etc ) provides a so called “ code ”. Specifically, it is a string which is used by the third party client to fake the OAuth Provider that the ‘ User ’ has grant permission to access some info of his account. As a result, the user gets logged in to the Third party website.
Once you authorize the third party site through your OAuth Provider, what happens on every successive login??
Next time when you want to log in to the website, then your previous access token is exchanged so as to get a new one with a ‘ POST ’ request. In this way, you don’t need to go through all the process above on every login.
Here’s a simple flow to what happens in the whole process :
Once you authorize the app, the following process occurs :
Thus the user gets logged in.
So that’s it! If still it doesn’t strike you, ask me your doubts in comments.
Thanks for reading! If you think this post was useful, please clap for the post to help to promote this piece to others.
Please support my work by buying me a cup of coffee! 😄