Guillem Fernandez

About my job and my passion.

OAuth 2

What is OAuth 2.0

In the environment in which we develop our applications, not taking advantage of the data and services offered by the world's largest technology and service companies can mean lost opportunities. At the same time, with such a variety of services available, the average user ends up registering multiple times on multiple services, so every time we ask a user to register and fill in their details is an occasion on which that user may be lost. Ideally, the user would instead point us to a place where we can find this information easily.

Services like Gmail, Facebook, Flickr, Twitter, etc. have data and resources available that can be interesting, but how can we access them? As you would expect, asking a user to enter into our server or our app the username and password of a third-party service, when we are newcomers, is not very convincing.

Initially, each of these services created its own API access authentication method, but this, as well as being a problem for developers, did not provide the necessary trust between services and complicated their use.

Finally, they decided to adopt OAuth as the standard for providing access to the resources each of these services offers.

OAuth-enabled services can provide, for example:

  • Access to data such as contacts, posts, etc.
  • Sharing of the user's activity in the service.
  • Access to stored data such as documents, images, etc.

These are resources like many others, with the advantage that each one can be enabled separately, so the user controls which of them the application may access and which not.

To put it simply, OAuth works the opposite of how we are used to. The user usually provides the correct username and password to access the whole service without restrictions, since the service is unable to distinguish where the access is being made from (not always, but in most cases). With OAuth, instead, the application requests access to only those resources the user wants to allow.

The main advantages of this system are that the sense of security is much higher, because the usernames and passwords of critical services are not stored by third-party applications; that the user has full control over which applications are allowed to use the service's resources at any moment and can revoke access for one without affecting any other application; and finally, that changing the password of a service does not affect the access of those third-party applications.

How does OAuth work

How an OAuth service is accessed depends on the kind of application accessing it. A client web application, a server application and a mobile app will not access it in the same way, but the essence is the same.

The steps to follow, in order, are:

  1. Register the app with the service provider to get a Client_id and a Client_secret.
  2. During registration, most services require you to specify the type of app you will be calling from, since the flow contains a redirect to a response URL, which in the case of mobile apps is not possible.
  3. Once registered, your app can offer access to the user. To do so, the app connects via an embedded web view to the service provider's page, sending in the header the information that identifies the app, that is, the Client_id, the Client_secret and the services the app wants to access.
  4. The service provider asks the user to sign in and grant access to the requested services.
  5. On success, instead of redirecting to a URL, the service provides the “acceptance code” in the title of the page.
  6. This code then has to be exchanged for a Token and a Refresh Token by calling a service provided by the service provider, again adding in the header of the call the parameters needed to obtain the tokens.
  7. You can obtain either a token that never expires, or a token with a limited lifetime together with a refresh token that must be used when the token expires to obtain a new pair.

From this point on, it is just a matter of requesting services from the service provider using the provided token.
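The steps above as an added example in Python (not code from the original post, which promises an Objective-C version): it builds the requests for the redirect-based variant mentioned in step 2 rather than the page-title variant, and adds a `state` value to bind the callback to the session, a check the steps do not mention. The endpoint URLs, client credentials and callback URL are constructed placeholders.

```python
# Added example (not the post's code); endpoints and credentials are constructed placeholders.
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

AUTH_ENDPOINT = "https://provider.example/oauth2/authorize"  # placeholder
TOKEN_ENDPOINT = "https://provider.example/oauth2/token"     # placeholder


def new_state():
    """Unguessable per-request value that ties the authorization response to this session."""
    return secrets.token_urlsafe(16)


def build_authorization_url(client_id, redirect_uri, scopes, state):
    """Step 3: the URL the embedded web view opens. It carries only the public client_id,
    the registered redirect_uri, the scopes and the state (RFC 6749 sect. 4.1.1)."""
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": " ".join(scopes),
              "state": state}
    return AUTH_ENDPOINT + "?" + urlencode(params)


def parse_callback(callback_url, expected_state):
    """Step 5: pull the acceptance code out of the redirect back to the app. A state
    mismatch means this session did not start the request, so the code is discarded."""
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: discarding authorization response")
    if "error" in query:                       # user denied or provider error
        raise PermissionError(query["error"][0])
    return query["code"][0]


def build_token_request(client_id, client_secret, code, redirect_uri):
    """Step 6: exchange the code for tokens. This is the request that carries the
    client_secret, sent as HTTP Basic credentials (RFC 6749 sect. 2.3.1)."""
    body = {"grant_type": "authorization_code", "code": code,
            "redirect_uri": redirect_uri}
    return {"url": TOKEN_ENDPOINT, "auth": (client_id, client_secret), "data": body}


def build_refresh_request(client_id, client_secret, refresh_token):
    """Step 7: when the access token expires, trade the refresh token for a new pair."""
    body = {"grant_type": "refresh_token", "refresh_token": refresh_token}
    return {"url": TOKEN_ENDPOINT, "auth": (client_id, client_secret), "data": body}


def token_expired(token_response, issued_at, now=None, skew=30):
    """Refresh `skew` seconds early; no expires_in means the never-expiring variant of step 7."""
    ttl = token_response.get("expires_in")
    if ttl is None:
        return False
    return (time.time() if now is None else now) >= issued_at + ttl - skew
```

Each returned dict maps directly onto the `url`, `auth` and `data` arguments of an HTTP client's POST call; the JSON reply is the token response passed to `token_expired`.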

It can all seem a bit confusing. If you are not a technical person, don't worry: “How does OAuth work” is not for you. If you are and want to know more, I'll post an implementation in Objective-C in the coming days.

I hope you've liked it, and don't forget to send me your comments through Twitter or by email.
