OAuth

OAuth is a system that allows users to have two different applications communicate with each other on the user's behalf without having to tell the applications the user's password. You have doubtless used this system many times, but you may not know it. For example, some commenting systems let you log in with your Facebook or Google+ account. This is done with OAuth.

How Does OAuth Work?

Imagine that you have a WordPress blog and you want it to automatically tweet out an announcement each time you publish an article. So you use the plugin WP to Twitter. Rather than telling the plugin your Twitter password, you use OAuth.

You start by telling WP to Twitter that you want it to post tweets using your account. So WP to Twitter goes to Twitter and asks for permission. Twitter gives WP to Twitter a token, which it then gives to you along with the instructions to go to Twitter and authorize the request. Once you do that, WP to Twitter can post tweets for you.

A Brief History of OAuth

In 2006, Twitter was in the process of implementing OpenID — a widely used system that allowed users to have a single ID that they could use to log into many different accounts on the internet. But it did not have open standards that would allow an access delegation API to be built. So they started working on OAuth, which would allow developers to create applications that would request and grant access to specific aspects of websites.

The initial specification, OAuth 1.0, was released in 2007, but it was not official until 2010. Although it was a very useful system and was widely used, it was not well designed for certain uses including its use with mobile devices. So in 2012, OAuth 2.0 was released. The two versions are not compatible. But OAuth 2.0 is more secure and is designed with "authorization flows" for different kinds of devices including phones and even appliances.

Controversy

Eran Hammer was one of the main people involved in the development of OAuth 1.0. He was also involved in OAuth 2.0, but shortly before its official release, he broke with the project. And he was so unhappy with both versions of OAuth (which you can see in a talk he gave that is not safe for work) that he created his own replacement, Oz.

Overview of OAuth

Before trying to add OAuth in your own applications, it is a good idea to get a general overview of the system.

Getting Started With OAuth

OAuth isn't a development platform. It is a tool that you will use as part of some other application. For example, you wouldn't want to write a program that can only accesses a user's Facebook account. You would want to do that for some reason. So if you are reading this page, you must have some application that needs the capabilities of OAuth to run like the blog tweeting plugin we discussed above.

General Introduction

Here are some general introductions:

  • OAuth 2 Simplified: Aaron Parecki's overview of the development process in a general sense.
  • OAuth Coding Examples: various examples in many different languages.
  • Read the Docs Sample Code: general code samples as well as some for specific services. Includes examples for:
    • Bitbucket
    • GitHub
    • Google
    • Facebook
    • LinkedIn
    • Tumblr

Specific Services

Generally, using OAuth depends upon the service that you want connect to. Most services have their own quirks and extensions. So below we have included tutorials for a number of popular services:

Advanced OAuth Coding

After you get the basics of OAuth down, there are a number of ways you can continue to learn.

Books

If you really want to get serious about OAuth, you should probably get a book about it. There are a number of them that provide a thorough introduction to it.

Online Forums

There isn't much available in terms of general online forums regarding OAuth. In general, forums focus on specific services.

OAuth Tools

A number of services provide tools to facilitate OAuth.

Libraries

See oauth.net for a more complete list of libraries. Here are extra ones including some for OAuth 1.0:

Going Forward

Since OAuth is not an end in itself but a tool to allow you to add greater power to your programs, you are likely to learn it by doing. We've presented a lot of resources here to get you started and allow you to dig into the system. How you use it is up to you.