OAuth (Open Authorization) is a specification for client applications to access protected resources on behalf of a user. It was developed as an alternative to users handing out their login credentials to third-party applications.
Description
OAuth is an open standard for authorization. It gives client applications "secure delegated access" to server resources on behalf of a resource owner, by specifying a process through which resource owners authorize third-party access to their server resources without sharing their credentials. Designed specifically to work with Hypertext Transfer Protocol (HTTP), OAuth allows an authorization server to issue access tokens to third-party clients with the approval of the resource owner (the end user). The client then presents the access token to the resource server to access the protected resources it hosts. OAuth is commonly used to let web users log in to third-party web sites with their Google, Facebook or Twitter accounts, without exposing their passwords to those sites.
OAuth is complementary to, and distinct from, OpenID. It is also distinct from OATH, which is a reference architecture for authentication, not a standard.
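The paragraph above describes the roles (resource owner, client, authorization server, resource server) and the two steps of the flow: a token is issued with the user's approval, then presented to the resource server. The following is an added example, not code from the page or from any OAuth library, that walks through the OAuth 2.0 authorization-code grant in process. The three parties are plain Python objects calling each other directly (in a real deployment each call is an HTTPS request), the client registration, user "alice" and her contact list are constructed data, and the checks shown (registered redirect_uri only, unguessable state echoed back and verified, single-use short-lived code, client authentication at the token endpoint, bearer token and scope checked by the resource server) are the ones a defender expects each party to perform:

```python
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

class AuthorizationServer:
    """Issues single-use codes and short-lived bearer tokens once the resource owner approves."""
    def __init__(self, clients):
        self.clients = clients  # client_id -> {"secret": str, "redirect_uri": str}, registered out of band
        self.codes = {}         # authorization code -> grant details
        self.tokens = {}        # access token -> {"user", "scope", "expires"}

    def authorize(self, client_id, redirect_uri, scope, state, user):
        """Authorization endpoint, called after the user has approved: returns the redirect-back URL."""
        client = self.clients.get(client_id)
        # Never redirect to an unregistered URI: the code would leak to whoever controls it.
        if client is None or redirect_uri != client["redirect_uri"]:
            raise ValueError("unknown client or redirect_uri mismatch")
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                            "user": user, "scope": scope, "expires": time.time() + 60}
        # state is echoed unchanged so the client can tie this response to its own request
        return redirect_uri + "?" + urlencode({"code": code, "state": state})

    def token(self, client_id, client_secret, code, redirect_uri):
        """Token endpoint: the client authenticates itself and swaps the code for a token."""
        client = self.clients.get(client_id)
        if client is None or not secrets.compare_digest(client["secret"], client_secret):
            raise PermissionError("invalid_client")
        grant = self.codes.pop(code, None)  # pop() makes the code single-use
        if (grant is None or grant["client_id"] != client_id
                or grant["redirect_uri"] != redirect_uri or grant["expires"] < time.time()):
            raise PermissionError("invalid_grant")
        access_token = secrets.token_urlsafe(32)
        self.tokens[access_token] = {"user": grant["user"], "scope": grant["scope"],
                                     "expires": time.time() + 3600}
        return {"access_token": access_token, "token_type": "Bearer", "expires_in": 3600}

class ResourceServer:
    """Hosts the protected resource; it checks the bearer token, never a password."""
    def __init__(self, auth_server):
        self.auth_server = auth_server
        self.contacts = {"alice": ["bob@example.com", "carol@example.com"]}  # constructed data

    def get_contacts(self, authorization_header):
        scheme, _, token = authorization_header.partition(" ")
        info = self.auth_server.tokens.get(token) if scheme == "Bearer" else None
        if info is None or info["expires"] < time.time():
            raise PermissionError("invalid_token")
        if "contacts.read" not in info["scope"].split():
            raise PermissionError("insufficient_scope")
        return self.contacts[info["user"]]

class Client:
    """Third-party app that wants the user's contacts without ever seeing the user's password."""
    def __init__(self, client_id, client_secret, redirect_uri):
        self.client_id, self.client_secret, self.redirect_uri = client_id, client_secret, redirect_uri
        self.pending_states = set()

    def start(self, scope):
        state = secrets.token_urlsafe(16)  # unguessable value bound to this browser session
        self.pending_states.add(state)
        return {"response_type": "code", "client_id": self.client_id, "state": state,
                "redirect_uri": self.redirect_uri, "scope": scope}

    def finish(self, redirect_url, auth_server):
        params = parse_qs(urlparse(redirect_url).query)
        state = params.get("state", [None])[0]
        if state not in self.pending_states:  # response not tied to a request this client made
            raise PermissionError("state_mismatch")
        self.pending_states.discard(state)
        return auth_server.token(self.client_id, self.client_secret, params["code"][0], self.redirect_uri)

def rejected(action):
    try:
        action()
    except PermissionError:
        return True
    return False

def run_dance():
    """Runs the full flow plus two negative checks; returns a summary dict."""
    auth = AuthorizationServer({"photo-app": {"secret": "s3cret", "redirect_uri": "https://photo.example/cb"}})
    client = Client("photo-app", "s3cret", "https://photo.example/cb")
    resources = ResourceServer(auth)
    req = client.start("contacts.read")
    # The user, logged in at the authorization server, reviews the request and clicks "Allow".
    back = auth.authorize(req["client_id"], req["redirect_uri"], req["scope"], req["state"], "alice")
    tok = client.finish(back, auth)
    contacts = resources.get_contacts(f"{tok['token_type']} {tok['access_token']}")
    code = parse_qs(urlparse(back).query)["code"][0]
    return {
        "contacts": contacts,
        "code_replay_rejected": rejected(lambda: auth.token("photo-app", "s3cret", code, "https://photo.example/cb")),
        "forged_redirect_rejected": rejected(lambda: client.finish("https://photo.example/cb?code=x&state=nope", auth)),
    }
```

Running `run_dance()` returns the user's contacts together with two booleans showing that a second use of the same authorization code and a redirect carrying a `state` the client never issued are both refused. Note what the client never receives at any point: the user's password. It only ever holds a scoped bearer token that the authorization server can expire or revoke independently of the user's credentials, which is the property the description above is built on.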
Resources
- RFC 5849 - The OAuth 1.0 Protocol. The RFC is the stable and recommended specification to implement; it is based on the obsolete OAuth Core 1.0 Revision A specification.
- RFC 6749 - The OAuth 2.0 Authorization Framework. This specification replaces and obsoletes the OAuth 1.0 protocol described in RFC 5849.
- "OAuth Code Library Support" on Google Groups.
- Basic protocol workflow. Explanation of the OAuth "dance".
- OAuth resources. A good walkthrough of the OAuth 1.0 specification.
- OAuth libraries. An overview of various OAuth implementations in different languages.
- Key differences OAuth 1.0/2.0. An answer to a Stack Overflow question asking for the differences between OAuth 1.0 and 2.0.