OAuth Simplified

In my earlier post we saw what SAML is. Basically it works over HTTP, i.e. for web pages and the like.
But what if you wanted to have SSO in an app, for example a mobile app? There are workarounds to implement SAML, but the straightforward way of doing it would be to use OAuth, a recent boy in the neighbourhood which, unlike SAML (which is older than 6 years), is designed with the future in mind: native apps and mobile apps.

As usual, the definition is:



OAuth is an open standard for authorisation. OAuth provides a method for clients to access server resources on behalf of a resource owner (such as a different client or an end-user). It also provides a process for end-users to authorise third-party access to their server resources without sharing their credentials (typically, a username and password pair), using user-agent redirections.

Please observe the definition: it says Authorisation and not Authentication!


What it means is that if you have an app on your phone and would like it be able to 


From Google's docs we see this:

OAuth 2.0 is a relatively simple protocol. To begin, you register your application with Google. Then your client application requests an access token from the Google Authorization Server, extracts a token from the response, and sends the token to the Google API that you want to access.



So it's basically a user trying to use a web app or a standalone mobile or desktop app, which first requests permission from Google's servers; once the user approves the app, it can fetch resources from the service provider.
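The steps in Google's description, sketched for a native app as an added example (not code from this post or from Google). It goes slightly beyond the text by including the `state` check and PKCE (RFC 7636) that such an app would normally use; the endpoint, client ID and redirect URI are placeholders.

```python
import base64, hashlib, json, secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Assumed values for illustration: placeholder endpoint and client registration.
AUTHORIZE_URL = "https://auth.example.com/authorize"
CLIENT_ID = "demo-client-id"
REDIRECT_URI = "http://127.0.0.1:8765/callback"

def challenge_for(verifier):
    """PKCE S256 (RFC 7636): base64url(SHA-256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def authorization_url(scope, state, verifier):
    """Step 1: URL the user-agent is sent to so the user can approve the app."""
    return AUTHORIZE_URL + "?" + urlencode({
        "response_type": "code", "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI, "scope": scope, "state": state,
        "code_challenge": challenge_for(verifier),
        "code_challenge_method": "S256"})

def code_from_callback(callback_url, expected_state):
    """Step 2: accept the code only if `state` is the one we sent (CSRF check)."""
    q = parse_qs(urlparse(callback_url).query)
    if "error" in q:
        raise ValueError("authorization failed: " + q["error"][0])
    state = q.get("state", [""])[0]
    if not secrets.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch, discarding response")
    if "code" not in q:
        raise ValueError("no authorization code in callback")
    return q["code"][0]

def token_request_body(code, verifier):
    """Step 3: form body POSTed to the token endpoint to swap code for token."""
    return urlencode({"grant_type": "authorization_code", "code": code,
                      "redirect_uri": REDIRECT_URI, "client_id": CLIENT_ID,
                      "code_verifier": verifier})

def bearer_header(token_response_json):
    """Step 4: extract the access token and build the header sent to the API."""
    body = json.loads(token_response_json)
    if body.get("token_type", "").lower() != "bearer" or not body.get("access_token"):
        raise ValueError("unexpected token response")
    return {"Authorization": "Bearer " + body["access_token"]}

if __name__ == "__main__":
    verifier, state = secrets.token_urlsafe(64), secrets.token_urlsafe(16)
    print(authorization_url("profile", state, verifier))
```

The app never sees the user's password at any step: it only handles the short-lived code and the token issued after the user approves.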

One very nice definition to look up is here.

This is what OAuth does, it allows you the User to grant access to your private resources on one site (which is called the Service Provider), to another site (called Consumer, not to be confused with you, the User). 

At this point in time I would like to give some relief to those who still haven't understood it: relax, it seems like OAuth will be obsolete soon.