What is OAuth?

OAuth, or open authorization, is a widely adopted authorization framework that allows you to consent to an application interacting with another on your behalf without having to reveal your password. It does this by providing access tokens to third-party services without exposing user credentials. 

OAuth's main value is that it provides applications with secure designated access so that users can engage with the secure portions of a website without the need to create a new account with new credentials. 

Let us say you want to tweet a story you are reading on CNN.com. When you click on the tiny blue bird icon on the CNN.com article's webpage, a window will pop up asking you to log in to Twitter. By logging in to Twitter at that moment (or perhaps you are already logged in), you are telling Twitter that it is okay for CNN.com to post on your Twitter feed without providing CNN.com your Twitter password.      

This is not only convenient but also prudent because you do not need to create an account with CNN.com just to post to Twitter. Additionally, should CNN.com experience a breach, your Twitter password remains safe.

Instead of sharing password data, OAuth uses authorization tokens to prove an identity between consumers and service providers, such as Twitter, Facebook, and Google. Most users are blissfully unaware of what is going on in the background. As such, from a user experience perspective, OAuth delivers much-needed functionality for users needing to engage with different services that require sign-on.

How OAuth Works

OAuth is about authorization and not authentication—and yes, there is a difference. Authentication is proving your identity so that you can gain entry to an application or system. Authorization is asking for and receiving permission to access specific data, features, or areas of that application or system.

OAuth has nothing to do with authentication. The "auth" part of its name stands for authorization, not authentication. OAuth does not pass credentials between users and service providers and instead only authorizes secure access in the form of temporary tokens. 

Like in the example above, using the OAuth protocol, CNN.com will know your Twitter username but not your Twitter password.

OAuth Tokens

OAuth uses access tokens to grant temporary access to third parties. The tokens are typically used short term, but some can grant recurring access.

An analogy that might better explain OAuth is to think of the separate valet key you would give to a valet when parking your car. The valet key is not the same as the main key because it only gives the valet limited access to your car. A valet key will not open the trunk or a locked glove box, so the valet cannot access any personal, valuable items. Some valet keys have further limitations, such as allowing the car to only be driven a certain number of miles.

An OAuth token functions the same way. A website or service is provided a different valet key and never has the "main" key to access any of the private data or credentials contained in the main key. 

OAuth Flow

Let us have a look at how OAuth authorizes access. Assume a user has already signed in to a website or service, and now the user wants to initiate a transaction that needs access to a third-party site or service. The authorization process follows the steps below: 

  1. The application requests authorization to access a protected service provider.
  2. The user authorizes the request.
  3. The application provides proof of user authorization to the service provider in exchange for an access token. 
  4. The user is redirected to the service provider to provide permission.
  5. Once approved by the user, the application obtains the access token.
  6. The application requests access to the protected resources from the service provider.

The greatest benefit of OAuth for a website, such as a news, community, or e-commerce site, is that authenticated website access can be extended to an unlimited number of additional users without those users creating new accounts requiring an email address and a new password. OAuth reduces friction for both parties. Websites can scale, and users do not have to create yet another online account. 

Further, there is more security. When a user joins a website by signing in with Facebook, for example, if that website becomes the target of a cyberattack, users who logged on with OAuth will not have their credentials exposed or stolen.

OAuth 1.0 vs. OAuth 2.0

OAuth 1.0 and OAuth 2.0 are completely different and surprisingly not compatible. Version 1.0, now deprecated, was designed specifically for websites. It was considered complicated and did not scale. Version 2.0, on the other hand, provides authorized access to application programming interfaces (APIs) and encrypts the OAuth tokens in transit, so there is no need for encryption at the endpoints.

OAuth 2.0 was designed to be more interoperable between sites and devices. It also has token expiration, which did not exist in version 1.0. Although versions 1.0 and 2.0 are not compatible, a website can actually support both versions. The creators of version 2.0 intended for websites using version 1.0 to completely replace it with version 2.0. 

The Differences Between OAuth, OpenID, and SAML

Besides OAuth, other frameworks, protocols, and security technologies exist to manage authentication, authorization, and identity. Let us have a look at two others: OpenID and SAML.

If OAuth is for authorization, OpenID is for authentication. Created in 2005 to log in to LiveJournal, one of the early blogging websites, OpenID was adopted as a way to sign in with the same username and password across multiple sites. 

Ironically, in a way, internet users do this anyway. When prompted to create a new username and password for a website, they often default to the same credentials they have used repeatedly with other sites. While this helps them to remember their credentials, the practice can also leave them vulnerable to cyberattacks. Physically typing credentials into a website that are also used for multiple other sites increases the chances of malicious actors intercepting sensitive user data. 

In a man-in-the-middle attack, cyberattackers use Wi-Fi eavesdropping or session hijacking to steal credentials, in hopes to gain entry into other websites.

Eventually, the developer community lost their enthusiasm with OpenID, especially as Facebook and its soon-to-be-ubiquitous "Sign in with Facebook" capability started spreading throughout the internet. However, rather than completely retiring OpenID, the developers released a reinvented version in 2014 as an authentication layer for OAuth. With this new version, OpenID and OAuth complement each other. 

The Security Assertion Markup Language (SAML) is another technology often discussed in the same context as OAuth. SAML is a protocol that allows an identity provider (IdP) to forward a user's credentials to a service provider (SP) to perform both authentication and authorization for that user to access a service. SAML uses Extensible Markup Language (XML) to standardize communications between various systems. 

Because OAuth only performs authorization, an SP would need an additional authentication layer, like OpenID, to perform authentication. SAML can provide single sign-on (SSO) functionality on its own.

SAML is older than OAuth and OpenID, and because it is more often used in enterprise applications, the developer community sought to create a more lightweight and consumer-facing framework, especially as consumers increasingly access sites and applications using different endpoints, both personal and corporate. OAuth uses the more lightweight JSON open standard file format, which also performs better on mobile, for encoding data. 

With all of these technologies, note that it is not an either-or scenario because businesses can use all three solutions to achieve different goals.

How IAM Can Strengthen Your Authentication Protocols

The Fortinet identity and access management (IAM) solution allows IT administrators to securely confirm the identities of both users and devices as they enter the corporate network. The Fortinet IAM, which includes FortiAuthenticator and FortiToken, enables organizations to control and manage identity to ensure that the right users are connected to the right devices, applications, and systems at the right time, all while protecting against unauthorized access. 

Further, Fortinet SSO solutions support modern authentication methods, such as OAuth and SAML.