What is OAuth? How does OAuth Work?

OAuth uses access tokens to grant temporary access to third parties. The tokens are typically used short term, but some can grant recurring access.

Think of the separate valet key you would give to a valet when parking your car. The valet key is not the same as the main key because it only gives the valet limited access to your car. A valet key will not open the trunk or a locked glove box, so the valet cannot access any personal, valuable items. Some valet keys have further limitations, such as allowing the car to only be driven a certain number of miles.

An OAuth token functions the same way. A website or service is provided a different valet key and never has the "main" key to access any of the private data or credentials contained in the main key. 

Let us have a look at how OAuth authorizes access. Assume a user has already signed in to a website or service, and now the user wants to initiate a transaction that needs access to a third-party site or service. The authorization process follows the steps below: 

1. The application requests authorization to access a protected service provider.
2. The user authorizes the request.
3. The application provides proof of user authorization to the service provider in exchange for an access token. 
4. The user is redirected to the service provider to provide permission.
5. Once approved by the user, the application obtains the access token.
6. The application requests access to the protected resources from the service provider.

The greatest benefit of OAuth for a website, such as a news, community, or e-commerce site, is that authenticated website access can be extended to an unlimited number of additional users without those users creating new accounts requiring an email address and a new password. Open authorization reduces friction for both parties. Websites can scale, and users do not have to create yet another online account. 

Further, there is more security. When a user joins a website by signing in with Facebook, for example, if that website becomes the target of a cyberattack, users who logged on with OAuth will not have their credentials exposed or stolen.

OAuth 1.0 and 2.0 are completely different and surprisingly not compatible. Version 1.0, now deprecated, was designed specifically for websites. It was considered complicated and did not scale. Version 2.0, on the other hand, provides authorized access to application programming interfaces (APIs) and encrypts the tokens in transit, so there is no need for encryption at the endpoints.

OAuth 2.0 was designed to be more interoperable between sites and devices. It also has token expiration, which did not exist in version 1.0. Although versions 1.0 and 2.0 are not compatible, a website can actually support both versions. The creators of version 2.0 intended for websites using version 1.0 to completely replace it with version 2.0. 

Other frameworks, protocols, and security technologies exist to manage authentication, authorization, and identity. Let us have a look at two others: OpenID and SAML.

If OAuth is for authorization, OpenID is for authentication. Created in 2005 to log in to LiveJournal, one of the early blogging websites, OpenID was adopted as a way to sign in with the same username and password across multiple sites. 

Ironically, in a way, internet users do this anyway. When prompted to create a new username and password for a website, they often default to the same credentials they have used repeatedly with other sites. While this helps them to remember their credentials, the practice can also leave them vulnerable to cyberattacks. Physically typing credentials into a website that are also used for multiple other sites increases the chances of malicious actors intercepting sensitive user data. 

In a man-in-the-middle attack, cyberattackers use Wi-Fi eavesdropping or session hijacking to steal credentials, in hopes to gain entry into other websites.

Eventually, the developer community lost their enthusiasm with OpenID, especially as Facebook and its soon-to-be-ubiquitous "Sign in with Facebook" capability started spreading throughout the internet. However, rather than completely retiring OpenID, the developers released a reinvented version in 2014 as an authentication layer for OAuth. With this new version, OpenID and OAuth complement each other. 

The Security Assertion Markup Language (SAML) is another technology often discussed in the same context as OAuth. SAML is a protocol that allows an identity provider (IdP) to forward a user's credentials to a service provider (SP) to perform both authentication and authorization for that user to access a service. SAML uses Extensible Markup Language (XML) to standardize communications between various systems. 

Because open authorization only performs authorization, an SP would need an additional authentication layer, like OpenID, to perform authentication. SAML can provide single sign-on (SSO) functionality on its own.

SAML is older than the other framework protocols and because it is more often used in enterprise applications, the developer community sought to create a more lightweight and consumer-facing framework, especially as consumers increasingly access sites and applications using different endpoints, both personal and corporate. OAuth uses the more lightweight JSON open standard file format, which also performs better on mobile, for encoding data. 

With all of these technologies, note that it is not an either-or scenario because businesses can use all three solutions to achieve different goals.