What is OAuth, and How Does it Work? - Techno Brigade
Wednesday, 30 August 2017
OAuth (Open Authorization) is a widely used authorization framework for APIs (Application Programming Interfaces).
It gives client applications "secure delegated access" to server resources on behalf of a resource owner: it specifies a process by which resource owners authorize third-party access to their resources without sharing their credentials. It is designed specifically to work over the Hypertext Transfer Protocol (HTTP). Note that it is an authorization mechanism rather than a user authentication system: an access token says what a client is allowed to do, not who the user is.


So, What Is OAuth?

OAuth is an open standard for access delegation, commonly used as a way for Internet users to grant websites or applications access to their information on other websites without giving them their passwords. Companies such as Google, Facebook, Microsoft and Twitter use it to let users share information about their accounts with third-party applications or websites.

It is an open standard for token-based authorization on the Internet.
It allows an end user's account information to be used by third-party services without exposing the user's password. OAuth acts as an intermediary on behalf of the end user, giving the third-party service an access token that authorizes specific account information to be shared. The sequence of steps for obtaining the token is called a flow. OAuth on its own does not tell the client who the user is; "log in with" style authentication is layered on top of OAuth 2.0 by OpenID Connect.
It comes in two versions, OAuth 1.0 (revised as OAuth 1.0a and published as RFC 5849) and OAuth 2.0 (RFC 6749).
OAuth 2.0 differs from OAuth 1.0 to a great extent, though both were meant to address the same problem.
OAuth 2.0 addresses it with greater ease for developers and client applications, with a well-defined framework, less confusion, and more flexibility and options. OAuth 2.0 is a completely new protocol and is not backward compatible with OAuth 1.0.


OAUTH 1.0
Security is ensured with the use of cryptography, in particular message signatures.
Every request to the server is signed. With the HMAC-SHA1 method the signing key is built from the client (consumer) secret issued by the authorization service (e.g. Facebook, Google) together with the token secret, so the secrets themselves never travel on the wire; the RSA-SHA1 method signs with the client's private key instead.
Before signing, all request parameters (query string, form body and the oauth_* header fields) have to be percent-encoded, sorted and concatenated into a "signature base string". This annoyed developers: it increased the overhead of implementation and debugging and resulted in complex client-side code, and a single encoding difference between client and server makes the signature check fail.
However, if you are using it over SSL/TLS (HTTPS) you have the option of the "PLAINTEXT" signature method, which sends the secrets in place of a computed signature and saves the hassle of the crypto computation. It is only safe because the transport encrypts the request; over plain HTTP it would hand the secrets to anyone on the path.
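The signing procedure described above, carried out in code as an added example (not code from the original post): the query, form body and oauth_* header fields are collected, percent-encoded, sorted and joined into the signature base string, which HMAC-SHA1 then signs with a key made of the client secret and token secret; the PLAINTEXT method is shown for contrast. The request is the worked example printed in RFC 5849 section 3.4.1; the two secrets and all function names are values constructed for this example.

```python
"""OAuth 1.0 request signing: HMAC-SHA1 and PLAINTEXT (RFC 5849 section 3.4).

Added example, not code from the original post. The request below is the
worked example printed in RFC 5849 section 3.4.1; the two secrets are values
constructed for this example.
"""
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit

RFC_URL = "http://example.com/request?b5=%3D%253D&a3=a&c%40=&a2=r%20b"
RFC_BODY = "c2&a3=2+q"                      # application/x-www-form-urlencoded body
RFC_OAUTH_PARAMS = {                        # the oauth_* fields of the Authorization header
    "oauth_consumer_key": "9djdj82h48djs9d2",
    "oauth_token": "kkk9d7dh3k39sjv7",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "137131201",
    "oauth_nonce": "7d8f3e4a",
}
CLIENT_SECRET, TOKEN_SECRET = "j49sk3j29djd", "dh893hdasih9"   # constructed secrets


def oauth_encode(value: str) -> str:
    """RFC 5849 section 3.6: only A-Z a-z 0-9 - . _ ~ stay bare; everything else is %XX of UTF-8."""
    return quote(value, safe="-._~")


def base_string_uri(url: str) -> str:
    """Scheme and host lower-cased, default port dropped, query and fragment removed."""
    parts = urlsplit(url)
    scheme, host = parts.scheme.lower(), parts.hostname.lower()
    if parts.port is not None and parts.port != {"http": 80, "https": 443}.get(scheme):
        host = f"{host}:{parts.port}"
    return f"{scheme}://{host}{parts.path or '/'}"


def normalize_params(params) -> str:
    """Encode every name and value, sort by name then value, join as name=value&name=value."""
    encoded = sorted((oauth_encode(k), oauth_encode(v)) for k, v in params)
    return "&".join(f"{k}={v}" for k, v in encoded)


def signature_base_string(method: str, url: str, oauth_params: dict, body: str = "") -> str:
    """Collect query, form-body and oauth_* parameters (never the signature itself or realm)
    and join the three encoded parts with '&'. The body is only included because the
    example request is form-encoded; other content types are not part of the base string."""
    params = list(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    params += parse_qsl(body, keep_blank_values=True)
    params += [(k, v) for k, v in oauth_params.items() if k not in ("oauth_signature", "realm")]
    return "&".join([method.upper(), oauth_encode(base_string_uri(url)),
                     oauth_encode(normalize_params(params))])


def sign(method, url, oauth_params, client_secret, token_secret="", body="") -> str:
    """Return the oauth_signature value for the request."""
    key = f"{oauth_encode(client_secret)}&{oauth_encode(token_secret)}"
    sig_method = oauth_params["oauth_signature_method"]
    if sig_method == "PLAINTEXT":
        return key          # RFC 5849 3.4.4: the secrets themselves; only acceptable inside TLS
    if sig_method == "HMAC-SHA1":
        base = signature_base_string(method, url, oauth_params, body)
        digest = hmac.new(key.encode(), base.encode(), hashlib.sha1).digest()
        return base64.b64encode(digest).decode()
    raise ValueError(f"unsupported oauth_signature_method {sig_method!r}")


def verify(method, url, oauth_params, client_secret, token_secret="", body="") -> bool:
    """Server side: recompute the signature from the request as received and compare in constant time."""
    presented = oauth_params.get("oauth_signature", "")
    expected = sign(method, url, oauth_params, client_secret, token_secret, body)
    return hmac.compare_digest(expected, presented)


if __name__ == "__main__":
    print(signature_base_string("POST", RFC_URL, RFC_OAUTH_PARAMS, RFC_BODY))
    print("oauth_signature =", sign("POST", RFC_URL, RFC_OAUTH_PARAMS, CLIENT_SECRET, TOKEN_SECRET, RFC_BODY))
```

Running the block prints the base string exactly as RFC 5849 lists it for this request; the server-side verify() recomputes it from the request it actually received, so any change to the method, URL, a parameter or the body after signing makes the HMAC mismatch. Encoding is where real implementations disagree: quote() is told explicitly that only "-._~" are safe because Python's default also leaves "/" bare, which the RFC does not.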



OAUTH 2.0
Request signing was done away with. Security is delegated to the transport layer (SSL/TLS): the access token is a bearer token, so anyone who obtains it can use it, which is why it must only ever be sent over HTTPS and should never be logged or placed in URLs.
Proper roles were defined: Client (the application), Authorization Server, Resource Server (the API server) and Resource Owner (the user).
Introduction of refresh tokens, which let the client obtain a new short-lived access token without involving the user again.
It also provides greater flexibility and options through the various grant types (RFC 6749 defines authorization code, implicit, resource owner password credentials and client credentials).



How Does OAuth Work?

How OAuth works is best explained with an analogy: a visitor being admitted to a company's building. The right-hand column gives the matching OAuth step. The wording follows OAuth 1.0, where the client first obtains a request token; in OAuth 2.0 the first step is instead the client sending the user to the authorization server's authorization endpoint.



Step | Company visit process | OAuth authorization process
1 | Guest A (an external guest) tells the reception desk that he wants to meet Employee B (an employee) for a business purpose. | The client requests, and is issued, a request token.
2 | The reception desk notifies Employee B that Guest A has come to visit him. | The user is sent to the authorization service's login page.
3 | Employee B comes to the reception desk and identifies Guest A. | The user logs in; authentication at the authorization service is completed.
4 | Employee B records the business purpose and identity of Guest A at the reception desk. | The client's requested permissions (scope) are shown to the user, who accepts the request.
5 | The reception desk issues a visitor card for Guest A. | An access token is issued.
6 | Employee B and Guest A go to the specified room for the business. | The client accesses the user's resources by presenting the access token.

Like the visitor card, the access token is valid only for a limited time and only for the rooms (scope) it was issued for; the guest never learns Employee B's own badge (the user's password).
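The sequence in the table, carried out as an OAuth 2.0 authorization code grant followed by a refresh, as an added example that is not part of the original post. It exercises the roles, refresh tokens and grant types listed in the OAuth 2.0 section above: the client, authorization server and resource server are plain Python objects standing in for the HTTP endpoints of RFC 6749 sections 4.1 and 6, and the client_id, client secret, redirect_uri, scope name, user name and token lifetimes are values assumed for this example.

```python
"""OAuth 2.0 authorization code grant with refresh tokens, simulated in one process.
Added example, not code from the original post: the client, authorization server and
resource server are plain Python objects standing in for the HTTP endpoints of RFC 6749
sections 4.1 and 6; client_id, secret, redirect_uri, scope and lifetimes are assumed values."""
import hashlib
import secrets


class OAuthError(Exception):
    """Error code as in RFC 6749 section 5.2 (invalid_client, invalid_grant, ...)."""


def _h(token: str) -> str:
    # Keep only a hash of each token server-side: a copied database yields nothing usable.
    return hashlib.sha256(token.encode()).hexdigest()


class AuthorizationServer:
    def __init__(self, clients, code_ttl=60, access_ttl=3600):
        self.clients = clients            # client_id -> {"secret": ..., "redirect_uri": ...}
        self.codes, self.access, self.refresh = {}, {}, {}
        self.code_ttl, self.access_ttl = code_ttl, access_ttl

    def authorize(self, client_id, redirect_uri, scope, state, user, now):
        """Front channel: the resource owner has logged in and consented; send the browser
        back to the client's registered redirect_uri with a short-lived, single-use code."""
        client = self.clients.get(client_id)
        if client is None or redirect_uri != client["redirect_uri"]:
            raise OAuthError("invalid_request")       # never redirect to an unregistered URI
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                            "scope": scope, "user": user, "expires": now + self.code_ttl}
        return {"code": code, "state": state}         # state echoed back for the client's CSRF check

    def token(self, grant_type, client_id, client_secret, now, **p):
        """Back channel: the client authenticates, then trades a code or a refresh token for tokens."""
        client = self.clients.get(client_id)
        if client is None or not secrets.compare_digest(client["secret"], client_secret):
            raise OAuthError("invalid_client")
        if grant_type == "authorization_code":
            rec = self.codes.pop(p.get("code"), None)           # pop: a code is redeemed once
            if (rec is None or rec["expires"] < now or rec["client_id"] != client_id
                    or rec["redirect_uri"] != p.get("redirect_uri")):
                raise OAuthError("invalid_grant")
        elif grant_type == "refresh_token":
            rec = self.refresh.pop(_h(p.get("refresh_token", "")), None)   # rotated on every use
            if rec is None or rec["client_id"] != client_id:
                raise OAuthError("invalid_grant")
        else:
            raise OAuthError("unsupported_grant_type")
        access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        grant = {"client_id": rec["client_id"], "scope": rec["scope"], "user": rec["user"]}
        self.access[_h(access)] = {**grant, "expires": now + self.access_ttl}
        self.refresh[_h(refresh)] = grant
        return {"access_token": access, "token_type": "Bearer", "expires_in": self.access_ttl,
                "refresh_token": refresh, "scope": rec["scope"]}

    def introspect(self, access_token, now):
        rec = self.access.get(_h(access_token))
        return None if rec is None or rec["expires"] < now else rec


def get_profile(auth_server, authorization_header, now):
    """Resource server: accept only a live bearer token whose scope covers this endpoint."""
    scheme, _, token = authorization_header.partition(" ")
    rec = auth_server.introspect(token, now) if scheme == "Bearer" else None
    if rec is None:
        raise OAuthError("invalid_token")
    if "profile" not in rec["scope"].split():
        raise OAuthError("insufficient_scope")
    return {"user": rec["user"]}


def rejected(call) -> bool:
    try:
        call()
    except OAuthError:
        return True
    return False


def run_flow(now=1_700_000_000):
    """Drive one complete exchange; return what the client obtained and which misuse failed."""
    cid, csecret, cb = "app-123", "s3cr3t-shared-secret", "https://app.example/cb"
    auth = AuthorizationServer({cid: {"secret": csecret, "redirect_uri": cb}})
    state = secrets.token_urlsafe(16)                           # client-side anti-CSRF value
    redirect = auth.authorize(cid, cb, "profile", state, user="alice", now=now)   # user logs in, consents
    if redirect["state"] != state:
        raise OAuthError("state mismatch: possible CSRF, abort")
    tok = auth.token("authorization_code", cid, csecret, now, code=redirect["code"], redirect_uri=cb)
    profile = get_profile(auth, f"Bearer {tok['access_token']}", now)
    later = now + tok["expires_in"] + 1                         # the access token has expired
    new_tok = auth.token("refresh_token", cid, csecret, later, refresh_token=tok["refresh_token"])
    return {
        "profile": profile,
        "refreshed": get_profile(auth, f"Bearer {new_tok['access_token']}", later),
        "expired_rejected": rejected(lambda: get_profile(auth, f"Bearer {tok['access_token']}", later)),
        "code_replay_rejected": rejected(lambda: auth.token(
            "authorization_code", cid, csecret, now, code=redirect["code"], redirect_uri=cb)),
        "refresh_replay_rejected": rejected(lambda: auth.token(
            "refresh_token", cid, csecret, later, refresh_token=tok["refresh_token"])),
        "wrong_secret_rejected": rejected(lambda: auth.token(
            "refresh_token", cid, "guess", later, refresh_token=new_tok["refresh_token"])),
    }
```

In a real deployment the authorize() step runs through the user's browser as HTTP redirects and token() is a server-to-server POST over TLS; the in-process objects keep the checks that matter visible and runnable offline: the redirect_uri must match the registered one, the client compares the echoed state, a code is single-use and short-lived, the refresh token is rotated on every use, an expired access token is refused, and the resource server enforces scope. A public client that cannot keep a client secret (a mobile or single-page app) should add PKCE (RFC 7636) on top of this exchange.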


OAuth provides a very useful system for delegated authorization, which is why it is used by many Internet companies, including Facebook, Foursquare, Google, Microsoft (Hotmail, Messenger, Xbox), LinkedIn, Daum (Tistory), NHN (Open API), Daum (Yozm, Open API), MySpace, Dropbox, Twitter, Vimeo and Yahoo!.