OAuth, or open-standard authentication, is a framework or protocol that allows client-operated applications secure access to other servers and services. With OAuth, this third-party access is safely controlled in order to protect passwords and login credentials.
As you interact with websites or web-based applications, like your social media accounts, third parties may ask for permission to access your protected information. If you grant them permission, OAuth can protect your private information if the third party experiences a breach or other emergency situation.
Have you ever seen a pop-up asking for permission to post on your social media feed, access your smart devices, or share files across different platforms? If you answered yes, you’ve most likely used this framework without even asking “What is OAuth?” Keep reading to learn how OAuth works, if it’s safe and other helpful information.
How Does OAuth Work?
After you have given a third party access to your account, there is a six-step OAuth process that automatically begins. There are three groups involved in this process, known as OAuth flow: the user, the third party referred to as the application and the service provider.
In most cases, the user is the original owner of the profile in question, the application is who wants access to the profile and the service provider is where the profile in question resides.
Steps in OAuth Flow:
- Reveal Intent: The user reveals that they want to give permission to an application to access protected servers or services. This intent is most often revealed during interactions with social media apps or file sharing across systems.
- Ask for Service Provider Permission: The application requests permission from the service provider for authorization. If it is granted, the service provider will grant the application a request token and share a randomly generated password known as a secret with the user. The user will sign each authentication request with the secret so the service provider can verify they are truly making the request.
- Be Redirected: The application gives the user the request token. They are then redirected to the service provider to provide application authorization.
- Ask for User Permission: The user authorizes the request token. When authorized, the application returns to the service provider without pharming for passwords or usernames. The service provider will ask the user what permissions to grant and approve the request token.
- Gain Access Token: The application exchanges its request token for an access token and secret from the service provider.
- Access User Profile: Every time the application accesses the user’s servers or services, it must present its access token and secret to the service provider.
Instead of divulging password information to third-party users, OAuth uses tokens to authorize a user’s identity, their connection to an account and their service providers. An OAuth token is safer than sharing password information and is also protected by a secret known only by the user, application and service provider.
OAuth Examples
Third-party applications have started to use OAuth to access user profiles, post to accounts and log in to websites and mobile applications more frequently. Here are a few examples of how OAuth can be used with social media apps, smart home devices and the cloud to share files. While these aren’t the only places where OAuth can be used, they are some of the most common spaces where OAuth is used.
Social Media Apps
A social media app houses a user’s profile, timeline and login information, making them the service provider. In order for an outside application to read any part of a user’s information, it must ask the service provider for an OAuth token and secret before gaining access to a user’s protected information. After the user authenticates and authorizes the application’s access, OAuth continues running in the background of the program to block the application from accessing credentials the user did not give it access to.
For instance, if you, the user, want an application like ESPN to post score updates to your Facebook profile, it needs to ask the service provider for access. Since Facebook is the service provider, it will need to grant ESPN request tokens and access tokens before your page can become a rolling scorecard of the season’s games.
Smart Home Devices
OAuth is needed to authenticate and authorize secure access to user profiles on smart home devices. For example, the Nest Learning Thermostat is a service provider that can allow other applications access to the user’s preferred temperatures and home settings. Some third-party applications, like FTL Lights, may want access to this information from Nest to turn your lights on or off, or alert you if your security camera notices unusual movement.
If an application wanted access to this information, it would need to receive a request token and secret from Nest, request authentication from the user and then trade the request token for an access token before ever accessing or changing the home’s environment.
Cloud File Sharing
Sharing cloud-stored files across systems can be difficult without OAuth. For example, simply sharing your wedding album with your parents can be a pain if you use Google Drive and they use Microsoft OneDrive. Normally, your parents would need a second username and password to access any attached email files you send them, but OAuth allows you to safely, securely and quickly share files from one user to another, no matter what system their email is connected to.
Even though many cloud users’ content is protected by encryption, OAuth is a helpful additional protection framework when data sharing. However, for the cloud to connect to a separate system, both must support the same OAuth version and framework.
OAuth 1.0 vs. OAuth 2.0
While OAuth is a standard authentication framework, there have been different versions of its protocols. OAuth 1.0 is the original open-standard authentication framework, while OAuth 2.0 is the newer, more mainstream version. Because OAuth 2.0 was expected to replace older versions of the framework, 1.0 and 2.0 are incompatible. However, websites can support both versions of OAuth, even though there are major differences between the two.
| OAuth 1.0 | OAuth 2.0 |
|---|---|
| More secure than OAuth 2.0 | Supported by more sites and devices |
| No OAuth token expiration | Less secure than OAuth 1.0 |
| Less complex than OAuth 2.0 | Request tokens are short-lived while refresh tokens last longer |
| Uses cryptographic requirements for the transmission of tokens and secrets | Does not support encryption, signatures or channel binding |
| Only supports three flows that don’t cover non-browser or mobile device applications | User needs a secondary protection protocol like Transport Layer Security (TLS) |
| Secret signatures are simpler |
OAuth 2.0 is the more widely accepted version of the framework, and many high-level websites and experts encourage users to make this their standard authentication protocol.
SAML vs. OAuth
Security Assertion Markup Language (SAML) is often compared to OAuth. The former can be referred to as OAuth’s “older sibling” because of the similarities between the two programs. Because SAML uses XML and cookies to give users access to web maps while both authenticating and authorizing credentials, it eventually became too outdated for high-tech mobile, web and gaming applications.
While these two protocols share some similarities, there are a variety of important differences between them.
Differences Between OAuth and SAML
| OAuth | SAML | |
|---|---|---|
| Definition | Open-standard authentication framework for users and applications | Open standard that passes authorization credentials to service providers |
| Format | JSON | XML |
| User Experience | Uses API calls to provide a simple mobile experience | Uses session cookies for enterprise security |
| Best Used For | Mobile apps, modern web apps, game consoles and Internet of Things (IoT) devices | Single sign-on applications |
Is OAuth Safe?
There is yet to be a perfectly safe solution to keeping passwords and credentials secure when providing third parties with authenticated access. However, using OAuth can substantially increase security during the authentication and authorization processes. Plus, combining OAuths with Transport Layer Security (TLS) or Secure Sockets Layer (SSL) can further increase the safety of credential authentication.
After answering “What is OAuth?” you may be wondering how to avoid being hacked or losing your login credentials. Without proper authentication and authorization practices, it’s easier for outside forces to hack accounts using man-in-the-middle attacks and other credential-stealing attacks.
Being proactive and understanding your security environment is the best way to avoid credential-stealing attacks. Secure your network and internet access by investing in a VPN with Panda Security, and practice password security by using our password manager.
Panda Security specializes in the development of endpoint security products and is part of the WatchGuard portfolio of IT security solutions. Initially focused on the development of antivirus software, the company has since expanded its line of business to advanced cyber-security services with technology for preventing cyber-crime.
