INTRODUCTION TO OAUTH
OAuth is an open standard maintained by the Internet Engineering Task Force (IETF). It is designed to let an application access a service on behalf of a user or another application, using ordinary web requests.
Some might ask, “Why not just give the caller my username and password?” This unfortunately poses some issues that OAuth avoids:
- The app can do everything and anything your account can do. This means that if the calling code had your username and password it could, for example, change your password or do things that you would rather it didn’t have access to. Because the app has your username and password it is as if you are making the calls and the service has no idea who the real caller is.
- To the service, all calls look the same whether it is you or the calling app making the calls. This means keeping an audit trail is almost pointless because there is no way to tell who the caller really was if the same username is being used each time. Additionally, if you give your username and password to multiple services and one of them deletes information, you have no way to know which one it was. Obviously, this could cause some problems if you are not careful.
- You can’t revoke access to a particular service without changing your password. This means that you would need to update your password on all those services that you want to continue working. If a few services are involved this task can be error-prone and cumbersome.
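The three problems above, as an added example that is not part of the original text: a small Python model (the user, client names and scopes are assumed for illustration) in which an authorization server issues per-client, per-scope tokens and the resource service checks scope, records which client called, and honours per-client revocation without touching the user's password.

```python
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Token:
    client_id: str    # which application holds this token
    user: str         # on whose behalf it acts
    scopes: frozenset  # what it is allowed to do


class AuthorizationServer:
    """Issues and revokes scoped tokens (simplified model, not a full OAuth flow)."""

    def __init__(self):
        self._tokens = {}  # token string -> Token

    def issue(self, user, client_id, scopes):
        tok = secrets.token_urlsafe(16)  # opaque, unrelated to the password
        self._tokens[tok] = Token(client_id, user, frozenset(scopes))
        return tok

    def revoke_client(self, user, client_id):
        # Revoke only this client's tokens; other clients and the password are untouched.
        self._tokens = {k: v for k, v in self._tokens.items()
                        if not (v.user == user and v.client_id == client_id)}

    def introspect(self, tok):
        return self._tokens.get(tok)


class ResourceServer:
    """Performs actions only within a token's scope and logs the real caller."""

    def __init__(self, auth):
        self.auth, self.audit = auth, []

    def call(self, tok, action):
        info = self.auth.introspect(tok)
        if info is None:  # revoked or never issued
            self.audit.append(("unknown", action, "denied: invalid token"))
            return False
        if action not in info.scopes:  # e.g. a read-only app trying to delete
            self.audit.append((info.client_id, action, "denied: out of scope"))
            return False
        self.audit.append((info.client_id, action, "allowed"))  # audit names the client
        return True


def demo():
    auth, rs = AuthorizationServer(), None
    rs = ResourceServer(auth)
    printer = auth.issue("alice", "photo-printer", ["photos:read"])       # constructed
    backup = auth.issue("alice", "backup-tool", ["photos:read", "photos:delete"])
    results = {"printer_read": rs.call(printer, "photos:read"),
               "printer_delete": rs.call(printer, "photos:delete"),
               "printer_change_password": rs.call(printer, "account:change_password"),
               "backup_delete": rs.call(backup, "photos:delete")}
    auth.revoke_client("alice", "photo-printer")
    results["printer_after_revoke"] = rs.call(printer, "photos:read")
    results["backup_after_revoke"] = rs.call(backup, "photos:read")
    return results, rs.audit
```

The audit list shows that the delete was performed by `backup-tool`, not by "alice" in general, which is exactly what a shared password cannot tell you.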
Here is a simple analogy to help explain this concept. ...