Understanding OAuth
OAuth (Open Authorization) is an authorization standard used by Facebook to authorize applications to access its platform. OAuth works by sending users through a Facebook-hosted login process, in which they authorize your application to access specific bits of information about them. In return, Facebook returns a token back to your application for further requests on Facebook Platform.
OAuth is intended to be a much more secure way of accessing an API on behalf of a user. You don't have to store passwords in your database this way, mitigating any risk of attack from a hacker down the road.
Saving yourself from security woes
OAuth and open standards like it can save you from security breaches. Take Gawker, for example. In 2010, this Web media company, which owns such popular Web sites as Gizmodo.com and Valleywag.com, fell victim to a series of security crackers (people who break into computers maliciously) who cracked the passwords on their servers and exposed the usernames, e-mail, and passwords of all the commenters on their blogs. Tens of thousands of passwords were exposed, many that were also the same passwords used on other sites. Afterward, a worm spread on Twitter as a result of hackers taking these passwords and abusing them.
Gawker got caught by surprise (see Figure 9-1). The company was forcing its users to trust it, storing usernames and passwords in its own database, when it could have been relying on third-party services that use OAuth to access ...
Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.
Read now
Unlock full access