Before we discuss the newest OAuth standard, OAuth 2, we must do our due diligence and cover the version of the standard used by many of the top Internet-based companies (e.g., Yahoo!, Google): OAuth 1.0a.
The OAuth 1.0a standard was developed to give providers a way to implement a user authorization model, in which a user authorizes an application to access privileged information on her behalf from her profile and friends.
OAuth offers some major improvements over traditional models such as basic auth, including:
Instead of having to send the user’s username and password to the provider with every authentication request, you are working with abstract access tokens that do not share any of the user’s passwords.
Since tokens are issued from a provider site, they can be revoked at any time, putting more control into the user’s hands. Several providers also implement a token expiration mechanism that requires an application to periodically renew the access token to continue making requests for user data.
Users can see the tokens that they have active (i.e., which applications can access their data) on the provider site, meaning they can manually revoke access to an application. Since the application does not have a user’s login credentials, it cannot make further requests for her data once she has revoked authorization.
Now that we’ve covered its benefits, let’s continue our exploration of OAuth 1.0a by looking at how the token exchange process works for a user, an ...