OAuth 2.0 (Open Authorisation)
What is OAuth?
OAuth 2 is a delegated authorization framework that enables applications to obtain limited access to user accounts on an HTTP service. Many applications have a critical need to provide secure access to resources to third-party applications or to various parties outside their organization. Delegation frameworks provide this ability. In other words, OAuth allows you to delegate certain aspects of your account to another party. For example, you may delegate that a new website will be able to tweet on your behalf, without that website being allowed to administer your account (change your email, profile, password, etc.) in any way.
For example:
You can think of OAuth like the valet key of your car. When you purchase a new car, you often get two keys: the owner key and the valet key. The owner key can do everything: open all the doors, open the trunk, and start the car. The valet key, however, can only open the driver's door and start the car.
If Twitter is like your car, then your credentials to log into Twitter directly are the owner key. But when you use OAuth to delegate limited access to your Twitter account (for example, to allow another website to tweet on your behalf but not access any other account features), that delegation is like the valet key.
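The valet-key idea as a resource server would enforce it, in an added example that is not part of the original post. The scope names, token strings and function names are assumptions made for illustration; the status and error codes follow the bearer token usage spec (RFC 6750).

```python
import time
from dataclasses import dataclass

@dataclass(frozen=True)
class AccessToken:
    subject: str        # account owner who approved the delegation
    client_id: str      # third-party application holding the token
    scopes: frozenset   # exactly what the owner delegated
    expires_at: float   # epoch seconds

# Hypothetical scope names: which scope each protected operation requires.
REQUIRED_SCOPE = {
    "post_tweet": "tweet:write",
    "change_email": "account:admin",
    "change_password": "account:admin",
}

# Constructed sample token store (opaque token string -> grant details).
_NOW = time.time()
TOKENS = {
    "tok-valet": AccessToken("alice", "new-website", frozenset({"tweet:write"}), _NOW + 3600),
    "tok-stale": AccessToken("alice", "new-website", frozenset({"tweet:write"}), _NOW - 1),
}

def authorize(authorization_header, operation, now=None):
    """Return (http_status, error_code) for a request; error_code is None on success."""
    now = time.time() if now is None else now
    scheme, _, value = (authorization_header or "").partition(" ")
    if scheme.lower() != "bearer" or not value:
        return 401, None                      # no credentials presented
    token = TOKENS.get(value)
    if token is None or token.expires_at <= now:
        return 401, "invalid_token"           # unknown or expired token
    required = REQUIRED_SCOPE.get(operation)
    if required is None or required not in token.scopes:
        return 403, "insufficient_scope"      # valid token, but not delegated (default deny)
    return 200, None

if __name__ == "__main__":
    for op in ("post_tweet", "change_email"):
        print(op, authorize("Bearer tok-valet", op))
```

The website's token never contains the user's password, and an operation with no scope mapping is refused rather than allowed.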
OAuth 2.0
OAuth delegates at several levels related to authorisation and authentication, which is why it's often mistakenly called an authorisation or authentication protocol. And of course, OAuth can be misused for other purposes.
"OAuth is an authentication protocol that allows users to approve applications to act on their behalf without sharing their password."
History of OAuth
In December 2007, the OAuth 1.0 core final draft was published. OAuth 1.0 addressed delegation with a framework based on digital signatures. It was secure and it was strong. Major players began to adopt OAuth 1. Google began OAuth 1.0 support in 2008. By 2010, Twitter forced all third-party apps to use its OAuth 1.0 implementation. While secure, OAuth 1.0 was a challenge for many developers to implement due to its complexity.
Then came OAuth 2.0 in October 2012. OAuth 2.0 is much easier to implement than OAuth 1.0. In 2013, the OAuth 2.0 threat model was published to address the many security issues of an OAuth 2.0 implementation.