OAuth is a protocol that enables secure and controlled access to a user’s resources on one website or application by another website or application, without the need to share the user’s credentials (e.g. username and password). The protocol is typically used to enable Single Sign-On (SSO), allowing users to log in to multiple services using their credentials from a single provider.
The original OAuth protocol (often referred to as OAuth 1.0) involved a complex process where the requesting application would obtain a temporary token and secret key from the user, which it would then exchange for an access token from the service provider. This access token could be used to access the user’s resources on the service provider’s platform. While OAuth 1.0 provided a level of security, it was relatively complicated to implement and had some limitations.
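The mechanism that let OAuth 1.0 avoid sending a password is request signing: the application holds a consumer secret and (after the exchange) a token secret, and each request carries an HMAC-SHA1 signature over its parameters rather than the secrets themselves. The following is an added example, not code from the article, implementing that signing per RFC 5849 together with the provider-side check; the consumer key, secrets and URLs used in it are constructed placeholders.

```python
import base64, hashlib, hmac, secrets, time
from urllib.parse import quote


def pct(s):
    # RFC 5849 3.6: unreserved characters stay literal, everything else is %XX.
    return quote(str(s), safe="-._~")


def signature_base_string(method, base_url, params):
    # params is a list of (name, value) pairs; names may repeat. Encode each
    # pair, sort by name then value, join, then encode the whole string again.
    encoded = sorted((pct(k), pct(v)) for k, v in params)
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct(base_url), pct(normalized)])


def hmac_sha1(method, base_url, params, consumer_secret, token_secret=""):
    # Key is "consumer_secret&token_secret"; the token half is empty while the
    # client is still asking for temporary credentials (the "request token").
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    base = signature_base_string(method, base_url, params).encode()
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode()


def sign_request(method, base_url, params, consumer_key, consumer_secret,
                 token="", token_secret=""):
    # Client side: add the oauth_* protocol parameters, then sign everything.
    oauth = [("oauth_consumer_key", consumer_key),
             ("oauth_signature_method", "HMAC-SHA1"),
             ("oauth_timestamp", str(int(time.time()))),
             ("oauth_nonce", secrets.token_hex(8))]
    if token:
        oauth.append(("oauth_token", token))
    signed = list(params) + oauth
    signed.append(("oauth_signature",
                   hmac_sha1(method, base_url, signed, consumer_secret, token_secret)))
    return signed


def verify_request(method, base_url, signed, consumer_secrets, token_secrets):
    # Provider side: look the secrets up by key, recompute the signature over
    # every parameter except the signature itself, compare in constant time.
    # A real provider also rejects stale timestamps and reused nonces (not shown).
    p = dict(signed)
    token = p.get("oauth_token", "")
    consumer_secret = consumer_secrets.get(p.get("oauth_consumer_key"))
    token_secret = "" if not token else token_secrets.get(token)
    if consumer_secret is None or token_secret is None:
        return False
    unsigned = [(k, v) for k, v in signed if k != "oauth_signature"]
    expected = hmac_sha1(method, base_url, unsigned, consumer_secret, token_secret)
    return hmac.compare_digest(expected.encode(), p.get("oauth_signature", "").encode())
```

Because the signature covers every parameter, a captured request cannot be altered and replayed with a different resource or action, and a stolen request reveals neither secret.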
Before OAuth, users would access a third-party application by just providing a password and allowing the application to act on their behalf. Twitter apps, for example, would ask for your password to give you statistics on your activity and account. This was very problematic for a number of reasons:
- Password safety: These applications would often store your password without even encrypting it, which made it easy for attackers to steal passwords once they got into a system.
- Revoking permissions: Another big issue was that the only way for users to revoke an application's access was to change their password, which is inconvenient and far from ideal for most users.
Among the several authentication schemes that emerged after this old model was abandoned were:
- Flickr’s API (also called “FlickrAuth”), which used “frobs” and “tokens”.
- AuthSub by Google.
- BBAuth (Browser-Based Auth) by Yahoo!
However, the problem with these solutions was that they were not interoperable and could not work with each other. That’s why, in 2007, a group of researchers including Blaine Cook, Kellan Elliott-McCrea, Larry Halff, Tara Hunt, Ian McKellar, and Chris Messina finally created an open standard for API access control that could be used by any system. Shortly after, with the contribution of Google and AOL, the OAuth spec was published, ending the era of insecure password-based authentication.