OAuth Web Security

OAuth. It's a word that has gained a lot of publicity in the past eight or nine years, but what is it? If you've ever logged into a website, ahem Stitchz, with your Facebook or Twitter account, then you've used it. In one simple sentence: OAuth is a safe way to let a website act on your behalf at another service (Facebook, Twitter) without ever giving that website your password. Strictly speaking, OAuth authorizes access rather than proving who you are; "log in with Facebook" builds a login on top of it by letting the website ask Facebook who you are once it has been authorized.

Suppose a website, somefantasticsite.com, has some really good content that you want to read. To read it you must log in, but you already have dozens of username/password combinations for other websites. So somefantasticsite.com offers visitors the choice to log in with their Facebook or Twitter account. Say you choose Facebook: the website redirects you to facebook.com, where Facebook asks for your username and password. Those credentials are verified by Facebook and are never shared with the website you're trying to reach. On successful authentication, Facebook redirects you back to the originating website with a one-time authorization code. In the background, the website sends that code, together with its own client secret, back to Facebook over a direct server-to-server connection and receives a short-lived access token in return. The website then uses the access token to ask Facebook's API who you are. Because only Facebook could have issued the code and the token, the website can be highly confident that you are who you say you are and grant you access to the secured content.
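The exchange described above, as an added example that is not part of the original post and not Facebook's or Stitchz's code: a small in-process simulation of the authorization-code flow with both sides present. The `AuthorizationServer` stands in for Facebook, the `RelyingParty` stands in for somefantasticsite.com, and the user, password, client id, client secret and callback URL are all constructed for the example. It also shows two checks a real implementation makes that the narrative glosses over: the authorization code is single use, and the site only accepts a callback that carries the `state` value it generated for that login.

```python
"""Simulated OAuth 2.0 authorization-code login, end to end (example, not real Facebook)."""
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


class AuthorizationServer:
    """Stand-in for Facebook: the only party that ever sees the user's password."""

    def __init__(self):
        # Constructed test data: one user, one registered client (hypothetical names).
        self.users = {"alice": hashlib.sha256(b"correct horse battery").hexdigest()}
        self.clients = {"somefantasticsite": ("client-s3cret", "https://somefantasticsite.com/callback")}
        self.codes = {}    # one-time authorization code -> (user, client_id, redirect_uri)
        self.tokens = {}   # access token -> user

    def authorize(self, client_id, redirect_uri, state, username, password):
        """Front channel: the user types credentials here, not at the client site."""
        _, registered_uri = self.clients[client_id]
        if redirect_uri != registered_uri:
            raise ValueError("redirect_uri is not registered for this client")
        stored = self.users.get(username)
        presented = hashlib.sha256(password.encode()).hexdigest()
        if stored is None or not hmac.compare_digest(stored, presented):
            raise PermissionError("bad credentials")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (username, client_id, redirect_uri)
        # Redirect back to the client with the one-time code and the client's own state value
        return redirect_uri + "?" + urlencode({"code": code, "state": state})

    def token(self, client_id, client_secret, code, redirect_uri):
        """Back channel: the client proves itself with its secret and trades the code for a token."""
        secret, _ = self.clients[client_id]
        if not hmac.compare_digest(secret, client_secret):
            raise PermissionError("bad client secret")
        entry = self.codes.pop(code, None)  # pop() makes the code single use
        if entry is None or entry[1:] != (client_id, redirect_uri):
            raise PermissionError("invalid, mismatched or already used code")
        token = secrets.token_urlsafe(24)
        self.tokens[token] = entry[0]
        return token

    def userinfo(self, token):
        """Resource call the client makes with the access token to learn who logged in."""
        return self.tokens[token]


class RelyingParty:
    """Stand-in for somefantasticsite.com: holds a client secret, never a user password."""
    CLIENT_ID = "somefantasticsite"
    CLIENT_SECRET = "client-s3cret"
    REDIRECT_URI = "https://somefantasticsite.com/callback"

    def __init__(self, auth_server):
        self.auth_server = auth_server
        self.pending_states = set()  # per-session anti-CSRF values awaiting a callback

    def start_login(self):
        """Build the parameters the browser is redirected to the provider with."""
        state = secrets.token_urlsafe(16)
        self.pending_states.add(state)
        return {"client_id": self.CLIENT_ID, "redirect_uri": self.REDIRECT_URI, "state": state}

    def handle_callback(self, callback_url):
        """Accept the redirect back, verify state, exchange the code, ask who the user is."""
        params = parse_qs(urlparse(callback_url).query)
        state = params.get("state", [None])[0]
        if state not in self.pending_states:
            raise PermissionError("state mismatch: callback is not tied to a login we started")
        self.pending_states.discard(state)
        code = params["code"][0]
        token = self.auth_server.token(self.CLIENT_ID, self.CLIENT_SECRET, code, self.REDIRECT_URI)
        return self.auth_server.userinfo(token)


def login_with_facebook(username, password, tamper_state=False):
    """Run the whole flow; returns the identity the site ends up trusting."""
    server = AuthorizationServer()
    site = RelyingParty(server)
    req = site.start_login()
    callback = server.authorize(req["client_id"], req["redirect_uri"], req["state"], username, password)
    if tamper_state:  # simulate a callback the site did not initiate
        callback = callback.replace(req["state"], "forged-state")
    return site.handle_callback(callback)


def login_is_rejected(username, password, tamper_state=False):
    """True if the flow refuses to log the user in."""
    try:
        login_with_facebook(username, password, tamper_state)
    except PermissionError:
        return True
    return False


def code_is_single_use():
    """True if replaying a spent authorization code is refused by the server."""
    server = AuthorizationServer()
    site = RelyingParty(server)
    req = site.start_login()
    callback = server.authorize(req["client_id"], req["redirect_uri"], req["state"], "alice", "correct horse battery")
    site.handle_callback(callback)
    code = parse_qs(urlparse(callback).query)["code"][0]
    try:
        server.token(site.CLIENT_ID, site.CLIENT_SECRET, code, site.REDIRECT_URI)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    print(login_with_facebook("alice", "correct horse battery"))  # alice
    print(code_is_single_use())  # True
```

Note which secrets live where: the user's password hash exists only in `AuthorizationServer`, the client secret only in `RelyingParty` and the server's client registry, and the only thing that crosses the browser is the one-time code plus `state`. A real deployment replaces the in-process calls with an HTTPS redirect and an HTTPS POST to the provider's token endpoint, but the trust boundaries are the same.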

(Image: OAuth web access token)

The OAuth authorization scenario is very similar to using your photo ID or passport when boarding an airplane. The airline requires you to first authenticate with a trusted source, in this case the local government, and then upon inspection authorizes your entry into the airplane or terminal.

At this point you may be thinking, "that's great, but how is this more secure than a username/password?" The key step in the scenario above is that you type your password into facebook.com, so only Facebook ever processes it. The originating website receives a short-lived, limited access token rather than your credentials, which means that if that website is hacked, your Facebook password cannot be leaked from it. What can leak from a hacked website is the access token itself, which is why it is short lived, limited to what you approved, and revocable from your Facebook account settings.

(Image: website security with OAuth)

For example, let's say you visit a website you don't expect to return to, but it requires a login to view some information. You're faced with a decision: create yet another username/password combination, or log in with your social identity. Since you don't plan on returning, you log in with your social identity and avoid having to remember another website username and password.

There are some risks. Probably the most obvious is using unsecured websites, that is, sites that lack SSL/TLS encryption [1]. While OAuth is relatively safe when implemented correctly, an attacker on the network can sniff [2] unencrypted web traffic and capture the authorization code or token as it passes through your browser. To mitigate this risk, make sure the login page you're using starts with an "https" URL, and that the page it redirects you back to does as well.

Wrap Up

OAuth is a simple and safe way to authorize access to a third-party website without sharing your username and password with it. In place of your credentials, an authorization server (e.g. Facebook) issues the website a unique, short-lived token. A website that uses OAuth correctly can be highly confident that you are who you say you are, and you never have to hand your username and password to a website you don't trust.

References: