OAuth: Why and Conceptualization
OAuth is certainly a buzzword, and for good reason. It solves (and even better, outsources!) several verification issues. What isn’t talked about as fondly is its implementation. The first step remains the same however: conceptualization.
The very first thing a new application wants to know is “are you YOU?” and god willing, you are. The next issue is determining that in a way that does not alienate the client, pushing them to a different service. There have always been ways to identify, but OAuth attempts to marry the ideas of non-obtrusion and genuine authentication.
The first idea of OAuth is that you have already confirmed your identity somewhere, whether through a Google service, Facebook, Twitter, etc. Now that social media has become all but ubiquitous, any given user is more than likely to have credentials on one of these websites. The next step is finding out whether this given user has credentials without exposing said credentials.
OAuth directs a user to a portal, let's say Google, and lets them sign in there. This sign-in is in no way connected to your own app: your app knows nothing of the sign-in process. If the user signs in successfully, Google gives them a token. This token is then transferred to your app, which in turn presents it back to Google.
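The round trip just described, written out as a message exchange between both sides. This is an added example, not code from the original post, and it simulates the provider in-process rather than calling Google: the provider name, client id, secret and redirect URI are made-up values, and the provider's own login step is reduced to a "who signed in" parameter. It also shows two checks a real implementation carries that the paragraph leaves implicit: the app only accepts callbacks for logins it started (the random `state`), and the provider lets each code be redeemed once.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed mock provider standing in for Google's authorize and token endpoints.
# Nothing here touches the network; it models the messages only.


class Provider:
    """Mock identity provider (the 'Google' side of the exchange)."""

    def __init__(self):
        # Registered client; the redirect_uri is pinned at registration (assumed values).
        self.clients = {"app-123": {"secret": "s3cr3t",
                                    "redirect_uri": "https://app.example/callback"}}
        self.codes = {}    # single-use authorization code -> (client_id, user)
        self.tokens = {}   # access token -> user

    def authorize(self, params, signed_in_user):
        """Step 2: the user signs in at the provider; the app never sees the password.
        Returns the redirect URL the browser is sent back with, or None on refusal."""
        client = self.clients.get(params["client_id"])
        if client is None or client["redirect_uri"] != params["redirect_uri"]:
            return None            # unknown client or unregistered redirect: refuse
        if signed_in_user is None:
            return None            # login failed: no code is issued
        code = secrets.token_urlsafe(16)
        self.codes[code] = (params["client_id"], signed_in_user)
        return params["redirect_uri"] + "?" + urlencode({"code": code,
                                                         "state": params["state"]})

    def token(self, code, client_id, client_secret, redirect_uri):
        """Step 4: the app hands the code back, proving its own identity with the secret."""
        client = self.clients.get(client_id)
        entry = self.codes.pop(code, None)   # pop: a code can be redeemed only once
        if client is None or client["secret"] != client_secret:
            return None
        if entry is None or entry[0] != client_id or client["redirect_uri"] != redirect_uri:
            return None
        access_token = secrets.token_urlsafe(24)
        self.tokens[access_token] = entry[1]
        return access_token

    def userinfo(self, access_token):
        """Step 5: the provider says who the token belongs to."""
        return self.tokens.get(access_token)


class ClientApp:
    """Your application. It only ever holds a code, a token and the resulting identity."""

    def __init__(self, provider, client_id, client_secret, redirect_uri):
        self.provider = provider
        self.client_id = client_id
        self.client_secret = client_secret
        self.redirect_uri = redirect_uri
        self.pending_states = set()

    def build_authorize_url(self):
        """Step 1: send the user to the provider with a fresh random state."""
        state = secrets.token_urlsafe(16)
        self.pending_states.add(state)
        return "https://provider.example/authorize?" + urlencode({
            "response_type": "code", "client_id": self.client_id,
            "redirect_uri": self.redirect_uri, "state": state})

    def handle_callback(self, redirect_url):
        """Step 3: the browser returns with code+state; verify state, then redeem the code."""
        query = {k: v[0] for k, v in parse_qs(urlparse(redirect_url).query).items()}
        if query.get("state") not in self.pending_states:
            return None                 # not a login this app started: reject
        self.pending_states.discard(query["state"])
        token = self.provider.token(query.get("code"), self.client_id,
                                    self.client_secret, self.redirect_uri)
        if token is None:
            return None
        return self.provider.userinfo(token)


def make_pair():
    """Build a provider and an app registered with it (constructed values)."""
    provider = Provider()
    app = ClientApp(provider, "app-123", "s3cr3t", "https://app.example/callback")
    return provider, app


def run_login(provider, app, signed_in_user):
    """Drive one full round trip and return the identity the app ends up with."""
    auth_url = app.build_authorize_url()
    params = {k: v[0] for k, v in parse_qs(urlparse(auth_url).query).items()}
    redirect = provider.authorize(params, signed_in_user)
    if redirect is None:
        return None
    return app.handle_callback(redirect)


if __name__ == "__main__":
    provider, app = make_pair()
    print(run_login(provider, app, "alice@example"))   # alice@example
    print(run_login(provider, app, None))              # None: login failed, no token
```

The app never handles the user's password: it learns an identity only after the provider has accepted the code and the client secret together, which is the "transfer back to Google" step the paragraph describes.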
Why all this transferring? Basically you are asking your user to go, personally, grab a key to their own personal kingdom. It relies on these trust relationships: