Token-Based Authentication with OAuth

OAuth

Another commonly used form of token-based authentication, OAuth is an open-standard protocol that gives one application access to another. When you log in to a SaaS application via Facebook or Google, the OAuth protocol is used to tell Facebook or Google that it should grant the app access to some of your data.

How it works

An OAuth transaction requires three components:

  • the user
  • the consumer
  • the provider

The user is an identifier of the person or organization requesting authentication.

My name is Chance and I’d like to sign into Blurggl with data from my Google account.

The consumer is the app that requires data from another service. The consumer can specify what data it needs, and whether or not certain bits of data are optional.

Blurggl here! Let me go ask Google for permission to use that data!

The provider is the app granting permissions.

Google here! Let me check to see if Chance allowed you to do that. If not, I might ask him real quick and get back to you.

If the provider grants access, data is exchanged and the user is redirected back to the consumer, now validated to use the app.

Why you should use it

OAuth is useful because users don’t need to create another password to access your service, and it’s as secure as the provider’s auth service. You don’t need to pass credentials back and forth, which reduces the risk that your data is compromised. OAuth is easy for the developer and the user.

Why you shouldn’t use it

The biggest risk with OAuth is that it makes phishing scams easier. Imagine one of your users gets an email:

To: chance@fronttoback.dev
From: joe@blurggl-admin-real.co

Hello Chance,
Joe from Blurggl here! We need you to update some of your data so we can send you 5 million dollars. Log into your account here and we’ll get the check sent out ASAP.

Your very real pal,
Joe from Blurggl

A less sophisticated user might think this email is legit, and fake Joe might then set up their own OAuth service that grants fake Blurggl access to all sorts of sensitive data. Sadly, Chance never gets 5 million dollars but does get a big mess to clean up.

Another risk is that your app asks for data it doesn’t really need. Now you’re on the hook for handling potentially sensitive user data. This is a huge problem if a breach does occur.
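
The consumer's side of the exchange described under "How it works", combined with the scope discipline the paragraph above calls for, as an added example that is not part of the original article. It assumes the OAuth 2.0 authorization code flow; the endpoint, client ID, redirect URI, scope names and the `session` dictionary are hypothetical placeholders.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical values for illustration; a real provider documents its own.
AUTHORIZE_URL = "https://provider.example/oauth/authorize"
CLIENT_ID = "blurggl-client-id"
REDIRECT_URI = "https://blurggl.example/oauth/callback"
REQUIRED_SCOPES = {"email"}    # the consumer cannot work without these
OPTIONAL_SCOPES = {"profile"}  # nice to have; the user may decline


def build_authorization_request(session):
    """Consumer: send the user to the provider, asking only for declared scopes."""
    state = secrets.token_urlsafe(32)  # unguessable, bound to this session
    session["oauth_state"] = state
    query = urlencode({
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(sorted(REQUIRED_SCOPES | OPTIONAL_SCOPES)),
        "state": state,
    })
    return f"{AUTHORIZE_URL}?{query}"


def handle_callback(session, callback_url, granted_scope):
    """Consumer: validate the provider's redirect before trusting anything in it.

    granted_scope stands in for the scope string the provider reports with the
    token; it is passed in directly (an assumption) so the example runs offline.
    """
    params = {k: v[0] for k, v in parse_qs(urlparse(callback_url).query).items()}
    expected = session.pop("oauth_state", None)  # single use
    returned = params.get("state", "")
    if expected is None or not hmac.compare_digest(expected.encode(), returned.encode()):
        return ("rejected", "state mismatch")
    if "error" in params:  # for example, the user declined consent
        return ("rejected", params["error"])
    if "code" not in params:
        return ("rejected", "missing code")
    granted = set(granted_scope.split())
    if not REQUIRED_SCOPES <= granted:
        return ("rejected", "required scope not granted")
    if granted - REQUIRED_SCOPES - OPTIONAL_SCOPES:
        return ("rejected", "unrequested scope granted")
    return ("accepted", params["code"])
```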