OAuth: Open standard authorization protocol - mwilkin-401-advanced-javascript/bend-javascript-401d2 GitHub Wiki
OAuth is an open-standard authorization protocol that gives applications secure, delegated access to resources. OAuth doesn't share password data; instead it uses authorization tokens to prove an identity between consumers and service providers. Essentially, it is an authorization protocol that lets you approve one application interacting with another on your behalf without giving away your password.
OAuth uses JSON to pass messages and provides a simple mobile experience because it relies extensively on API calls.
Importantly, OAuth is about authorization (asking for permission to do things), not authentication (proving you are the correct person because you know things). In addition, OAuth allows for granular, configurable permission levels (scopes).
There are three main entities or roles in an OAuth transaction: the third-party application or client, the API or resource server, and the authorization server. The client is the application trying to get access to the user's account. The resource server is the API server used to access the user's information. The authorization server presents the interface where the user approves or denies the request. The user, or resource owner, is the person who is granting access to some portion of their account.
Essentially there are 7 exchanges between the client, the service and the API server to establish authorization:
1. The application sends the user to log in and consent [front-end].
2. An authorization code is returned via the redirect URL from, for example, the Google API to our server.
3. A request back to the Google API asking for an access token.
4. A response back to our server delivering a token from the Google API.
5. A request back to the Google API from our server using the access token on a specific Google API.
6. A response back to our server from the specific Google API.
7. A response to the user with the token.
Third-party authorization reduces an application's data security responsibility and risk by passing them to companies that are well structured and provisioned to handle them.