Security in web applications always seems to be an addition that the engineers will “get to later”. Sure, they all have a secure login and password, but something like OpenID or a way to integrate with third-party applications definitely comes in the later stages. This was evident with the popular microblogging site Twitter. However, we finally have news that Twitter is going to be implementing OAuth. For Twitter users this is important because you will no longer need to give your password to any third-party site. OAuth adds a level of protection for users, so that we are less likely to see third parties abusing your Twitter account.
If you are unfamiliar with OAuth or OpenID, I recommend that you read an introduction I wrote at Mashable. To summarize the introduction, OpenID is a way to use a single digital identity across the internet. Obviously, this is dependent upon the number of sites implementing OpenID for login. Currently, the list of sites supporting OpenID is not as long as it should be, but it is growing. OAuth is a separate specification; it covers authentication (login and password information) as well as authorization (read or write permissions). This is immensely important when dealing with third-party application integration. Of course, this raises the question: how does one application integrate with another using OAuth? I will try to explain the process using the Google Data APIs as an example. The general process of using OAuth is as follows:
- Acquire an OAuth token – this requires more explanation than a simple one-line description.
- Use the OAuth token – in the case of the Google Data APIs, this means adding an Authorization header to each request that looks like:

```http
Authorization: OAuth oauth_version="1.0", oauth_nonce="7ce53bbd7648b41bcb4c620ab1f7be68", oauth_timestamp="1234567890", oauth_consumer_key="domain.com", oauth_token="2Z1EbtgeA75nKySgwKgv4Irxq", oauth_signature_method="RSA-SHA1", oauth_signature="JeTm31Rdsdod3lWQ0yLkfYJNiRlKyjj%3C..."
```

- Access the authenticated method on the server – this is a site-specific HTTP call with a set of required query parameters. For Google, more information can be found in the Account Authentication API.
For those of you who are not developers, there is a good visual introduction at Hueniverse. I will not get into Google’s account authentication, as it is something that will need to be researched for each site that you wish to integrate. Acquiring an OAuth token (step 1 above) is also an interesting process that is generally similar across various applications. Typically, your website will need to “register” with the application that you want to integrate with. For some applications this registration is a simple form that immediately issues a registration key; others require some sort of application review before providing the key. The rest of the process typically uses HTTPS requests to pass data between the two applications.
- The registered application makes a “token request” to the target application. The request will probably have site-specific query parameters depending on the complexity of the application.
- The registered application sends the user to an authorization endpoint on the target application. There the user may be required to log in to the target application.
- The target application authorizes the request token and returns the user to the registered application at a location specified in the authorization request in the previous step.
- The registered application then requests an access token from the target application, based on the authorization previously acquired.
- If the request is verified, an access token is granted.
- The registered application then uses the access token for all requests to the target application.
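The following is an added example, not code from the original post and not Google's or Twitter's implementation. It covers both the Authorization header shown in step 2 above and the request-token / authorize / access-token exchange just listed. It builds the OAuth 1.0 signature base string the way RFC 5849 section 3.4.1 specifies and signs it with HMAC-SHA1 (the other OAuth 1.0 signature method; Google's header above uses RSA-SHA1, which would need a key pair). The `Provider` class, the `provider.example` and `consumer.example` URLs, and every key and secret are constructed for the demonstration; a real target application would return the tokens in HTTP response bodies rather than as Python tuples.

```python
# Added example, not code from the original post: OAuth 1.0 request signing
# (RFC 5849, HMAC-SHA1) plus an in-process simulation of the request-token,
# authorize and access-token steps. Keys, secrets and URLs are constructed.
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote, urlsplit

def pct(value):
    # RFC 5849 3.6: percent-encode everything except the unreserved characters
    return quote(str(value), safe="-._~")

def base_string_uri(url):
    # RFC 5849 3.4.1.2: lowercase scheme and host, drop default port and query string
    parts = urlsplit(url)
    scheme, host, port = parts.scheme.lower(), parts.hostname.lower(), parts.port
    default = (scheme == "http" and port == 80) or (scheme == "https" and port == 443)
    if port and not default:
        host = f"{host}:{port}"
    return f"{scheme}://{host}{parts.path}"

def normalize_params(params):
    # (key, value) pairs from query, body and oauth_* (never oauth_signature):
    # encode first, then sort by key and value, then join
    encoded = sorted((pct(k), pct(v)) for k, v in params)
    return "&".join(f"{k}={v}" for k, v in encoded)

def signature_base_string(method, url, params):
    return "&".join([method.upper(), pct(base_string_uri(url)), pct(normalize_params(params))])

def hmac_sha1_signature(base, consumer_secret, token_secret=""):
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()

def sign_request(method, url, params, consumer_key, consumer_secret, token="", token_secret=""):
    """Consumer side: add the oauth_* parameters and compute oauth_signature."""
    oauth = [("oauth_consumer_key", consumer_key), ("oauth_nonce", secrets.token_hex(8)),
             ("oauth_signature_method", "HMAC-SHA1"),
             ("oauth_timestamp", str(int(time.time()))), ("oauth_version", "1.0")]
    if token:
        oauth.append(("oauth_token", token))
    all_params = list(params) + oauth
    sig = hmac_sha1_signature(signature_base_string(method, url, all_params),
                              consumer_secret, token_secret)
    return all_params + [("oauth_signature", sig)]

def authorization_header(signed_params):
    # Step 2 of the post: carry the oauth_* parameters in the Authorization header
    parts = [f'{pct(k)}="{pct(v)}"' for k, v in signed_params if k.startswith("oauth_")]
    return "OAuth " + ", ".join(parts)

class Provider:
    """Constructed toy target application: verifies signatures and issues tokens."""
    def __init__(self, consumers):
        self.consumers = consumers      # consumer_key -> consumer_secret (the registration key)
        self.request_tokens = {}        # token -> {"secret", "consumer", "authorized"}
        self.access_tokens = {}
        self.seen_nonces = set()

    def verify(self, method, url, params, token_secret=""):
        p = dict(params)
        key = p.get("oauth_consumer_key")
        nonce = (key, p.get("oauth_timestamp"), p.get("oauth_nonce"))
        if key not in self.consumers or nonce in self.seen_nonces:   # unknown consumer or replay
            return False
        unsigned = [(k, v) for k, v in params if k != "oauth_signature"]
        expected = hmac_sha1_signature(signature_base_string(method, url, unsigned),
                                       self.consumers[key], token_secret)
        if not hmac.compare_digest(expected.encode(), p.get("oauth_signature", "").encode()):
            return False
        self.seen_nonces.add(nonce)
        return True

    def request_token(self, method, url, params):
        if not self.verify(method, url, params):
            raise PermissionError("bad signature on request token request")
        token, secret = secrets.token_hex(8), secrets.token_hex(16)
        self.request_tokens[token] = {"secret": secret, "authorized": False,
                                      "consumer": dict(params)["oauth_consumer_key"]}
        return token, secret

    def authorize(self, token):
        # Steps 2-3: the user logged in at the authorization endpoint and approved
        self.request_tokens[token]["authorized"] = True

    def access_token(self, method, url, params):
        rt = self.request_tokens.get(dict(params).get("oauth_token"))
        if rt is None or not rt["authorized"]:
            raise PermissionError("request token was never authorized")
        if not self.verify(method, url, params, rt["secret"]):
            raise PermissionError("bad signature on access token request")
        del self.request_tokens[dict(params)["oauth_token"]]   # one-time exchange
        token, secret = secrets.token_hex(8), secrets.token_hex(16)
        self.access_tokens[token] = {"secret": secret, "consumer": rt["consumer"]}
        return token, secret

def run_flow(provider, consumer_key, consumer_secret, user_approves=True):
    """Steps 1-5 of the post simulated in-process; returns (access_token, secret)."""
    base = "https://provider.example/oauth"   # constructed endpoint
    req = sign_request("POST", base + "/request_token",
                       [("oauth_callback", "https://consumer.example/cb")], consumer_key, consumer_secret)
    rt, rt_secret = provider.request_token("POST", base + "/request_token", req)
    if user_approves:
        provider.authorize(rt)
    acc = sign_request("POST", base + "/access_token", [], consumer_key, consumer_secret, rt, rt_secret)
    return provider.access_token("POST", base + "/access_token", acc)
```

Two design points are worth noting. The request token is unusable for the access-token step until the user has approved it, and it is deleted once exchanged, which is what keeps a third party from turning a token it merely requested into account access. On the verifying side, the nonce and timestamp are recorded so a captured signed request cannot simply be replayed, and the comparison uses `hmac.compare_digest` rather than `==`.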
Obviously, integrating OAuth is not as simple as a basic login, but it is meant to provide better security for integrating applications. It should not be simple; if it were, it would be simple to take advantage of. Thankfully, many web applications have examples of how to use OAuth with their site so that third parties can more easily integrate with them.
If you are a web application developer or a mashup developer, OAuth gives you a secure way to integrate with other applications. It can also ensure that you do not have more access to a user’s account than they have explicitly granted. If you are a user, request OAuth support from your favorite application so that integration is easier for everyone.