A How-to Guide to OAuth & API Security

  • In the past, it was common to ask the user to share their username and password with the client, a deceptively simple request masking unacceptable security risk.
  • OAuth is important because it places the management of Web delegation into the hands of the actual resource owner.
  • Social media has been the largest early adopter of OAuth.

OAuth is an emerging Web standard for authorizing limited access to applications and data. It is designed so that users can grant restricted access to resources they own—such as pictures residing on a site like Flickr or SmugMug—to a third-party client like a photo printing site.

In the past, it was common to ask the user to share their username and password with the client, a deceptively simple request masking unacceptable security risk. In contrast to this, OAuth promotes a least privilege model, allowing a user to grant limited access to their applications and data by issuing a token with limited capability.

OAuth is important because it places the management of Web delegation into the hands of the actual resource owner. The user connects the dots between their accounts on different Web applications without direct involvement from the security administrators on each respective site. This relationship can be long-lasting but can easily be terminated at any time by the user. One of the great advancements OAuth brings to the Web community is formalizing the process of delegating identity mapping to users.

OAuth is rapidly becoming a foundation standard of the modern Web and has grown far beyond its social media roots. OAuth is now very important for the enterprise; insurance companies, cable operators and even healthcare providers are using OAuth to manage access to their resources. Much of this adoption is driven by the corporate need to support increasingly diverse clients and mobile devices, in particular. These organizations are aggressively deploying APIs to service this new delivery channel and OAuth is the best practice for API authorization.

But it is important to recognize that OAuth is only one component of a full API access control and security solution. It is easy to focus on the details of the protocol and lose sight of the big picture of API Management—encompassing everything from user management to auditing, throttling and threat detection. APIs often represent a direct conduit to mission-critical enterprise applications. They need an enterprise-class security solution to protect them.

CA Technologies is committed to providing infrastructure to OAuth-enable enterprise applications. We offer drop-in solutions that fully integrate with existing investments in identity and access management (IAM) technology to provide a consistent authorization model across the enterprise. All CA API Gateway solutions are available as simple-to-deploy virtual images. CA Technologies also provides the flexibility to integrate with third-party OAuth implementations that may not be entirely compliant with the current standards, thus insulating you from the changes that come from a rapidly-evolving technology.

This white paper from CA Technologies describes what OAuth is and shows how you can make OAuth simple in your organization.

Can You Provide a Simple OAuth Example?

Social media has been the largest early adopter of OAuth. Facebook and Twitter owe much of their success to the fact that they are not simply standalone Web sites but platforms that encourage integration with other applications. The integration points are RESTful APIs that typically use OAuth as a means of authentication, authorization and binding together of different personal accounts.

Twitter and Facebook provide excellent examples of OAuth in action. Like many people, you probably have separate accounts on both of these social media powerhouses. Your account names may be similar (and in the name of good security, hopefully you use different passwords) but they are distinct accounts managed on different sites. So, how can you set things up so that your tweets show up instantly on your Facebook wall?

In the past, you would probably have had to store your Facebook username and password in your Twitter profile. This way, whenever you published a new tweet, the Twitter application could sign on for you to cross-post it onto Facebook. This approach has come to be called the password anti-pattern, and it is a bad idea for a number of reasons. Entrusting Twitter with your Facebook password simply gives this application too much power. If a hacker were to compromise the site, or an internal administrator went rogue, they could leverage your plaintext password to post damaging pictures, lock you out of Facebook or even delete your entire account.

Fortunately, Twitter and Facebook both use OAuth to overcome this challenge. OAuth provides a delegated authorization model permitting Twitter to post on your wall—but nothing else. This is shown in Figure A below.

From the user perspective, the interaction is very simple and intuitive. You can follow it in Figure B below. From their Twitter settings panel, a user clicks on a button that transfers them to Facebook, where they can sign in. This creates an association between this user’s two separate accounts without any involvement from Facebook or Twitter security administrators.

Once authenticated on Facebook, the user undergoes a consent ceremony, where they can choose the subset of privileges they want to grant to Twitter to permit the application to perform actions on their behalf. Finally, the user returns automatically to Twitter, where they can resume posting tweets, which now appear on their Facebook wall as well. The relationship they have set up persists indefinitely or until they decide to break it explicitly, using controls found on the settings page.

For the user, this is a simple and intuitive process—and indeed, that is much of OAuth’s appeal. But underneath the hood is a much more complex interaction between the sites, often called the OAuth dance. Three-legged OAuth is the popular name for the scenario described here; it is the most typical use case for the OAuth 1.0a specification, now published as RFC 5849.
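The delegation model described in the preceding paragraphs, reduced to its essential checks, as an added example that is not code from the white paper or from any real provider: a provider issues a token carrying only the scopes the user consented to, the resource side checks every call against those scopes, and the user can revoke the token at any time. The scope names ("post", "delete_account"), the user name and the token format are constructed for the illustration.

```python
"""Toy model of three-legged OAuth delegation (added example, not vendor code).

Provider plays the role of the site that owns the user's data (the
"Facebook" side); Client plays the third-party application that wants to
act on the user's behalf (the "Twitter" side). Scope names and token
format are constructed for the illustration.
"""
import secrets


class Provider:
    """Authorization server + resource server of the site holding the user's data."""

    def __init__(self):
        self.tokens = {}  # token -> {"user": str, "scopes": set}
        self.walls = {}   # user -> list of posts made on their behalf

    def consent(self, user, requested_scopes, granted_scopes):
        """Consent ceremony: the user may grant only a subset of what the client asked for."""
        granted = set(granted_scopes) & set(requested_scopes)
        token = secrets.token_urlsafe(24)  # opaque, unguessable handle; never the password
        self.tokens[token] = {"user": user, "scopes": granted}
        return token

    def revoke(self, user, token):
        """The resource owner breaks the relationship from their settings page."""
        grant = self.tokens.get(token)
        if grant is None or grant["user"] != user:
            return False
        del self.tokens[token]
        return True

    def api_call(self, token, action, payload=None):
        """Resource server: every request is checked against the token's scopes."""
        grant = self.tokens.get(token)
        if grant is None:
            return (401, "invalid or revoked token")
        if action not in grant["scopes"]:
            return (403, f"token not permitted to {action}")
        if action == "post":
            self.walls.setdefault(grant["user"], []).append(payload)
            return (200, "posted")
        if action == "delete_account":
            self.walls.pop(grant["user"], None)
            return (200, "account deleted")
        return (400, "unknown action")


class Client:
    """Third-party application that stores a limited token instead of a password."""

    def __init__(self):
        self.stored_tokens = {}  # user -> delegation token

    def link_account(self, provider, user, granted_scopes):
        # The client asks for more than it needs; the user decides what to grant.
        token = provider.consent(user, ["post", "delete_account"], granted_scopes)
        self.stored_tokens[user] = token
        return token

    def cross_post(self, provider, user, text):
        return provider.api_call(self.stored_tokens.get(user), "post", text)


def demo():
    """Walk through grant, use, over-reach, revocation and use-after-revocation."""
    provider, client = Provider(), Client()
    token = client.link_account(provider, "alice", ["post"])  # alice grants "post" only
    results = {
        "post": client.cross_post(provider, "alice", "hello from the client"),
        "delete": provider.api_call(token, "delete_account"),   # never granted
        "revoke": provider.revoke("alice", token),
    }
    results["after_revoke"] = client.cross_post(provider, "alice", "again")
    return results


if __name__ == "__main__":
    for step, outcome in demo().items():
        print(f"{step}: {outcome}")
```

The point to take from `api_call` is that the limited capability lives in the token record on the provider side, so the client never holds more authority than the user consented to, and revocation takes effect on the next request without the client's cooperation.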

This specification is detailed but surprisingly narrow. It defines the redirection flow that allows a user to associate their accounts, to authorize a limited subset of operations and return an opaque token that Twitter can persist safely for access instead of an all-powerful password. It even details—at least in the 1.0 version—a method for binding the token to parameter content using digital signatures, thus allowing integrity checks on content submitted over unencrypted channels.
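The signature mechanism mentioned above, as an added example rather than code from the white paper: the RFC 5849 HMAC-SHA1 method builds a signature base string from the HTTP method, the normalized request URL and the sorted, percent-encoded parameters, and keys the HMAC with the consumer secret and token secret. The consumer key, token, secrets, nonce, timestamp and URL below are constructed sample values; the caller is assumed to pass all query-string, form-body and oauth_* parameters in one list.

```python
"""RFC 5849 (OAuth 1.0a) HMAC-SHA1 request signing and verification.

Added example, not vendor code. Sample keys, secrets, nonce, timestamp and
URL are constructed. The caller supplies every protocol, query-string and
form-body parameter in `params` (a list of (name, value) pairs).
"""
import base64
import hashlib
import hmac
from urllib.parse import quote, urlsplit


def pct(value):
    """RFC 3986 percent-encoding; only unreserved characters are left as-is."""
    return quote(str(value), safe="-._~")


def base_string_uri(url):
    """Lower-case scheme/host, drop default ports, strip query and fragment."""
    parts = urlsplit(url)
    host = parts.hostname.lower()
    default = {"http": 80, "https": 443}.get(parts.scheme.lower())
    if parts.port and parts.port != default:
        host = f"{host}:{parts.port}"
    return f"{parts.scheme.lower()}://{host}{parts.path}"


def normalize_params(params):
    """Encode names and values, sort by name then value, join as name=value&..."""
    pairs = sorted((pct(k), pct(v)) for k, v in params)
    return "&".join(f"{k}={v}" for k, v in pairs)


def signature_base_string(method, url, params):
    return "&".join([method.upper(), pct(base_string_uri(url)), pct(normalize_params(params))])


def sign(method, url, params, consumer_secret, token_secret):
    """Client side: HMAC-SHA1 over the base string, keyed with both secrets."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    base = signature_base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode()


def verify(method, url, params, consumer_secret, token_secret):
    """Server side: recompute from the received parameters and compare in constant time."""
    received = dict(params).get("oauth_signature", "")
    unsigned = [(k, v) for k, v in params if k != "oauth_signature"]
    expected = sign(method, url, unsigned, consumer_secret, token_secret)
    return hmac.compare_digest(expected, received)


# Constructed sample request: the oauth_* parameters plus one form-body field.
SAMPLE_URL = "https://api.example.com/1/statuses/update.json"
SAMPLE_PARAMS = [
    ("oauth_consumer_key", "demo-consumer-key"),
    ("oauth_token", "demo-access-token"),
    ("oauth_signature_method", "HMAC-SHA1"),
    ("oauth_timestamp", "1300000000"),
    ("oauth_nonce", "n0nc3"),
    ("oauth_version", "1.0"),
    ("status", "Hello world!"),  # body content is covered by the signature too
]
CONSUMER_SECRET, TOKEN_SECRET = "demo-consumer-secret", "demo-token-secret"


def demo():
    """Sign the sample request, verify it, then verify a tampered copy."""
    sig = sign("POST", SAMPLE_URL, SAMPLE_PARAMS, CONSUMER_SECRET, TOKEN_SECRET)
    signed = SAMPLE_PARAMS + [("oauth_signature", sig)]
    tampered = [("status", "Changed in transit") if k == "status" else (k, v) for k, v in signed]
    return {
        "ok": verify("POST", SAMPLE_URL, signed, CONSUMER_SECRET, TOKEN_SECRET),
        "tampered": verify("POST", SAMPLE_URL, tampered, CONSUMER_SECRET, TOKEN_SECRET),
    }


if __name__ == "__main__":
    print(signature_base_string("POST", SAMPLE_URL, SAMPLE_PARAMS))
    print(demo())
```

Because the form-body `status` field is part of the base string, any change to the posted content after signing fails verification, which is the integrity property the paragraph refers to; a real server would additionally reject stale timestamps and reused nonces.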

One of the strengths of the OAuth 1.0a specification is that, rather than attempting to define a generalized authorization framework, it instead set out to offer a solution to the common design challenge described above. It was a grass-roots initiative by people with a problem to solve, and its timing was perfect. Unsurprisingly, it became wildly successful, seeing implementation on sites such as Google, Dropbox, Salesforce, Foursquare and LinkedIn.

OAuth, however, is evolving. Version 2, which was published in October 2012, ambitiously aims to satisfy a much more generalized set of use cases. This naturally adds complexity to the solution and adds to the difficulty faced by developers trying to implement it to protect enterprise APIs.
