Logging into another site with your Google, Twitter, or Facebook account isn’t just convenient; it’s more secure than creating a new account, or entering your Google, Twitter, or Facebook password into a third-party site. That’s where Open Authentication (OAuth) comes in. Here’s how it works, and how it keeps your passwords safe on third-party sites.
OAuth is an authentication protocol that allows you to approve one application interacting with another on your behalf without giving away your password.
This is a quick guide to illustrate, as simply as possible, how OAuth works.
The OAuth Flow
There are 3 main players in an OAuth transaction: the user, the consumer, and the service provider. This triumvirate has been affectionately deemed the OAuth Love Triangle. In our example, Shap is the user, Aruna is the consumer, and Facebook is the service provider who controls Shap’s secure resource (his Facebook stream). Shap would like Aruna to be able to post shortened links to his stream. Here’s how it works:
Step 1 – The User Shows Intent
Shap (User): “Hey, Aruna, I would like you to be able to post links directly to my Facebook stream.”
Aruna (Consumer): “Great! Let me go ask for permission.”
Step 2 – The Consumer Gets Permission
Aruna: “I have a user that would like me to post to his stream. Can I have a request token?”
Facebook (Service Provider): “Sure. Here’s a token and a secret.”
The secret is used to prevent request forgery. The consumer uses the secret to sign each request so that the service provider can verify it is actually coming from the consumer application.
Step 3 – The User Is Redirected to the Service Provider
Aruna: “OK, Shap. I’m sending you over to Facebook so you can approve. Take this token with you.”
Shap: “OK!”
<Aruna directs Shap to Facebook for authorization>
This is the scary part. If Aruna were super-shady Evil Co. it could pop up a window that looked like Facebook but was really phishing for your username and password. Always be sure to verify that the URL you’re directed to is actually the service provider (Facebook, in this case).
Step 4 – The User Gives Permission
Shap: “Facebook, I’d like to authorize this request token that Aruna gave me.”
Facebook: “OK, just to be sure, you want to authorize Aruna to do X, Y, and Z with your Facebook account?”
Shap: “Yes!”
Facebook: “OK, you can go back to Aruna and tell them they have permission to use their request token.”
Facebook marks the request token as “good-to-go,” so when the consumer requests access, it will be accepted (so long as it’s signed using their shared secret).
Step 5 – The Consumer Obtains an Access Token
Aruna: “Facebook, can I exchange this request token for an access token?”
Facebook: “Sure. Here’s your access token and secret.”
Step 6 – The Consumer Accesses the Protected Resource
Aruna: “I’d like to post this link to Shap’s stream. Here’s my access token!”
Facebook: “Done!”
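The six steps above, carried through as an added example (not code from the original post): a toy service provider issues a request token and secret, records the user’s approval, exchanges the approved token for an access token, and verifies the consumer’s signature on every call. The signing scheme is an assumed simplification (HMAC-SHA256 keyed with consumer secret and token secret) rather than the real OAuth signature base string; the consumer keys and names are constructed for the example.

```python
import hashlib, hmac, secrets
from urllib.parse import urlencode

def sign(params, consumer_secret, token_secret=""):
    # Simplified signing: HMAC-SHA256 over the sorted parameters, keyed "consumer_secret&token_secret"
    # (OAuth 1.0a key construction without the full RFC 5849 base string). Secrets never go on the wire.
    key = f"{consumer_secret}&{token_secret}".encode()
    return hmac.new(key, urlencode(sorted(params.items())).encode(), hashlib.sha256).hexdigest()

class ServiceProvider:
    """Facebook's role: issues tokens, records the user's approval, verifies every signature."""
    def __init__(self, consumers):
        self.consumers = consumers  # consumer_key -> consumer_secret, shared out of band at registration
        self.tokens = {}            # token -> {secret, consumer, kind, authorized}

    def _verify(self, params, token_secret=""):
        # Recompute the signature server-side; constant-time compare avoids timing leaks.
        sent = params.pop("signature", None)
        consumer_secret = self.consumers.get(params.get("consumer_key"))
        if sent is None or consumer_secret is None:
            return False
        return hmac.compare_digest(sent, sign(params, consumer_secret, token_secret))
    def _issue(self, consumer, kind, authorized):
        tok, sec = secrets.token_hex(8), secrets.token_hex(16)
        self.tokens[tok] = {"secret": sec, "consumer": consumer, "kind": kind, "authorized": authorized}
        return tok, sec
    def request_token(self, params):  # Step 2: signed with the consumer secret alone
        return self._issue(params["consumer_key"], "request", False) if self._verify(params) else None
    def authorize(self, token):  # Step 4: approval is recorded at the provider, never via the consumer
        self.tokens[token]["authorized"] = True
    def access_token(self, params):  # Step 5: only an authorized request token of the same consumer qualifies
        rec = self.tokens.get(params.get("token"))
        if not (rec and rec["kind"] == "request" and rec["authorized"]
                and rec["consumer"] == params.get("consumer_key") and self._verify(params, rec["secret"])):
            return None
        del self.tokens[params["token"]]  # request tokens are single-use
        return self._issue(params["consumer_key"], "access", True)
    def post(self, params):  # Step 6: a live access token plus a valid signature gates the protected resource
        rec = self.tokens.get(params.get("token"))
        return bool(rec and rec["kind"] == "access" and rec["consumer"] == params.get("consumer_key")
                    and self._verify(params, rec["secret"]))

def consumer_call(method, key, secret, token=None, token_secret="", **extra):
    # Aruna's side: assemble the parameters, sign them, then send (here: call) the request.
    params = {"consumer_key": key, **extra}
    if token:
        params["token"] = token
    params["signature"] = sign(params, secret, token_secret)
    return method(params)
```

Note that a request token that the user has not yet approved, a token presented by a different consumer, or a request signed with the wrong secret all fail at the provider, which is the point of the token/secret split.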

We don’t need to talk much about Facebook itself. Let us get straight to it.
This tutorial explains how you can develop a basic Facebook application using the Facebook Open Graph API.
Step 1: Set up Application with your Facebook Account
Log in to your Facebook account and navigate to the Facebook developers page. Or, you can go directly to developers.facebook.com.
From the developers page, click the “Add New App” option under the “My Apps” menu, as shown below.


Click on “Create App ID” to create the application. This will take you to the application dashboard from where you can see all the settings for the new app you just created.


Under the settings of “Facebook Login”, you need to provide the Redirect URL. This URL should be within your client web application, and Facebook will send all responses to this URL. But here you must provide an SSL/TLS-enabled URL, e.g. https://someone.com/
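On the application side, the redirect URL Facebook sends responses to should be compared exactly against what was registered, and only https accepted. The check below is an added example, not Facebook’s own validation; the exact-match policy (no prefix or wildcard matching, no fragment, no user@ in the authority, :443 treated as the default port) and the sample URLs are assumptions of this example.

```python
from urllib.parse import urlsplit

def _normalize(url):
    """Canonical form of a redirect URL, or None if it is not an acceptable https URL.
    Assumed policy for this example: https only, no fragment, no user@ in the authority,
    scheme and host compared case-insensitively, an explicit :443 treated as the default."""
    try:
        u = urlsplit(url)
        port = u.port  # raises ValueError on a non-numeric port
    except ValueError:
        return None
    if u.scheme != "https" or u.fragment or "@" in u.netloc or not u.hostname:
        return None
    host = u.hostname.lower() + ("" if port in (None, 443) else f":{port}")
    return ("https", host, u.path or "/", u.query)

def redirect_uri_allowed(registered, candidate):
    """Exact-match check: the URL a response would be sent to must equal one of the
    registered URLs after normalisation. No prefix or wildcard matching, so a path,
    query, host suffix or port that differs from what was registered is refused."""
    want = _normalize(candidate)
    return want is not None and any(_normalize(r) == want for r in registered)
```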
