Tuesday, 11 September 2012

Playing with OAuth 2.0: how does it works?

Recently I have started to play with a new mobile platform.
Tipically the things that I do when I have a new platform to learn are:
- read general documentation of the platform
- try to realize an application from scratch with the new platform

Just because the project that I have in mind use OAuth I had the necessity to understand how it works.
Many portal and website  nowadays use this protocol for users authentication.

The idea is based on soundcloud and its api…
If you search on the site you will find a lot of documentation, also library, for  the most famous mobile platform (android and ios) but not a general way on how OAuth should works and how you, as developer, should handle it.
Results from a search on the web show me detailed complicated explanation or specific platform dependent explanations ( for the specific api or platform)

Talk auth2.0
With auth2.0 applications the security of your accounts improves.
A client with OAuth never ask for your username and password, instead, it ask authorization from the server where your account is.
The server (typically a famous service like Facebook,twitter, gmail…) than ask you to login(if you are not already logged) and ask if you would like to authorize the application.
If the user authorize the application the server send back to the application a token, something like a string of numbers and letters.
The application than will store the token locally and use that token for next api request to the service.
Someone can hack the application and get the saved token (it can expire and be invalidated also by the users) but it doesn't have access to your account… so your account still remain safe!

An image is better than thousands words...

simple uhm?
you connect to the credential page asking to the user to login (if it is not already logged) and than authorize the application.
the server than send back a message with a code.
with that code you can ask for a token...and with the token you can finally make api requests.

In the next post, I will show a specific implementation…based on soundcloud api!