
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 283


I have been reading about OAuth, and not quite sure I understand.

From what I read, the following is what I think is going on:

The client (someone with a browser) tries to access a web service. The web service routes the request to an Identity Provider (or authentication server). The user logs into the Identity Provider. The Identity Provider sends a token to the web service. This token says the user is trusted and can stay logged in. The web service can now check the token to see what actions the user is authorized for.

Is this correct? Am I missing something?

Is there encryption involved? If so, where?

Anthony Lucia
1 Solution
Mayank S, Associate Director - Product Engineering, commented:
Look at it this way. Assume you are using Facebook and want to add/ find your friends from Gmail there. Facebook does not have access to your Gmail address book. Assume Gmail would have exposed a web-service to retrieve your address book. So this is what will happen when you select an option saying "Add/ Find Gmail friends" on Facebook:

* Facebook will contact Gmail and ask for a request token (assuming Facebook is registered with Gmail as a consumer application). This is done based on a consumer key and secret that would have been shared between them during registration (consider it like an application's username/password with another application, not a user's).
* Gmail responds with a token, but you as a user still need to authorize FB to access your Gmail address book. So upon redirection, Gmail shows its login page where you log in (so you're entering your Gmail credentials on a Gmail pop-up page, not on Facebook). Once logged in, Gmail asks you whether you want to share the address book or not.
* You say yes, and Gmail issues an access token to Facebook for accessing your address book. Using this token, Facebook makes the final web-service call to Gmail to fetch the address book.

The token stays valid for a specified duration, and during that time, Facebook can make multiple calls without reauthentication or reauthorization.

Each HTTP request is also signed with a unique signature which cannot be spoofed or repeated, so it ensures nobody else can emulate your application and try to access the service.
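The "signed with a unique signature which cannot be spoofed or repeated" part of the answer above is the OAuth 1.0a HMAC-SHA1 scheme (RFC 5849): the consumer builds a signature base string from the HTTP method, the base URL and all request parameters, and keys the HMAC with the consumer secret and the token secret joined by "&". The per-request oauth_nonce and oauth_timestamp are what let the provider reject replays. The following is an added example written for this page, not code from the answer or from Facebook/Gmail; the consumer key, secrets, token, URL and the "ResourceServer" class are constructed stand-ins. It implements both sides: the consumer signing a call, and the provider verifying the signature, the timestamp window and the nonce.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, urlparse


def pct(s):
    # RFC 5849 section 3.6: percent-encode everything except the RFC 3986 unreserved set.
    return quote(str(s), safe="-._~")


def signature_base_string(method, url, params):
    """Build the RFC 5849 section 3.4.1 base string: METHOD & base-URL & normalized params."""
    parsed = urlparse(url)
    scheme, host = parsed.scheme.lower(), parsed.netloc.lower()
    # Default ports are dropped from the base string URL.
    if (scheme == "http" and host.endswith(":80")) or (scheme == "https" and host.endswith(":443")):
        host = host.rsplit(":", 1)[0]
    base_url = f"{scheme}://{host}{parsed.path}"
    # Query-string and body/header parameters are all signed, except oauth_signature itself.
    all_params = list(params.items()) + parse_qsl(parsed.query, keep_blank_values=True)
    encoded = sorted((pct(k), pct(v)) for k, v in all_params)  # sort after encoding, by key then value
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct(base_url), pct(normalized)])


def sign(method, url, params, consumer_secret, token_secret=""):
    """HMAC-SHA1 over the base string; key = consumer_secret '&' token_secret (both encoded)."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, signature_base_string(method, url, params).encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def signed_request(method, url, extra_params, consumer_key, consumer_secret,
                   token, token_secret, nonce=None, timestamp=None):
    """Consumer side: assemble the oauth_* parameters and attach the signature."""
    params = {
        "oauth_consumer_key": consumer_key,
        "oauth_token": token,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(int(time.time()) if timestamp is None else timestamp),
        "oauth_nonce": nonce or secrets.token_hex(16),  # fresh random value per request
        "oauth_version": "1.0",
    }
    params.update(extra_params)
    params["oauth_signature"] = sign(method, url, params, consumer_secret, token_secret)
    return params


class ResourceServer:
    """Provider side (hypothetical): checks signature, timestamp window and nonce reuse."""

    def __init__(self, consumer_secret, token_secret, window=300):
        self.consumer_secret = consumer_secret
        self.token_secret = token_secret
        self.window = window          # seconds of clock skew tolerated
        self.seen = set()             # (consumer_key, timestamp, nonce) already accepted

    def verify(self, method, url, params, now=None):
        now = int(time.time()) if now is None else now
        unsigned = {k: v for k, v in params.items() if k != "oauth_signature"}
        expected = sign(method, url, unsigned, self.consumer_secret, self.token_secret)
        # Constant-time compare so an attacker cannot probe the signature byte by byte.
        if not hmac.compare_digest(expected, params.get("oauth_signature", "")):
            return False, "bad signature"
        if abs(now - int(params["oauth_timestamp"])) > self.window:
            return False, "stale timestamp"
        key = (params["oauth_consumer_key"], params["oauth_timestamp"], params["oauth_nonce"])
        if key in self.seen:
            return False, "replayed nonce"
        self.seen.add(key)
        return True, "ok"


def demo_flow():
    """Constructed scenario: a valid call, a tampered copy, a replay, and a stale request."""
    consumer_key, consumer_secret = "fb-app-key", "fb-app-secret"        # constructed
    token, token_secret = "user-access-token", "user-token-secret"       # constructed
    url = "https://contacts.example.com/addressbook"                     # constructed
    server = ResourceServer(consumer_secret, token_secret)
    now = 1_700_000_000
    req = signed_request("GET", url, {"max": "50"}, consumer_key, consumer_secret,
                         token, token_secret, nonce="n1", timestamp=now)
    first = server.verify("GET", url, req, now=now)
    tampered = dict(req, max="500")                 # parameter changed, signature not recomputed
    bad = server.verify("GET", url, tampered, now=now)
    replay = server.verify("GET", url, req, now=now + 5)   # same nonce again
    old = signed_request("GET", url, {}, consumer_key, consumer_secret,
                         token, token_secret, nonce="n2", timestamp=now)
    stale = server.verify("GET", url, old, now=now + 1000)  # valid signature, outside the window
    return first, bad, replay, stale
```

The base-string construction above reproduces the RFC 5849 section 3.4.1.1 worked example exactly, so it can be checked against the spec. Note what the signature does and does not give you: it binds the parameters and URL to the consumer and token secrets and, with the nonce store, stops replay, but it is not encryption; the secrets never travel on the wire, yet the request body is still readable by anyone who can see the traffic, which is why OAuth 1.0a is run over TLS.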
