I have been reading about OAuth, and I'm not quite sure I understand.

From what I read, the following is what I think is going on:

The client (someone with a browser) tries to access a web service. The web service routes the request to an Identity Provider (or authentication server). The user logs into the Identity Provider. The Identity Provider sends a token to the web service. This token says the user is trusted and can stay logged in. The web service can now check the token to see what actions the user is authorized for.

Is this correct? Am I missing something?

Is there encryption involved? If so, where?

Anthony Lucia asked:
Mayank S, Associate Director - Product Engineering, commented:
Look at it this way. Assume you are using Facebook and want to add/ find your friends from Gmail there. Facebook does not have access to your Gmail address book. Assume Gmail would have exposed a web-service to retrieve your address book. So this is what will happen when you select an option saying "Add/ Find Gmail friends" on Facebook:

* Facebook will contact Gmail and ask for a request token (assuming Facebook is registered with Gmail as a consumer application) - this is done based on a consumer key and secret that would have been shared between them during registration (consider it like an application's username/ password with another application, not a user's).
* Gmail responds with a token but you as a user still need to authorize FB to access your Gmail address book. So upon redirection, Gmail throws its login page where you login (so you're entering your Gmail credentials on a Gmail pop-up page but not on Facebook). Once logged in, Gmail asks you if you want to share the address book or not.
* You say yes, and Gmail issues an access token to Facebook for accessing your address book. Using this token, Facebook makes the final web-service call to Gmail to fetch the address book.

The token stays valid for a specified duration, and during that time, Facebook can make multiple calls without reauthentication or reauthorization.

Each HTTP request is also signed with a unique signature which cannot be spoofed or repeated, so it ensures nobody else can emulate your application and try to access the service.
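Added example, not code from the thread or from either participant: the per-request signing the answer describes is the OAuth 1.0a HMAC-SHA1 scheme, in which the consumer secret and token secret key an HMAC over a normalized base string (method, URL, sorted parameters, nonce, timestamp), and the resource server (the "Gmail" side) checks the signature, a timestamp window and previously seen nonces so a captured request cannot be replayed. All secrets, keys, URLs and parameter values here are constructed placeholders.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import quote


def pct(value):
    """RFC 3986 percent-encoding; only unreserved characters stay as-is."""
    return quote(str(value), safe="")


def base_string(method, url, params):
    """Signature base string: METHOD & base URL & sorted, encoded params
    (query fields plus every oauth_* field except oauth_signature)."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])


def sign(method, url, params, consumer_secret, token_secret=""):
    """HMAC-SHA1 over the base string, keyed with both shared secrets.
    The consumer secret proves the application, the token secret the grant."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


class ResourceServer:
    """Verifier for the protected resource (the 'Gmail' side): checks the
    signature, a timestamp window and replayed (nonce, timestamp) pairs."""

    def __init__(self, consumer_secret, token_secret, window=300):
        self.consumer_secret = consumer_secret    # hypothetical constant
        self.token_secret = token_secret          # hypothetical constant
        self.window = window                      # accepted clock skew, seconds
        self.seen = set()                         # (nonce, timestamp) already used

    def verify(self, method, url, params, signature, now=None):
        now = time.time() if now is None else now
        ts = int(params["oauth_timestamp"])
        replay_key = (params["oauth_nonce"], ts)
        if abs(now - ts) > self.window or replay_key in self.seen:
            return False
        expected = sign(method, url, params, self.consumer_secret, self.token_secret)
        if not hmac.compare_digest(expected, signature):
            return False
        self.seen.add(replay_key)   # record only after a valid signature
        return True
```

The nonce is recorded only after the signature checks out, so an unauthenticated sender cannot burn nonces that a legitimate client will later need.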
