Posted on 2014-08-04
Last Modified: 2014-08-05
I have been reading about OAuth, and not quite sure I understand.

From what I read, the following is what I think is going on:

The client (someone with a browser) tries to access a web service. The web service routes the request to an Identity Provider (or authentication server). The user logs into the Identity Provider. The Identity Provider sends a token to the web service. This token says the user is trusted and can stay logged in. The web service can now check the token to see what actions the user is authorized for.

Is this correct? Am I missing something?

Is there encryption involved? If so, where?

Question by: Anthony Lucia

Accepted Solution

Look at it this way. Assume you are using Facebook and want to add/find your friends from Gmail there. Facebook does not have access to your Gmail address book. Assume Gmail would have exposed a web service to retrieve your address book. So this is what will happen when you select an option saying "Add/Find Gmail friends" on Facebook:

* Facebook will contact Gmail and ask for a request token (assuming Facebook is registered with Gmail as a consumer application). This is done based on a consumer key and secret that would have been shared between them during registration (consider it like an application's username/password with another application, not a user's).
* Gmail responds with a token, but you as a user still need to authorize FB to access your Gmail address book. So upon redirection, Gmail throws its login page where you log in (so you're entering your Gmail credentials on a Gmail pop-up page, not on Facebook). Once logged in, Gmail asks you if you want to share the address book or not.
* You say yes, and Gmail issues an access token to Facebook for accessing your address book. Using this token, Facebook makes the final web-service call to Gmail to fetch the address book.

The token stays valid for a specified duration, and during that time, Facebook can make multiple calls without reauthentication or reauthorization.

Each HTTP request is also signed with a unique signature which cannot be spoofed or repeated, so it ensures nobody else can emulate your application and try to access the service.
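The three legs described in the answer, plus the per-request signing it mentions at the end, as an added worked example (it is not code from the original post, from Experts Exchange, or from any real Gmail or Facebook API). It is an in-memory simulation of an OAuth 1.0-style flow: `Provider` plays the Gmail role (owns the address book, registers consumers, issues tokens, checks signatures) and `Consumer` plays the Facebook role (holds the consumer key/secret and signs each request). The endpoint URL, the consumer key and secret, the user name and the sample address book are all constructed placeholders; the signature construction follows the HMAC-SHA1 method of RFC 5849, while the token bookkeeping is a simplified stand-in for a real server.

```python
# Added example, not part of the original answer: a toy OAuth 1.0-style three-legged flow in the
# answer's roles (Provider = Gmail, Consumer = Facebook). URL, keys and sample contacts are constructed.
import base64, hashlib, hmac, secrets, time
from urllib.parse import quote

PROVIDER_URL = "https://gmail.example/oauth"  # constructed placeholder, not a real endpoint
CONTACTS = {"alice": ["bob@example.com", "carol@example.com"]}  # constructed sample address book

def pct(value):  # RFC 5849 percent-encoding: only unreserved characters are left alone
    return quote(str(value), safe="~")

def signature(method, url, params, consumer_secret, token_secret=""):
    """HMAC-SHA1 over method, URL and the sorted parameters, keyed by consumer secret & token secret."""
    normalized = "&".join(f"{pct(k)}={pct(v)}" for k, v in sorted(params.items()))
    base = "&".join([method.upper(), pct(url), pct(normalized)])
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()

class Provider:
    """The service that owns the user's data (Gmail in the answer)."""
    def __init__(self, consumers):
        self.consumers = consumers    # consumer key -> secret, shared when the app registered
        self.request_tokens = {}      # token -> dict(secret, user, verifier)
        self.access_tokens = {}       # token -> dict(secret, user, expires)
        self.seen_nonces = set()      # (consumer key, timestamp, nonce) already accepted
    def verify(self, method, url, params, token_secret=""):
        """Reject unknown consumers, stale timestamps, repeated nonces and bad signatures."""
        unsigned = {k: v for k, v in params.items() if k != "oauth_signature"}
        secret = self.consumers.get(unsigned.get("oauth_consumer_key"))
        if secret is None:
            raise PermissionError("unknown consumer")
        if abs(time.time() - int(unsigned["oauth_timestamp"])) > 300:
            raise PermissionError("stale timestamp")
        nonce_key = (unsigned["oauth_consumer_key"], unsigned["oauth_timestamp"], unsigned["oauth_nonce"])
        if nonce_key in self.seen_nonces:
            raise PermissionError("replayed request")
        expected = signature(method, url, unsigned, secret, token_secret)
        if not hmac.compare_digest(expected, params.get("oauth_signature", "")):
            raise PermissionError("bad signature")
        self.seen_nonces.add(nonce_key)
        return unsigned
    def request_token(self, method, url, params):
        """Leg 1: the consumer proves it holds the consumer secret and gets a request token."""
        self.verify(method, url, params)
        tok, sec = secrets.token_hex(8), secrets.token_hex(16)
        self.request_tokens[tok] = {"secret": sec, "user": None, "verifier": None}
        return tok, sec
    def authorize(self, token, user):
        """Leg 2: the user logs in on the provider's own page and consents; a verifier is issued."""
        rt = self.request_tokens[token]
        rt["user"], rt["verifier"] = user, secrets.token_hex(4)
        return rt["verifier"]
    def access_token(self, method, url, params):
        """Leg 3: an authorized request token plus its verifier is swapped for an access token."""
        rt = self.request_tokens.pop(params.get("oauth_token"), None)
        if rt is None:
            raise PermissionError("unknown request token")
        p = self.verify(method, url, params, rt["secret"])
        if rt["user"] is None or not hmac.compare_digest(rt["verifier"], p.get("oauth_verifier", "")):
            raise PermissionError("request token not authorized")
        tok, sec = secrets.token_hex(8), secrets.token_hex(16)
        self.access_tokens[tok] = {"secret": sec, "user": rt["user"], "expires": time.time() + 3600}
        return tok, sec
    def address_book(self, method, url, params):
        """The protected call; works for the token's lifetime without another login or consent."""
        at = self.access_tokens.get(params.get("oauth_token"))
        if at is None or time.time() > at["expires"]:
            raise PermissionError("missing or expired access token")
        self.verify(method, url, params, at["secret"])
        return list(CONTACTS[at["user"]])

class Consumer:  # the application acting for the user (Facebook in the answer)
    def __init__(self, key, secret):
        self.key, self.secret = key, secret
    def signed(self, method, url, extra=None, token=None, token_secret=""):
        """Build the oauth_* parameters with a fresh nonce and timestamp, then sign them."""
        params = {"oauth_consumer_key": self.key, "oauth_nonce": secrets.token_hex(8),
                  "oauth_timestamp": str(int(time.time())), "oauth_signature_method": "HMAC-SHA1",
                  "oauth_version": "1.0", **(extra or {})}
        if token:
            params["oauth_token"] = token
        params["oauth_signature"] = signature(method, url, params, self.secret, token_secret)
        return params

def run_flow(provider, consumer, user):
    """Drive all three legs and return the address book the consumer fetched."""
    url = PROVIDER_URL + "/request_token"
    rt, rt_secret = provider.request_token("POST", url, consumer.signed("POST", url, {"oauth_callback": "oob"}))
    verifier = provider.authorize(rt, user)  # stands in for the redirect, login page and consent click
    url = PROVIDER_URL + "/access_token"
    at, at_secret = provider.access_token("POST", url, consumer.signed("POST", url, {"oauth_verifier": verifier}, rt, rt_secret))
    url = PROVIDER_URL + "/contacts"
    return provider.address_book("GET", url, consumer.signed("GET", url, None, at, at_secret))

def rejection_reason(call, *args):
    """Return the provider's rejection message, or None when the request was accepted."""
    try:
        call(*args)
    except PermissionError as exc:
        return str(exc)
    return None
```

Two points the simulation makes concrete. The consumer secret and token secrets never travel in a request; only the HMAC does, so a party that captures a request learns no key material, and the "cannot be repeated" property in the answer holds only because the provider remembers each (consumer key, timestamp, nonce) triple and rejects stale timestamps, which is the check a real provider must implement and persist. On the question's last point: this signature is integrity and origin authentication, not encryption; confidentiality of the redirect, the login page and the address-book response comes from TLS on the transport, which OAuth itself does not provide.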
