OAuth is one of those things that sounds super complicated on the surface, but the mechanics of it are actually pretty simple to understand. However, any article you find out there is going to make it sound way more complex than necessary. OAuth can be used by anyone, but not all of us speak fluent computer nerd, so these articles are super unhelpful and unnecessarily verbose. Thus, we have made it our goal to explain OAuth in simple terms that anyone can understand, cutting down on the unnecessary jargon to get right to the meat and potatoes. Let’s jump in.
So … what is OAuth?
A lot of businesses, marketing agencies, or really anyone who uses social media for their company likely also uses a scheduling app that will automatically post content for them to social platforms. So let’s use that as an example. Say that you’re using an app to post to Instagram for you. But Instagram needs to know that you have given that app permission to post on your behalf, otherwise any app could post whatever they wanted to any platform. Of course, when you log into your account on Instagram, you enter a username and password and this gives you permission to post to your account.
However, if you want to post through an app, you have to give your username and password to that app, which is not very secure. It’s even less secure if you have the same credentials across multiple platforms, which means that once you give them to an app, this app can now log in to more than just the one platform.
This is where OAuth comes in.
OAuth acts as a mediator between the app and Instagram, so you can give the app permissions through OAuth. That is how the app will be able to post content without you actually having to give your credentials directly to the app.
How does OAuth work?
OAuth deals with two different tokens:
- A Request Token: This is used to grant access to someone to use your account.
- An Access Token: Once the request token has processed, it becomes an access token. This then allows someone to actually perform actions within the account.
Steps in the OAuth Process
- The user installs the 3rd party app.
- The app requests access to the user’s Instagram account.
- The user grants access.
- The app then asks for a request token from Instagram.
- Instagram says OK, and sends the request token to the 3rd party app.
- The 3rd party app then sends the request token to the user (AKA, you) for authorization.
- The user then tells Instagram to authorize the request token by logging into Instagram to give permissions.
- The request token is authorized by Instagram and sent back to the user, which the user sends back to the 3rd party app.
- The 3rd party app then sends the authorized request token back to Instagram to exchange it for an authorization token.
- Once Instagram sends the authorization token back to the 3rd party app, the app then keeps that token and reuses it every time it wants to post to Instagram on behalf of the user.
Wait, you said it wasn’t complicated…
Trust us, we know there are a lot of steps involved. But essentially those steps all involve passing requests back and forth to three parties multiple times until permission gets granted. Your only job is to let the requests come to you and approve them, and the other two apps will do the rest.
Is OAuth safe?
According to CSO Online, “Because of the lack of inherent security binding, it’s possible for a rogue website to phish a user’s legitimate credentials during the part of the process where the user is being required to authenticate themselves to the authorization provider.” For example, it is possible for a rogue website to swipe the user’s authentication credentials and act as if the OAuth transaction had successfully taken place. In the second quarter of 2017, around 1 million Google accounts fell victim to phishing scams. To avoid this, stay away from shady apps and sites, which you should be doing anyway.
The good news is that even though there is no 100% safe, universally accepted SSO that works on all websites, OAuth is continuously improving and is one of the best options out there.