Tuesday, May 19, 2015

Secure Webservices with OAuth


Security is one of the important aspects of designing web services: the data being exposed must be reachable only through authorized access. While we make sure that access is prohibited for unauthorized users, it is also important to reduce the redundant process of gathering identity information from valid users.

It is a bit irritating for users to fill in yet another signup form for your application with information they have already provided about 50 times to other applications like Facebook, Twitter or LinkedIn. It is more pleasant for users if applications can pick up their information from those systems and carry out the authentication process in the backend.

This way of securing applications is gaining popularity: users are asked to provide only partial information, and the rest of the information required for authentication is then pulled from the servers of Facebook, Twitter or LinkedIn.


What is OAuth?
In a scenario like the one above, one application needs to access a user's information held by another application (server). In earlier days this was done by asking the user for their credentials (user name + password) and using those to access the user's data on the other application. This approach has the following disadvantages:
  • With the user's credentials, all of the user's data becomes available to the client application, and the server cannot distinguish between the actual user and the client application.
  • The only way to revoke a client application's access is to change the user's password.
These two main problems are fixed by what is called OAuth.
In the OAuth model, the client application has its own client id, so the server can distinguish between the actual user and the client application. Also, the client application never gets the user's credentials; using only the user id and its own client id, it requests an authorization token that can carry permissions for specific resources only.
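The two properties just described (a client id that is distinct from the user, and scoped tokens that can be revoked per client without touching the user's password) can be illustrated with a small simulation. The code below is an added example written for this post, not code from the original article and not the Jersey implementation promised for later posts; it models an authorization server and a resource server in plain Python, and every name in it (the user "alice", the client id "photo-printer", the scope strings) is constructed. It is a simplified model of the idea, not an implementation of the OAuth specification.

```python
# Added example (constructed; not real OAuth library code): an authorization
# server issuing opaque tokens bound to (user, client_id, scopes), plus a
# resource server that enforces them. All names and sample data are made up.
import hashlib
import hmac
import secrets
from dataclasses import dataclass

PBKDF2_ITERATIONS = 100_000  # password hash work factor


@dataclass
class Token:
    user: str
    client_id: str
    scopes: frozenset
    revoked: bool = False


class AuthorizationServer:
    def __init__(self):
        self._users = {}       # username -> (salt, pbkdf2 digest)
        self._clients = set()  # registered client ids
        self._tokens = {}      # opaque token string -> Token

    def register_user(self, username, password):
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
        self._users[username] = (salt, digest)

    def register_client(self, client_id):
        self._clients.add(client_id)

    def check_password(self, username, password):
        record = self._users.get(username)
        if record is None:
            return False
        salt, digest = record
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
        return hmac.compare_digest(candidate, digest)

    def authorize(self, username, password, client_id, scopes):
        # The user authenticates here, never to the client; only the opaque
        # token goes back to the client, and it carries just the granted scopes.
        if client_id not in self._clients:
            raise PermissionError("unknown client id")
        if not self.check_password(username, password):
            raise PermissionError("invalid user credentials")
        token = secrets.token_urlsafe(32)
        self._tokens[token] = Token(username, client_id, frozenset(scopes))
        return token

    def introspect(self, token):
        # Token record for a live token, or None if unknown or revoked.
        record = self._tokens.get(token)
        return None if record is None or record.revoked else record

    def revoke_client(self, username, client_id):
        # Revoke every token this user granted to one client; the password is untouched.
        hits = [t for t in self._tokens.values()
                if t.user == username and t.client_id == client_id and not t.revoked]
        for t in hits:
            t.revoked = True
        return len(hits)


class ResourceServer:
    def __init__(self, auth):
        self._auth = auth
        self._data = {}  # (user, resource) -> value

    def put(self, user, resource, value):
        self._data[(user, resource)] = value

    def read(self, token, resource):
        # Returns (http_status, payload); the scope check is per resource, so a
        # client granted read:photos cannot read contacts with the same token.
        record = self._auth.introspect(token)
        if record is None:
            return 401, None
        if f"read:{resource}" not in record.scopes:
            return 403, None
        return 200, self._data.get((record.user, resource))


def demo():
    # Grant, scoped access, then revocation of a single client.
    auth = AuthorizationServer()
    auth.register_user("alice", "correct horse battery staple")  # constructed user
    auth.register_client("photo-printer")                        # constructed client
    rs = ResourceServer(auth)
    rs.put("alice", "photos", ["beach.jpg", "cat.jpg"])
    rs.put("alice", "contacts", ["bob@example.com"])
    token = auth.authorize("alice", "correct horse battery staple",
                           "photo-printer", ["read:photos"])
    result = {"photos": rs.read(token, "photos"),        # (200, [...])
              "contacts": rs.read(token, "contacts")}    # (403, None)
    result["revoked"] = auth.revoke_client("alice", "photo-printer")  # 1
    result["after_revoke"] = rs.read(token, "photos")                # (401, None)
    result["password_still_valid"] = auth.check_password(
        "alice", "correct horse battery staple")                     # True
    return result
```

Running `demo()` shows the two points from the text: the token issued to "photo-printer" works for photos but not for contacts, because the server knows which client is calling and what that client was granted, and revoking that one client leaves Alice's password valid for everything else. The client never handles the password at all; it only holds the opaque token, which the resource server checks against the authorization server's records.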

The diagram below shows how the OAuth process works:

[OAuth process diagram]

In further posts, we will see how to implement OAuth security in web services using Jersey API.