OAuth Programming: Don’t Handle Passwords, Use This Instead

OAuth is a system that allows users to have two different applications communicate with each other on the user’s behalf without having to tell the applications the user’s password. You have doubtless used this system many times, but you may not know it. For example, some commenting systems let you log in with your Facebook or Google+ account. This is done with OAuth.

How Does OAuth Work?

Imagine that you have a WordPress blog and you want it to automatically tweet out an announcement each time you publish an article. So you use the plugin WP to Twitter. Rather than telling the plugin your Twitter password, you use OAuth.

You start by telling WP to Twitter that you want it to post tweets using your account. So WP to Twitter goes to Twitter and asks for permission. Twitter gives WP to Twitter a token, which it then gives to you along with the instructions to go to Twitter and authorize the request. Once you do that, WP to Twitter can post tweets for you.

A Brief History of OAuth

In 2006, Twitter was in the process of implementing OpenID — a widely used system that allowed users to have a single ID that they could use to log into many different accounts on the internet. But it did not have open standards that would allow an access delegation API to be built. So they started working on OAuth, which would allow developers to create applications that would request and grant access to specific aspects of websites.

The initial specification, OAuth 1.0, was released in 2007, but it was not official until 2010. Although it was a very useful system and was widely used, it was not well designed for certain uses including its use with mobile devices. So in 2012, OAuth 2.0 was released. The two versions are not compatible. But OAuth 2.0 is more secure and is designed with “authorization flows” for different kinds of devices including phones and even appliances.

Controversy

Eran Hammer was one of the main people involved in the development of OAuth 1.0. He was also involved in OAuth 2.0, but shortly before its official release, he broke with the project. And he was so unhappy with both versions of OAuth (which you can see in a talk he gave that is not safe for work) that he created his own replacement, Oz.

Overview of OAuth

Before trying to add OAuth in your own applications, it is a good idea to get a general overview of the system.

• Hueniverse OAuth Introduction: Eran Hammer’s clear introduction to OAuth 1.0.
• OAuth for Dummies: A bird’s eye view of OAuth 1.0 by Mark Trapp.
• Introducing OAuth 2.0: an excellent overview of the differences between the various versions of OAuth.
• OAuth2 in 8 Steps Tutorial Preview: a brief video overview of OAuth using PHP for examples.

Getting Started With OAuth

OAuth isn’t a development platform. It is a tool that you will use as part of some other application. For example, you wouldn’t want to write a program that can only accesses a user’s Facebook account. You would want to do that for some reason. So if you are reading this page, you must have some application that needs the capabilities of OAuth to run like the blog tweeting plugin we discussed above.

General Introduction

Here are some general introductions:

• OAuth 2 Simplified: Aaron Parecki’s overview of the development process in a general sense.
• OAuth Coding Examples: various examples in many different languages.
• Read the Docs Sample Code: general code samples as well as some for specific services. Includes examples for:
  • Bitbucket
  • GitHub
  • Google
  • Facebook
  • LinkedIn
  • Tumblr

Specific Services

Generally, using OAuth depends upon the service that you want connect to. Most services have their own quirks and extensions. So below we have included tutorials for a number of popular services:

• Using OAuth With Twitter: a thorough introduction to OAuth with examples in a number of different languages.
• Yahoo! OAuth Coding Examples: OAuth examples using the BOSS API.
• Google OAuth Consumer: PHP code for two- and three-leg OAuth.
• OAuth2 Authentication: log in with Facebook account.
• Facebook Dialog OAuth Tutorial: a thorough example using PHP and Python.

Advanced OAuth Coding

After you get the basics of OAuth down, there are a number of ways you can continue to learn.

Books

If you really want to get serious about OAuth, you should probably get a book about it. There are a number of them that provide a thorough introduction to it.

• Getting Started with OAuth 2.0 by Ryan Boyd: a very short introduction that covers most of the aspects of OAuth, including a section on mobile devices.
• OAuth 2.0: Getting Started in API Security by Matthias Biehl: another short book, which emphasizes security and contrasts OAuth with OpenID.
• Mastering OAuth 2.0 by Charles Bihis: a thorough introduction with examples using the biggest services.
• Advanced API Security: Securing APIs with OAuth 2.0, OpenID Connect, JWS, and JWE by Prabath Siriwardena: a general book on security that looks at the various versions of the various protocols.

Online Forums

There isn’t much available in terms of general online forums regarding OAuth. In general, forums focus on specific services.

• Stack Overflow OAuth Tagged Articles: the ultimate site for programming questions, filled with tons of knowledgeable people.
• Getty Image API Forums: information about the Getty Images API, but with a lot of useful information.
• Yahoo! OAuth Authorization Model: access to Yahoo! Development Network through search tool.

OAuth Tools

A number of services provide tools to facilitate OAuth.

• OAuth 1.0 Protocol: the original protocol.
• OAuth 2.0: final version of the specification as well as list of available libraries.
• Using OAuth 2.0 to Access Google APIs: Google’s excellent resource including the OAuth 2.0 Playground.

Libraries

See oauth.net for a more complete list of libraries. Here are extra ones including some for OAuth 1.0:

• PHP.net OAuth: object-oriented OAuth 1.0 library.
• OAuth for Ruby: a RubyGem for implementing both OAuth clients and servers.
• OAuth2 C# libraries: there are many C# libraries available.
• Oauth 1.0.1: Python library for OAuth 1.0.

Going Forward

Since OAuth is not an end in itself but a tool to allow you to add greater power to your programs, you are likely to learn it by doing. We’ve presented a lot of resources here to get you started and allow you to dig into the system. How you use it is up to you.