What is OAuth and How Does it Work?

OAuth is an open-source, universal security method web apps use to connect to services like Google, Facebook, Linkedin and Twitter in order to access login and user information.

Let’s check out how OAuth works, using Google as an example:

Get an OAuth web app from Google

This app is obtained by the application developer (you) and contains several elements:

  • The app ID, which uniquely identifies your app.
  • The app secret, which only you and Google should ever see.
  • Various access rules that helps secure where Google will send your user’s data.

Here are links for web app registration for
Google, Facebook, Linkedin and Twitter

Install the app ID and app secret on your server

This varies based on your solution (here’s how you set it up in mean.js) , but the app secret should never be accessible to the public.

Authenticate the User

When a user requests to log into your site, you send them a url they will visit in order to request permissions from Google. This url includes three things:

  • The app ID.
  • Short codes for the permissions you’re asking for. These permissions can range from viewing the user’s Google email address to posting for them on Google Plus.
  • callback url to which  the user will be redirected after logging in. This url is usually located on your website.

The user visits the secure url, and Google registers their request as having come from your app. The user can now see the permissions you requested and is prompted to enter their credentials.

Google then creates a unique access token that has been encrypted with the app secret and which only your server can read. This token has an expiration time and will temporarily provide the owner of the token access to the permissions granted.

Next, Google sends the user to your callback url with the encrypted access token in a GET parameter. Your server receives the access token and decodes it using the app secret, verifying it was made for your app.

Use OAuth!

At this point, you have an access token you can use to request any data the user has given your app permissions for. All data is encrypted via your app secret, so only your app and Google can decode it.

I hope this has proven to be minorly informative! Please feel free to comment with anything I got wrong or need to add.