As I am from a non-computer background, it was really very hard to understand the concept of OAuth. All the material online / on YouTube that I referred to appeared to be Greek and Latin to me.
Finally, I asked one of my seniors, who explained it to me with a very simple concept. I am going to share the same conversation here, translated into English.
Junior: Bro, you do know about this OAuth? I read about it online, bro, but did not understand it completely.
Senior: It's easy, bro.
Junior: I need to understand it from scratch and the basics. Can you help?
Senior: Sure, bro.
There are some important terms (client, resource, token, resource owner). Once the client gets the token, the client can access the resource of the resource owner.
See, this is the definition of OAuth:
OAuth is an open standard for access delegation, commonly used as a way for Internet users to grant websites or applications access to their information on other websites but without giving them the passwords.
Junior: No no no no no!! Did not understand a word, bro!!
Senior: Cool, let's consider a scenario here. Have you booked a hotel online? How did you book and access your room in the hotel?
Junior: I booked the room using an Android app and went to the receptionist to show my ID and got the room key.
Senior: Now think of your scenario:
We have a room = Resource
We have a hotel which is owned by the hotel owner = Resource owner
We have a key which is used to access the hotel room = Token
You are the one who is using the key = Client
So in order to use the room, you need a key. In order to get the key, you need to show your ID. Once you have got the key, you can go out and come in any time without showing the ID again. Right? Let me put this in computer terms.
| Scenario terms | Computer terms |
| --- | --- |
| If you need to use the room of the hotel, you need a key. Once you get the key, you can access the room any number of times. | If the client needs to use the resource of the resource owner, the client needs a token. Once the client gets the token, the client can access the resource any number of times. |
Junior: Interesting, bro!! Continue.
Senior: Now the same thing is happening between services / two different applications.
Junior: What! Between services?
Senior: Have you seen, when you try to log in to some applications or websites, they have the option to either sign up or log in using your Google or Facebook account? You see options like "Sign in with Google" or "Sign in with Facebook".
Junior: Yes, I have seen this a lot of times.
Senior: They all work using the concept of OAuth. Let's understand it with an example.
We have an online photo editing application (for example, Lunapic) and we have a file storage application (for example, Google Photos).
Now there are several ways you can upload a file to Lunapic.
https://www12.lunapic.com/editor/?action=moreupload
Method 1. Download the file from Google Drive, store it in the file system (computer), and upload it from your file system (computer) to Lunapic.
Method 2. You can give your username and password to the Lunapic team to take the photos and edit them.
Junior: The first method looks more secure, because what if the Lunapic team takes all my photos?
Senior: Exactly, bro. But the first method is overkill. Now, what if Lunapic asks you for permission to access the photos and you only give it access to fetch one photo?
Junior: How does that happen, bro?
Senior: This happens using OAuth, which involves the 4 steps below:
Step 1: The Lunapic application will identify the account and will ask Google Photos for access to your photos.
Note the URL :
Step 2: The Google Photos service will ask you whether to allow the Lunapic application to access your photos.
(It will show you the permissions this application will have once you allow it.)
(Assuming you say Yes.)
Note the URL :
Step 3: The Google Photos service now hands over a key to Lunapic called an authorization token (remember using the key to your hotel room).
Note the URL: (it changes in a fraction of a second) and the bold highlighted text in the URL is the token here.
Step 4: Now Lunapic can get access to your photos using the access key or token.
Junior: So whenever I see "Login with Facebook" and "Login with Google", it's all the OAuth concept.
Senior: Yes, bro! Now tell me the terminology involved in this scenario.
Junior:
| Scenario term | Computer term |
| --- | --- |
| Resource | Photos in Google Photos |
| Resource owner | Google Photos |
| Client | Lunapic |
| Key | Authorization token |
Senior: Correct!! Last but not least: why is the token called an authorization token?
OAuth doesn't act as authentication data between the client and service providers; instead, it acts as an authorization.
Now read the definition:
OAuth is an open standard for access delegation, commonly used as a way for Internet users to grant websites or applications access to their information on other websites but without giving them the passwords.
Junior: Thanks, bro!! Now I know the basics. Let me check some use cases with Pega.
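The four-step flow above, as an added example that is not part of the original post: a self-contained Python simulation in which a hypothetical `PhotoService` plays the storage service and `run_flow` plays the client. The user, photo names and password are constructed sample data; the point is that the client never handles the password and the token only opens the photos the user consented to.

```python
import secrets

# Constructed sample data: the user's photos, held only by the storage service.
PHOTOS = {"alice": {"beach.jpg": b"beach-bytes", "family.jpg": b"family-bytes"}}
PASSWORDS = {"alice": "correct horse battery staple"}  # known to the service only

class PhotoService:
    """Storage service ('Google photos' role): checks the password, records consent."""

    def __init__(self):
        self._codes = {}    # one-time authorization code -> (user, scope)
        self._tokens = {}   # access token -> (user, scope)

    def authorize(self, username, password, requested_scope, user_approves):
        """Step 2: the user logs in here and approves or refuses the client's scope."""
        if PASSWORDS.get(username) != password or not user_approves:
            return None
        code = secrets.token_urlsafe(16)
        self._codes[code] = (username, frozenset(requested_scope))
        return code

    def exchange_code(self, code):
        """Step 3: the client swaps the one-time code for an access token."""
        user, scope = self._codes.pop(code)   # a reused code raises KeyError
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (user, scope)
        return token

    def get_photo(self, token, filename):
        """Step 4: the client presents the token; the service enforces its scope."""
        user, scope = self._tokens.get(token, (None, frozenset()))
        if user is None or filename not in scope:
            raise PermissionError(f"token may not read {filename}")
        return PHOTOS[user][filename]

def run_flow(requested_scope, user_approves=True):
    """Client ('Lunapic' role) through steps 1-4; reports what its token could fetch."""
    service = PhotoService()
    # Step 1: the client asks for a scope. The user types the password in their own
    # browser at the service; only the resulting code is handed back to the client.
    code = service.authorize("alice", PASSWORDS["alice"], requested_scope, user_approves)
    if code is None:
        return {"token_issued": False, "fetched": [], "denied": []}
    token = service.exchange_code(code)
    fetched, denied = [], []
    for name in sorted(PHOTOS["alice"]):
        try:
            service.get_photo(token, name)
            fetched.append(name)
        except PermissionError:
            denied.append(name)
    return {"token_issued": True, "fetched": fetched, "denied": denied}
```

Running `run_flow({"beach.jpg"})` shows the token fetching only that photo and being refused for the other, while refusing consent yields no token at all.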
1 comment:
Good example and useful. Thanks, mate!!