There’s a lot of confusion around what OAuth actually is. Some people think OAuth is a login flow (like when you sign into an application with Google Login), and some people think of OAuth as a “security thing”, and don’t really know much more than that. I’m going to show you what OAuth is, explain how it works, and hopefully leave you with a sense of how and where OAuth can benefit your application.

To begin at a high level, OAuth is not an API or a service: it’s an open standard for authorization and anyone can implement it. More specifically, OAuth is a standard that apps can use to provide client applications with “secure delegated access”. OAuth works over HTTPS and authorizes devices, APIs, servers, and applications with access tokens rather than credentials.

There are two versions of OAuth: OAuth 1.0a and OAuth 2.0. These specifications are completely different from one another, and cannot be used together: there is no backwards compatibility between them. Which one is more popular? Great question! Nowadays, OAuth 2.0 is the most widely used form of OAuth. So from now on, whenever I say “OAuth”, I’m talking about OAuth 2.0 – as it’s most likely what you’ll be using.

OAuth was created as a response to the direct authentication pattern. This pattern was made famous by HTTP Basic Authentication, where the user is prompted for a username and password. Basic Authentication is still used as a primitive form of API authentication for server-side applications: instead of sending a username and password to the server with each request, the user sends an API key ID and secret. Before OAuth, sites would prompt you to enter your username and password directly into a form and they would log in to your data. This is often called the password anti-pattern.
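To make the contrast concrete, here is an added example (not code from the article) that builds the Basic Authentication header a client repeats on every request, shows that it is only an encoding of the long-lived key ID and secret, and then models the properties a resource server checks on an OAuth access token instead: existence, expiry and scope. All key, token and timestamp values are constructed for the example.

```python
import base64
from typing import Optional, Tuple

# Constructed sample values; nothing here comes from a real service.
API_KEY_ID = "key_12345"
API_KEY_SECRET = "s3cr3t-example"
NOW = 1_700_000_000            # fixed "current time" so the example is deterministic
TOKEN_EXPIRES_AT = NOW + 3600  # access token valid for one hour


def basic_auth_header(key_id: str, secret: str) -> str:
    """Build the header a client sends with every request under HTTP Basic Authentication."""
    raw = f"{key_id}:{secret}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def credentials_from_basic_header(header: str) -> Tuple[str, str]:
    """Basic auth is encoding, not encryption: the full credential is recoverable
    from the header, which is why it must never travel outside HTTPS and why
    handing a password to a third party (the password anti-pattern) is so risky."""
    scheme, _, encoded = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic header")
    key_id, _, secret = base64.b64decode(encoded).decode().partition(":")
    return key_id, secret


# Stand-in for a resource server's view of tokens issued by an authorization
# server (constructed). It models what the article contrasts with credentials:
# a token is opaque, bound to a user, limited in scope and time-boxed.
TOKENS = {
    "tok_abc": {"user": "alice", "scope": {"read:calendar"}, "expires_at": TOKEN_EXPIRES_AT},
}


def authorize_bearer(header: str, required_scope: str, now: int = NOW) -> Optional[str]:
    """Return the user a valid Bearer token acts for, or None if the token is
    unknown, expired, or does not carry the scope this request needs."""
    scheme, _, token = header.partition(" ")
    if scheme != "Bearer":
        return None
    record = TOKENS.get(token)
    if record is None or record["expires_at"] <= now:
        return None
    if required_scope not in record["scope"]:
        return None
    return record["user"]
```

Unlike the Basic header, a captured token gives the holder only what was delegated (one scope, for one hour) and can be revoked without changing the user's password.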