OAuth: What Happens When You Log Into a Site with Google, Twitter, or Facebook

quote:

Logging into another site with your Google, Twitter, or Facebook account isn't just convenient; it's more secure than creating a new account, or entering your Google, Twitter, or Facebook password into a third-party site. That's where OAuth comes in. Here's how it works, and how it keeps your passwords safe on third-party sites.

The story with OAuth is that it acts as a doorkeeper, a guard standing between users and third-party sites (apps). Here's the basic process, as described by Lifehacker:

Let's say you want to use an app like Tweetgif to post funny, animated GIF files to your Twitter account. In order to do so, you need to give the Tweetgif app access to your account, so it can get your info and post tweets on your behalf. In the old days, you would have to give an app like Tweetgif your Twitter username and password, so it could log in and access those services. You not only had to trust them to use those credentials wisely, but also to keep them safe from hackers—that's a pretty big leap of faith. It's like giving your house keys to a stranger and trusting them not to make copies for all their friends and steal all of your stuff.

OAuth gets around this problem by only giving them access to the stuff you want them to access. Instead of asking you for your password, this happens:

1. In order to become a Twitter app, Tweetgif has acquired two tokens from the Twitter service: a "Consumer Key" and a "Consumer Secret". These are what create a connection between the consumer (in this case, Tweetgif) and the service provider (in this case, Twitter).

2. When you visit Tweetgif and ask it to access your Twitter account, it will redirect you back to Twitter. If you aren't logged in to Twitter, you log in now (remember, you're giving your username and password to Twitter itself, not to Tweetgif).

3. Twitter then asks you whether you want to authorize this app, and tells you what permissions it's giving to the app. Maybe it can view your timeline, or maybe it can view your timeline and post on your behalf. In some cases, you may only be giving it access to your username and avatar, for use on sites like Lifehacker—it's just an easier, more secure way of commenting without having to create an account. When you click the "Authorize" button, it creates an "Access Token" and an "Access Token Secret". These are like passwords, but they only allow Tweetgif to access your account and do the things you've allowed it to do.

Thus, instead of giving the keys to your entire house, you've given a special key that only opens the one room you want them to access. But, in order to use this key, they have to go get it from the guard, and he can take it away from them at any time.
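To make the three steps concrete, here is an added simulation of the flow (example code written for this page, not Lifehacker's or Twitter's code). A `Provider` stands in for Twitter and issues the Consumer Key/Secret and the scoped Access Token/Secret; the app signs each request with both secrets, the way OAuth 1.0a keys its HMAC signature. The user, password, scope names and token formats are all constructed for the example.

```python
import hashlib, hmac, secrets

def sign(consumer_secret, token_secret, action):
    # Request signature keyed with "consumer_secret&token_secret", as OAuth 1.0a does.
    key = f"{consumer_secret}&{token_secret}".encode()
    return hmac.new(key, action.encode(), hashlib.sha256).hexdigest()

class Provider:
    def __init__(self):
        self.users, self.consumers, self.tokens = {}, {}, {}
    def add_user(self, name, password):  # constructed; a real provider salts and stretches
        self.users[name] = hashlib.sha256(password.encode()).digest()
    def register_consumer(self):
        # Step 1: the app obtains its Consumer Key and Consumer Secret.
        key, secret = secrets.token_hex(8), secrets.token_hex(16)
        self.consumers[key] = secret
        return key, secret
    def authorize(self, consumer_key, name, password, scopes):
        # Steps 2-3: the user logs in at the provider itself, then approves a scoped token.
        digest = hashlib.sha256(password.encode()).digest()
        if consumer_key not in self.consumers or not hmac.compare_digest(self.users.get(name, b""), digest):
            raise PermissionError("login or app rejected")
        token, token_secret = secrets.token_hex(8), secrets.token_hex(16)
        self.tokens[token] = {"secret": token_secret, "user": name, "scopes": set(scopes)}
        return token, token_secret
    def revoke(self, token):
        self.tokens.pop(token, None)  # the "guard" takes the key back at any time
    def call(self, consumer_key, token, action, signature):
        rec = self.tokens.get(token)
        if rec is None or consumer_key not in self.consumers:
            return "denied: no valid token"
        if not hmac.compare_digest(sign(self.consumers[consumer_key], rec["secret"], action), signature):
            return "denied: bad signature"
        if action not in rec["scopes"]:
            return f"denied: scope {action!r} not granted"
        return f"ok: {action} for {rec['user']}"

def run_flow():
    """Walks the article's three steps; returns the outcome of each API call."""
    twitter = Provider()
    twitter.add_user("alice", "correct horse")  # constructed user; the app never sees this password
    ckey, csecret = twitter.register_consumer()  # Tweetgif's credentials
    token, tsecret = twitter.authorize(ckey, "alice", "correct horse", ["read_timeline"])
    req = lambda action: twitter.call(ckey, token, action, sign(csecret, tsecret, action))
    results = {"read": req("read_timeline"), "post": req("post_tweet")}
    twitter.revoke(token)  # the user (or Twitter) pulls the app's access
    results["read_after_revoke"] = req("read_timeline")
    return results
```

`run_flow()` shows the three properties the article describes: the app reads the timeline it was granted, is refused the posting it was not granted, and loses access entirely once the token is revoked.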

Here's a graphic that will help you picture the entire process.

To avoid problems, make sure you read the privacy policy of every app you link, and if you can, pay attention to the permissions each app is granted. If it does something you don't want it to do, just don't use the app. Or, alternatively, see if it has an option to turn that "feature" off in the app's settings.