Introduction to OAuth

Published 28 June 2022 at https://blog.amt.in/index.php/2022/06/28/introduction-to-oauth/

OAuth is an open standard for access delegation, commonly used as a way for Internet users to grant websites or applications access to their information on other websites without giving them the passwords. This mechanism is used by companies such as Amazon, Google, Facebook, Microsoft and Twitter to permit users to share information about their accounts with third-party applications or websites.

Generally, OAuth provides clients with "secure delegated access" to server resources on behalf of a resource owner. It specifies a process for resource owners to authorize third-party access to their server resources without sharing their credentials. Designed specifically to work with Hypertext Transfer Protocol (HTTP), OAuth essentially allows access tokens to be issued to third-party clients by an authorization server, with the approval of the resource owner. The third party then uses the access token to access the protected resources hosted by the resource server.

OAuth is a service that is complementary to and distinct from OpenID. OAuth is unrelated to OATH, which is a reference architecture for authentication, not a standard for authorization. However, OAuth is directly related to OpenID Connect (OIDC), since OIDC is an authentication layer built on top of OAuth 2.0. OAuth is also unrelated to XACML, which is an authorization policy standard. OAuth can be used in conjunction with XACML, where OAuth is used for ownership consent and access delegation whereas XACML is used to define the authorization policies (e.g. managers can view documents in their region).

OAuth 2.0 is not backwards compatible with OAuth 1.0. OAuth 2.0 provides specific authorization flows for web applications, desktop applications, mobile phones, and smart devices. The specification and associated RFCs are developed by the IETF OAuth WG; the main framework was published in October 2012.

Facebook's Graph API only supports OAuth 2.0. Google supports OAuth 2.0 as the recommended authorization mechanism for all of its APIs. Microsoft also supports OAuth 2.0 for various APIs and its Azure Active Directory service, which is used to secure many Microsoft and third-party APIs.

The OAuth 2.0 Framework and Bearer Token Usage were published in October 2012.

OAuth 1.0:

On 23 April 2009, a session fixation security flaw in the 1.0 protocol was announced. It affects the OAuth authorization flow (also known as "3-legged OAuth") in OAuth Core 1.0 Section 6. Version 1.0a of the OAuth Core protocol was issued to address this issue.

OAuth 2.0:

In January 2013, the Internet Engineering Task Force published a threat model for OAuth 2.0. Among the threats outlined is one called "Open Redirector"; in the spring of 2014, a variant of this was described under the name "Covert Redirect" by Wang Jing.

OAuth 2.0 has been analyzed using formal web protocol analysis. This analysis revealed that in setups with multiple authorization servers, one of which is behaving maliciously, clients can become confused about which authorization server to use and may forward secrets to the malicious authorization server (the AS Mix-Up Attack). This prompted the creation of a new best current practice Internet draft that sets out to define a new security standard for OAuth 2.0. Assuming a fix against the AS Mix-Up Attack is in place, the security of OAuth 2.0 has been proven under strong attacker models using formal analysis.

One implementation of OAuth 2.0 with numerous security flaws has been exposed.

In April–May 2017, about one million users of Gmail (less than 0.1% of users as of May 2017) were targeted by an OAuth-based phishing attack, receiving an email purporting to be from a colleague, employer or friend wanting to share a document on Google Docs. Those who clicked on the link within the email were directed to sign in and allow a potentially malicious third-party program called "Google Apps" to access their "email account, contacts and online documents". Within "approximately one hour", the phishing attack was stopped by Google, who advised those who had given "Google Apps" access to their email to revoke that access and change their passwords.

OAuth can be used as an authorizing mechanism to consume secured RSS/ATOM feeds. Consumption of RSS/ATOM feeds that require authentication has always been an issue. For example, an RSS feed from a secured Google Site could not have been consumed using Google Reader. Instead, three-legged OAuth would have been used to authorize that RSS client to access the feed from the Google Site. It can also be used as a means to log in without creating an account on any site, while keeping all the benefits offered by the host of the OAuth system.

The above is a brief overview of OAuth. Watch this space for more updates on the latest trends in technology.