What is OAuth?

Several years ago, the only way to share data between sites 0:00 was to get users to enter the username and password into a third party's website. 0:04 This third party would then login on behalf of the user to access an API. 0:10 This may sound reasonable at first, but 0:15 after a number of high profile hacks [SOUND] something needed to change. 0:18 Hackers who would compromise a third party site now have the usernames and 0:23 passwords for other sites, too. 0:28 This was until OAuth was released. 0:30 OAuth is a protocol for authorization. 0:33 Now there's an important distinction between authorization and authentication. 0:37 Authentication is responsible for identifying who you are and 0:42 authorization is responsible for specifying what you can do. 0:47 So how does OAuth work? 0:51 Let's say we're building an application and 0:54 we want developers to log in using their GitHub profile. 0:57 Before GitHub allows us to do this, 1:01 we need to register our application with them. 1:03 They'll give us a couple of tokens or 1:06 unique identifiers that will give our application access to their API. 1:08 They normally come in the form of an ID or key and secret. 1:14 You can think of it as a username and password specifically for our application. 1:18 This allows providers like GitHub to remove applications 1:23 that are abusing their access to user information. 1:27 A typical case of abuse is using data for unauthorized purposes such as spam. 1:30 We can use the ID in secret in our application. 1:36 When the user wants to log into our RAP, they are redirected to GitHub's page. 1:40 The user authenticates on GitHub with a username and password, 1:44 and then they authorize our RAP to have access to their profile information. 1:50 If the user is already authenticated with the service, 1:55 the user won't see the login page, but they'll see the authorization page. 1:59 The requested profile information is sent back to our app for us to use in whatever 2:05 which way we want, in this case to authenticate them with our application. 2:10 Along with profile information, you get two specific tokens for the user, 2:16 an access token which allows you to access all the parts of the API, and 2:21 in some circumstances a refresh token. 2:26 The refresh token is used to renew access tokens 2:29 without forcing the user to reauthenticate with the provider. 2:32 OAuth can be used to authorize an application to work with the provider's 2:37 API, but in most cases it's used to authenticate a user. 2:42 There are three main ways to authenticate someone. 2:47 First, what they know, like a password for logging in or 2:51 a secret phrase to reset a password. 2:55 Second, what they are. 2:58 Using biometric scanners to recognize fingerprints, faces, or 3:00 irises, Apple uses Touch ID to read fingerprints to authenticate people. 3:04 And Microsoft use face detection in Windows Hello 3:10 to allow people to login without a password. 3:14 Finally, there is what someone has. 3:17 For example, popular chat platform Slack 3:19 allows you to sign in via a magic link sent to an email address. 3:22 Other apps may send a text message with a unique code 3:27 to prove that you have access to that telephone number. 3:30 Then there's two-factor authentication where you have an app installed on your 3:33 phone that generates secret codes to prove that you have the device and 3:38 you are who you say you are. 3:44 With OAuth we're authenticating people with something that they have, 3:46 a valid profile with a trusted provider, in this case, GitHub. 3:50 OAuth can be used to do more things than just request profile information. 3:55 OAuth can request permission for creating, reading, updating and 3:59 deleting all sorts of information on a provider's website. 4:03 For example, with GitHub you could give a third-party application 4:08 access to your private repositories. 4:12 Generally with passport, you're just requesting profile information and 4:15 not opening your account for other users. 4:19 in the project we're building, we are going to use passports to authenticate 4:22 users of GitHub and Facebook in an Express application. 4:26