What is OAuth? (4:32) with Andrew Chalkley
OAuth is a protocol that allows users of social networks to grant 3rd party websites access to profile information without revealing their username and passwords.
Several years ago, the only way to share data between sites was to get users to enter their username and password into a third party's website. This third party would then log in on behalf of the user to access an API. This may sound reasonable at first, but after a number of high-profile hacks, something needed to change. Hackers who compromised a third-party site now had the usernames and passwords for other sites, too. This was until OAuth was released.

OAuth is a protocol for authorization. Now, there's an important distinction between authorization and authentication. Authentication is responsible for identifying who you are, and authorization is responsible for specifying what you can do.

So how does OAuth work? Let's say we're building an application and we want developers to log in using their GitHub profile. Before GitHub allows us to do this, we need to register our application with them. They'll give us a couple of tokens, or unique identifiers, that will give our application access to their API. They normally come in the form of an ID or key and a secret. You can think of it as a username and password specifically for our application. This allows providers like GitHub to remove applications that are abusing their access to user information. A typical case of abuse is using data for unauthorized purposes such as spam.

We can use the ID and secret in our application. When the user wants to log into our app, they are redirected to GitHub's page. The user authenticates on GitHub with a username and password, and then they authorize our app to have access to their profile information. If the user is already authenticated with the service, the user won't see the login page, but they'll see the authorization page.

The requested profile information is sent back to our app for us to use in whatever way we want, in this case to authenticate them with our application. Along with profile information, you get two specific tokens for the user: an access token, which allows you to access all the parts of the API, and in some circumstances a refresh token. The refresh token is used to renew access tokens without forcing the user to reauthenticate with the provider.

OAuth can be used to authorize an application to work with the provider's API, but in most cases it's used to authenticate a user. There are three main ways to authenticate someone. First, what they know, like a password for logging in or a secret phrase to reset a password. Second, what they are, using biometric scanners to recognize fingerprints, faces, or irises. Apple uses Touch ID to read fingerprints to authenticate people, and Microsoft uses face detection in Windows Hello to allow people to log in without a password. Finally, there is what someone has. For example, the popular chat platform Slack allows you to sign in via a magic link sent to an email address. Other apps may send a text message with a unique code to prove that you have access to that telephone number. Then there's two-factor authentication, where you have an app installed on your phone that generates secret codes to prove that you have the device and you are who you say you are.

With OAuth, we're authenticating people with something that they have: a valid profile with a trusted provider, in this case, GitHub. OAuth can be used to do more things than just request profile information. OAuth can request permission for creating, reading, updating and deleting all sorts of information on a provider's website. For example, with GitHub you could give a third-party application access to your private repositories. Generally with Passport, you're just requesting profile information and not opening your account to other users. In the project we're building, we are going to use Passport to authenticate users of GitHub and Facebook in an Express application.