This workshop will be retired on August 9, 2021.
OAuth is a protocol that allows users of social networks to grant third-party websites access to profile information without revealing their usernames and passwords.
Links
- OAuth Wikipedia Entry
Several years ago, the only way to share data between sites was to get users to enter their username and password into a third party's website. This third party would then log in on behalf of the user to access an API. This may sound reasonable at first, but after a number of high-profile hacks something needed to change. Hackers who compromised a third-party site now had the usernames and passwords for other sites, too. This was until OAuth was released.

OAuth is a protocol for authorization. Now, there's an important distinction between authorization and authentication. Authentication is responsible for identifying who you are, and authorization is responsible for specifying what you can do.

So how does OAuth work? Let's say we're building an application and we want developers to log in using their GitHub profile. Before GitHub allows us to do this, we need to register our application with them. They'll give us a couple of tokens, or unique identifiers, that will give our application access to their API. They normally come in the form of an ID or key and a secret. You can think of it as a username and password specifically for our application. This allows providers like GitHub to remove applications that are abusing their access to user information. A typical case of abuse is using data for unauthorized purposes such as spam.

We can use the ID and secret in our application. When the user wants to log into our app, they are redirected to GitHub's page. The user authenticates on GitHub with a username and password, and then they authorize our app to have access to their profile information. If the user is already authenticated with the service, the user won't see the login page, but they'll see the authorization page. The requested profile information is sent back to our app for us to use in whichever way we want, in this case to authenticate them with our application. Along with profile information, you get two specific tokens for the user: an access token, which allows you to access all the parts of the API, and in some circumstances a refresh token. The refresh token is used to renew access tokens without forcing the user to reauthenticate with the provider.

OAuth can be used to authorize an application to work with the provider's API, but in most cases it's used to authenticate a user. There are three main ways to authenticate someone. First, what they know, like a password for logging in or a secret phrase to reset a password. Second, what they are: using biometric scanners to recognize fingerprints, faces, or irises. Apple uses Touch ID to read fingerprints to authenticate people, and Microsoft uses face detection in Windows Hello to allow people to log in without a password. Finally, there is what someone has. For example, the popular chat platform Slack allows you to sign in via a magic link sent to an email address. Other apps may send a text message with a unique code to prove that you have access to that telephone number. Then there's two-factor authentication, where you have an app installed on your phone that generates secret codes to prove that you have the device and you are who you say you are.

With OAuth we're authenticating people with something that they have: a valid profile with a trusted provider, in this case GitHub. OAuth can be used to do more things than just request profile information. OAuth can request permission for creating, reading, updating and deleting all sorts of information on a provider's website. For example, with GitHub you could give a third-party application access to your private repositories. Generally with Passport, you're just requesting profile information and not opening your account for other users. In the project we're building, we are going to use Passport to authenticate users of GitHub and Facebook in an Express application.