Several years ago, the only way to share data between sites

was to get users to enter the username and password into a third party's website.

This third party would then login on behalf of the user to access an API.

This may sound reasonable at first, but

after a number of high profile hacks [SOUND] something needed to change.

Hackers who would compromise a third party site now have the usernames and

passwords for other sites, too.

This was until OAuth was released.

OAuth is a protocol for authorization.

Now there's an important distinction between authorization and authentication.

Authentication is responsible for identifying who you are and

authorization is responsible for specifying what you can do.

So how does OAuth work?

Let's say we're building an application and

we want developers to log in using their GitHub profile.

Before GitHub allows us to do this,

we need to register our application with them.

They'll give us a couple of tokens or

unique identifiers that will give our application access to their API.

They normally come in the form of an ID or key and secret.

You can think of it as a username and password specifically for our application.

This allows providers like GitHub to remove applications

that are abusing their access to user information.

A typical case of abuse is using data for unauthorized purposes such as spam.

We can use the ID in secret in our application.

When the user wants to log into our RAP, they are redirected to GitHub's page.

The user authenticates on GitHub with a username and password,

and then they authorize our RAP to have access to their profile information.

If the user is already authenticated with the service,

the user won't see the login page, but they'll see the authorization page.

The requested profile information is sent back to our app for us to use in whatever

which way we want, in this case to authenticate them with our application.

Along with profile information, you get two specific tokens for the user,

an access token which allows you to access all the parts of the API, and

in some circumstances a refresh token.

The refresh token is used to renew access tokens

without forcing the user to reauthenticate with the provider.

OAuth can be used to authorize an application to work with the provider's

API, but in most cases it's used to authenticate a user.

There are three main ways to authenticate someone.

First, what they know, like a password for logging in or

a secret phrase to reset a password.

Second, what they are.

Using biometric scanners to recognize fingerprints, faces, or

irises, Apple uses Touch ID to read fingerprints to authenticate people.

And Microsoft use face detection in Windows Hello

to allow people to login without a password.

Finally, there is what someone has.

For example, popular chat platform Slack

allows you to sign in via a magic link sent to an email address.

Other apps may send a text message with a unique code

to prove that you have access to that telephone number.

Then there's two-factor authentication where you have an app installed on your

phone that generates secret codes to prove that you have the device and

you are who you say you are.

With OAuth we're authenticating people with something that they have,

a valid profile with a trusted provider, in this case, GitHub.

OAuth can be used to do more things than just request profile information.

OAuth can request permission for creating, reading, updating and

deleting all sorts of information on a provider's website.

For example, with GitHub you could give a third-party application

access to your private repositories.

Generally with passport, you're just requesting profile information and

not opening your account for other users.

in the project we're building, we are going to use passports to authenticate

users of GitHub and Facebook in an Express application.