Security is one of the key concerns in the online world today. The tech world
knows about the recent security compromise in which various LinkedIn passwords
were hacked. A large website like google.com or Salesforce.com usually has
various other websites linked to it, belonging to the same or a different
organization, such as gmail.com and blogger.com, or Force.com and radian6.com.
To log in, we enter our credentials on the main website and are then redirected
to the website we actually want to use. In today's world this is enabled by
security tokens that are shared between websites.
The above scenario is made possible by an open protocol called OAuth. OAuth
allows one website to access another website without exposing a user's
credentials: users hand out tokens that let other websites access limited
resources for a limited time. This is done with tokens and consumer secret keys
that are exchanged between the websites and the users. It is useful because even
if a website's security is compromised, whoever compromises it gets only the
tokens and consumer keys, which can be revoked. The credentials themselves stay
safe.
OAuth has two types of tokens: the request token and the access token. We have
a user and an application or service (the consumer) that wants limited access to
a website where the user has login credentials. The consumer first asks the
website (say Salesforce) for a request token; this token request involves a
consumer key and a consumer secret key. With the request token, the consumer
redirects the user to the website, where the user enters his credentials. The
user logs in, and the consumer then gets access to the website without the user
ever having to provide his credentials to the consumer. The consumer receives
access only after the user formally approves giving it access; once the user
approves, the website marks the request token as approved by the user. The
consumer then exchanges the authorized request token for an access token. It
may make multiple requests with the access token before it finally gets what it
wants. This continuous exchange of tokens is sometimes termed the OAuth dance.
All the tokens are time-stamped, so the consumer's access is limited, and the
consumer never sees the actual user credentials. This improves privacy as well
as security.
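The request token, user approval and access token exchange described above, as an added example that is not from the original post: an in-memory Python model of an OAuth 1.0a provider and consumer, with HMAC-SHA1 signed requests. The consumer registration ("app-key"/"app-secret"), the endpoint names, the contact list and the 300-second timestamp window are constructed values, and percent-encoding of the signature base string is left out.

```python
import base64, hmac, hashlib, secrets, time

def sign(endpoint, params, consumer_secret, token_secret=""):
    # HMAC-SHA1 over a simplified RFC 5849 base string; the secrets are keys only and never travel
    norm = "&".join(f"{k}={v}" for k, v in sorted(params.items()))
    key, base = f"{consumer_secret}&{token_secret}", f"POST&{endpoint}&{norm}"
    return base64.b64encode(hmac.new(key.encode(), base.encode(), hashlib.sha1).digest()).decode()

def consumer_call(endpoint, token=None, token_secret="", **extra):
    # Consumer side: every request carries tokens and a signature, never the user's password
    p = {"oauth_consumer_key": "app-key", "oauth_nonce": secrets.token_hex(8),
         "oauth_timestamp": str(int(time.time())), **extra}
    if token: p["oauth_token"] = token
    p["oauth_signature"] = sign(endpoint, p, "app-secret", token_secret)
    return p

class Provider:  # the website holding the user's credentials (say Salesforce)
    CONSUMERS = {"app-key": "app-secret"}  # constructed consumer registration
    def __init__(self): self.tokens = {}  # token -> [secret, state, verifier]
    def check(self, endpoint, params, token_secret=""):
        p = dict(params); sig = p.pop("oauth_signature")
        if abs(time.time() - int(p["oauth_timestamp"])) > 300:  # requests are time-stamped
            raise PermissionError("stale request")
        good = sign(endpoint, p, self.CONSUMERS[p["oauth_consumer_key"]], token_secret)
        if not hmac.compare_digest(sig, good): raise PermissionError("bad signature")
        return p
    def issue(self, state):
        tok, sec = secrets.token_hex(8), secrets.token_hex(8)
        self.tokens[tok] = [sec, state, None]
        return tok, sec
    def request_token(self, params): self.check("request_token", params); return self.issue("request")
    def authorize(self, tok, user_approves):  # the user logs in here, at the provider itself
        t = self.tokens[tok]
        if t[1] == "request" and user_approves: t[1], t[2] = "approved", secrets.token_hex(4)
        return t[2]  # verifier handed back to the consumer via the redirect (None if refused)
    def access_token(self, params):
        t = self.tokens[params["oauth_token"]]
        p = self.check("access_token", params, t[0])
        if t[1] != "approved" or p.get("oauth_verifier") != t[2]:
            raise PermissionError("request token not approved by the user")
        del self.tokens[params["oauth_token"]]; return self.issue("access")  # exchanged once
    def contacts(self, params):  # protected resource, callable repeatedly with the access token
        t = self.tokens[params["oauth_token"]]
        if t[1] != "access": raise PermissionError("access token required")
        self.check("contacts", params, t[0]); return ["alice", "bob"]  # constructed data

def oauth_dance(site, user_approves=True):  # the consumer drives the whole dance
    rt, rs = site.request_token(consumer_call("request_token"))
    verifier = site.authorize(rt, user_approves)
    at, at_secret = site.access_token(consumer_call("access_token", rt, rs, oauth_verifier=verifier))
    return site.contacts(consumer_call("contacts", at, at_secret))
```

Refusing approval, replaying a stale request or altering any signed parameter all end in a PermissionError, so the consumer only ever gets data through a token the user approved.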
To learn more about OAuth: