Building web apps that require logins is difficult when you aren’t familiar with standard security procedures. You can help secure your applications, and avoid handling usernames and passwords yourself, by implementing OAuth logins in your web development projects. OAuth lets you create a “Log in with Facebook” button on your website, and it makes login authorization much simpler for new website coders.
OAuth is an authorization protocol that acts as an intermediary between a resource provider and a resource owner. The resource owner is you and your web app, and the resource provider is the service your users use to log in to your site. Have you ever seen a website that says “Log in using Facebook”? These web apps use OAuth for single sign-on (SSO) so that users can log in without the app storing any sensitive credentials locally. Leveraging OAuth, you can create a secure, easy environment for your users to log in to your web app.
How OAuth Works
OAuth works with your code and the resource provider’s API. Take the Facebook example. When the user logs in to Facebook, they pass a username and password to Facebook; Facebook checks the credentials against its stored values and either allows or denies access. The same process works with OAuth, except that an extra step is added.
When you use OAuth in your apps, you embed the “Log in using Facebook” button on your website. You don’t manage any of the login process. Instead, the user types the username and password into a window served by Facebook. Your application never sees the Facebook credentials at all. The resource provider (in this example, Facebook) accepts the user’s login credentials and then gives you a token. This token gives you access to the user’s information.
If you’re familiar with OAuth and this type of login process, you know that the provider tells the user what type of access you’re given. You must get the provider’s permission to access certain parts of a user’s information. The advantage of OAuth for users and web programmers is the tiered access. You might only need basic information for your application, so you tell the user that you’re only gaining access to basic information. The user must then explicitly give you access, so he can feel secure in knowing that you only have access to certain data. If the user decides to no longer give you access, the token can be revoked at any time. Your web app offers better security and users gain control of information permissions.
Once you have an API key from the resource provider and you have permission to access user information, you can harness that information for your own reporting, sales and marketing. You still need to be careful and secure the information you’re given, but at least you don’t need to manage usernames and passwords. When attackers break into system databases, they usually want usernames and passwords, because those credentials then give them access to other private resources. When you don’t store this data, a breach of your web app can’t hand out credentials and ruin your reputation.
There are a number of providers that offer OAuth access. Facebook is probably the most popular, but you can also use it with Twitter, Reddit, AOL, Google, Etsy, Amazon, Instagram, Evernote and Microsoft to name a few.
Issues with OAuth
OAuth is used in many applications, but it’s not right for all web apps. One issue is that you must use the resource provider’s API and can only use the resources it exposes to you. Users can also retract permissions at any time without giving you any notice.
You also need to register with each provider separately. For instance, if you want to incorporate Reddit, Facebook and Twitter data, you must work with all three APIs. Supporting multiple providers can be a nightmare for developers. Most providers also require an API key, so you must obtain permission one by one.
For users, OAuth authentication is a matter of trust. For instance, web app owners can use OAuth to gain access to a user’s Facebook Wall. They could then post random messages to a user’s Wall without giving fair warning that the web app would be posting numerous messages. The result is that Facebook users disable the app after receiving complaints from friends and family. When you get permission to work with user information, don’t abuse your permissions.
Even though OAuth takes care of user logins, you still need to secure other data. For instance, you might get basic information from a Facebook user and store it in your database. You still don’t want this information to be stolen. Attackers can use basic profile information to gain access to users’ social media accounts, email and even financial data. Protecting your users’ information should always be one of your most important concerns whenever you store private data.
Using OAuth has its advantages, but you still must implement good security and business logic in your web app. Check out OAuth and specific social media APIs to get more information on implementing communication between services.