What is OAuth Authentication? A Brief History.
OAuth 2.0 Authentication, as explained by oauth.net, is a “delegation protocol that is used for conveying authorization decisions across a network of web-enabled applications and APIs.” OAuth was created in 2006 by developers from Twitter and Ma.gnolia, a social bookmarking site. Ma.gnolia was looking for a way to use OpenID, along with the Twitter API, to delegate authentication. The teams researched ideas and eventually realized that there was no open standard for API access delegation. Google was researching the same problem at the time and heard about the project between Twitter and Ma.gnolia; as a result, members from Google joined the team. By the end of 2007, the OAuth Core 1.0 draft was released. The current framework, OAuth 2.0, was released in October of 2012.
OAuth 2.0 Authentication Roles
Within OAuth 2.0, the following four roles are defined:
- Resource owner. The resource owner can grant access to a protected resource or service. It can be a person, an application, or a security policy, but it is typically a real-life human being.
- Resource server. This is the server that hosts the protected resource or service. The server accepts and responds to requests for that resource.
- Client application. Referred to as the OAuth client, the client application is the application that asks for access to resources on the resource server.
- Authorization server. After authenticating the resource owner, and obtaining authorization, the authorization server then provides the access tokens to the client.
It’s important to note that OAuth is not an authentication protocol; rather, it is an authorization protocol. The way the components work together and interact may seem to suggest authentication; however, it is not intended to be used as such.
Why Use OAuth 2.0 Authentication?
Odds are that you have already seen the OAuth concept in action without even realizing it. Many of the applications you use every day utilize OAuth. For example, let’s say you’re shopping for an item and you find it on Etsy. You’d like to buy it, but the only problem is that you don’t have an Etsy account. On the Etsy homepage, you’ll see an option to log in using your Facebook or Google account. In this case, you are the resource owner, Etsy is the client application, and Facebook or Google is the API, or the authorization server. You’ll still have to provide Etsy with some additional information to purchase items, but by using OAuth Authentication you can log into Etsy without having to create an additional password. Today, logging in using Facebook or Google has become ubiquitous across the Internet, so what’s really the benefit of OAuth?
- Protecting your privacy. Using OAuth allows you to grant one site access to your private resources held on another site. OAuth is intended to give access to certain things without sharing your identity.
- Customer experience. In the example used above, using your Facebook data might allow Etsy to improve your experience on their app.
- Stronger authentication. Relying on an authentication system created by larger companies, like Facebook or Google, is easier, and less risky, than creating one in-house.
Additionally, and specifically for developers, there are OAuth libraries in a variety of popular languages, including PHP, Java, Ruby, Python, .NET, JavaScript, and many others. For the full list of languages supported, visit https://oauth.net/code/.
Monitoring OAuth 2.0 APIs with Dotcom-Monitor
Your API may require OAuth 2.0 authentication to allow other web services, such as client applications, to be granted access rights to specific resources on your service over HTTP/S. A service API call that utilizes OAuth 2.0 typically follows these steps, at a minimum:
- Obtain an API access token.
- Request data from the service using the access token issued to the application.
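The two steps above, carried out as a small availability check. This is an added example, not Dotcom-Monitor's or the OAuth project's code: it obtains a token with the client_credentials grant, calls the API with that token, and reports the HTTP status and how long each step took. The token URL, client credentials and API URL are placeholders; the `send` parameter is a pluggable transport so a constructed fake can stand in for the network.

```python
import json
import time
import urllib.error
import urllib.parse
import urllib.request

def token_request(token_url, client_id, client_secret):
    # Step 1: client_credentials grant, form-encoded, sent to the authorization server.
    form = urllib.parse.urlencode({"grant_type": "client_credentials",
                                   "client_id": client_id, "client_secret": client_secret})
    return {"url": token_url, "method": "POST", "body": form.encode(),
            "headers": {"Content-Type": "application/x-www-form-urlencoded"}}

def parse_token(status, body, now):
    # Accept only a successful JSON bearer-token response; anything else fails the check.
    if status != 200:
        raise RuntimeError("token endpoint returned HTTP %d" % status)
    data = json.loads(body)
    if data.get("token_type", "").lower() != "bearer" or not data.get("access_token"):
        raise RuntimeError("unexpected token response: %r" % data)
    return data["access_token"], now + int(data.get("expires_in", 0))

def api_request(api_url, access_token):
    # Step 2: the resource request carrying the token in the Authorization header.
    return {"url": api_url, "method": "GET", "body": None,
            "headers": {"Authorization": "Bearer " + access_token}}

def urllib_send(req):
    # Real transport: returns (status, body); HTTP errors are data for the monitor, not exceptions.
    r = urllib.request.Request(req["url"], data=req["body"], headers=req["headers"],
                               method=req["method"])
    try:
        with urllib.request.urlopen(r, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as e:
        return e.code, e.read()

def check_oauth_api(token_url, client_id, client_secret, api_url,
                    send=urllib_send, clock=time.monotonic):
    # Run both steps through `send` and report availability plus per-step timings (ms).
    t0 = clock()
    token, expires_at = parse_token(*send(token_request(token_url, client_id, client_secret)),
                                    now=clock())
    t1 = clock()
    status, _ = send(api_request(api_url, token))
    t2 = clock()
    return {"ok": status == 200, "api_status": status,
            "token_ms": round((t1 - t0) * 1000, 1), "api_ms": round((t2 - t1) * 1000, 1),
            "token_valid_for_s": max(0, int(expires_at - t1))}
```

A real run is `check_oauth_api("https://AUTH-SERVER-PLACEHOLDER/token", "CLIENT-ID", "CLIENT-SECRET", "https://API-PLACEHOLDER/v1/items")`; a token_valid_for_s near zero means the monitor should fetch a fresh token on every cycle rather than cache one.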
With the Dotcom-Monitor platform, you can configure a multi-task monitoring device using an HTTP/S task. To see examples of OAuth Authentication scripts within the Dotcom-Monitor platform, and to learn more about how to configure a monitoring device to monitor the availability and performance of OAuth-based web APIs, read our Knowledge Base article about monitoring OAuth 2.0 APIs.