Web users today have their social data scattered across different social sites and they want to access and use this data from outside these sites. This leaves developers facing a serious security challenge: how to enable users to access their private data in social sites without having to share their credentials. OAuth is the perfect solution. This open authorization protocol allows standard and secure API authorization without exposing the user's credentials. OAuth also provides a mechanism to grant limited access (in scope, duration, and so on).
At a high level, the elements involved in the OAuth token-based authorization system are:
- User: Social network (Orkut, Facebook, Twitter, iGoogle, etc.) users like you and me
- OAuth Provider: Web site or social networking site where the user's private resources are stored
- OAuth Consumer: Web site, social networking site, mobile device, set-top box, etc. trying to access the protected resource on the other site
In his Web Developer's Virtual Library (WDVL) article, Jaswinder Singh takes you through the necessary steps for implementing OAuth on both the consumer and provider sides. He uses the example of an OAuth Consumer (Google OAuth gadget) that is trying to access the protected resources stored at an OAuth Provider.