January 28, 2024
by Charles Miller
Someone recently asked me to explain "OAuth." Well, actually she asked me to explain why some of her favorite websites say "Log in with Google+" or "Log in with Facebook" or "Log in with Twitter." That is OAuth.
OAuth (Open standard for AUTHorization) is an open-standard framework for a security protocol that uses tokens to authorize logins online. English translation: OAuth is the system used by some websites that lets you log in with your Facebook or Google or some other existing password rather than making up a new password for that site. This means that you do not need to create or use a separate username and password for websites that offer OAuth.
The following is an oversimplification, but basically the way OAuth works is that it simplifies logins for the user. For example, if you visit digitalocean.com and click on the [Login] button you will be prompted to enter your email address and the password you created for digitalocean.com. But, if you do not have a password for digitalocean.com you have the option of clicking on the [Sign in with Google] button. If you do that you will immediately be whisked away from the digitalocean.com site to the google.com site where you enter your Google username and password. Having done that, Google immediately sends you back to the digitalocean.com site along with a "token." Think of the token as a note from google.com to digitalocean.com saying "We at Google know this person; they know the right password to get into google.com so we at Google think you can safely let them into digitalocean.com now." If you are already logged in to Gmail then the process is even easier. The process for obtaining the token is called an authorization flow.
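The flow just described, as an added example that is not part of this article: a small Python simulation of the two sides, in which the website you are logging into never sees the Google password, only a one-time code that it trades for the token. Every name, address and account below is made up for the example.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# The website you are logging into (stands in for digitalocean.com); values are constructed.
CLIENT_ID = "example-client-id"
REDIRECT_URI = "https://site.example/callback"
PROVIDER_AUTHZ = "https://provider.example/oauth/authorize"  # stands in for google.com

def start_login():
    """Step 1: build the redirect that sends the user to the provider.
    'state' is a random value the site later checks so that a callback
    can only complete the login that actually started it."""
    state = secrets.token_urlsafe(16)
    params = {"response_type": "code", "client_id": CLIENT_ID,
              "redirect_uri": REDIRECT_URI, "scope": "openid email", "state": state}
    return state, PROVIDER_AUTHZ + "?" + urlencode(params)

# The provider (stands in for Google): the only party that ever sees the password.
PROVIDER_USERS = {"alice@example.com": "correct horse battery staple"}  # constructed
_issued_codes = {}

def _query(url):
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}

def provider_authorize(url, email, password):
    """Step 2: user enters the password at the provider. On success the provider
    redirects back with a short-lived, one-time code, never the password itself."""
    q = _query(url)
    if not secrets.compare_digest(PROVIDER_USERS.get(email, ""), password):
        return None
    code = secrets.token_urlsafe(16)
    _issued_codes[code] = {"client_id": q["client_id"], "email": email}
    return q["redirect_uri"] + "?" + urlencode({"code": code, "state": q["state"]})

def provider_token(code, client_id):
    """Step 3 (server to server): the site trades the code for the token, the 'note'."""
    rec = _issued_codes.pop(code, None)  # single use: a replayed code fails
    if rec is None or rec["client_id"] != client_id:
        return None
    return {"access_token": secrets.token_urlsafe(24), "email": rec["email"]}

def finish_login(callback_url, expected_state):
    """Step 4: the site checks state, then exchanges the code.
    Returns the logged-in email, or None if anything does not match."""
    q = _query(callback_url)
    if not secrets.compare_digest(q.get("state", ""), expected_state):
        return None
    tok = provider_token(q.get("code"), CLIENT_ID)
    return tok["email"] if tok else None
```

Real providers add more (HTTPS, client secrets or PKCE, token expiry), but the shape is the same: the password is only ever checked at the provider.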
All this could be done without exposing any of your Google account credentials to the third-party website; however, companies such as Google usually provide OAuth in return for other sites handing over detailed tracking of everything you do on a website after using OAuth. I used the word "could" in the last sentence because… well, just remember you are often dealing with Google and/or Facebook here. Those companies derive much of their income from selling advertising and then selling your personal information. Giving them even more ways to more accurately track where you go and what you do online is not everyone's preference.
There are dozens of companies providing OAuth services, including Amazon, LinkedIn, PayPal, Yahoo and others. Near the top of the list is Apple, meaning you may use your Apple ID to log into those sites that offer the [Sign in with Apple] option. That will give Apple a fuller view of your online habits, but Apple claims it does not sell your information. Given that Apple has a history of being one of the strictest and most security-aware companies, it is easier to trust Apple than other OAuth providers that make their money from advertising and/or selling your information.
So should you use OAuth or not? There is no right or wrong answer here. If you are not put off by the pervasive tracking of your online activities, using OAuth can be a real convenience. Security-wise it is safer than a lot of other alternatives.
**************
Charles Miller is a freelance computer consultant with decades of IT experience and a Texan with a lifetime love for Mexico. The opinions expressed are his own. He may be contacted at 415-101-8528 or email FAQ8 (at) SMAguru.com.
**************