Milan Latinović
Software Engineer and Enterprise Architect
Token based authentication and authorization with OAuth
Open Authorization is commonly known as OAuth. It is an open standard for token-based authentication and authorization on the internet.
OAuth gives third-party services a way to use user-related data without the user's password. OAuth also adds security for the user's account.
Let's make things simpler.
What if there would be no OAuth token based authentication?
Then the user would have to give his password to third-party services. Once the user wants to cut some third-party service off from his data, he would have to change his password.
Furthermore, that change means changing the password for every other application as well. Also, any of those applications could change the user's password at any time, which is not very safe.
Finally, if the user gives his password to some service, that service can see all of the user's data. A password carries no information about which data should be visible.
What is OAuth token?
OAuth acts as an intermediary on behalf of the end user. It communicates with third-party services using a token.
An API token is a unique identifier of an application requesting access to some service. This is what token-based authentication actually means.
Furthermore, we can understand API tokens as a replacement for sending a username/password pair over HTTP, which is not secure. However, a security problem still exists, because someone could steal and use the API token as well.
Example of OAuth Token usage
A while ago I made an API service which uses JWT tokens for authorization. You can find more details here. It is a simple presentation of how an API token can be used for authentication and authorization.
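As an added example (not the author's JWT service and not code from the OAuth specification), the following Python sketches the token flow the post describes end to end: an authorization server mints a signed, expiring, scope-limited JWT for a third-party client; a resource server checks the bearer token on every request; and the user can revoke one client's token without changing any password. The signing key, client id, scope names and the in-memory revocation set are constructed placeholders for this example; the JWT is hand-rolled HS256 using only the standard library so the check is visible.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time

# Constructed values for this example; a real authorization server keeps its
# signing key out of source code and rotates it.
SIGNING_KEY = b"example-signing-key-not-for-production"

# Identifiers (jti) of tokens the user has revoked. In-memory here; a real
# resource server would use shared storage or keep tokens short-lived.
REVOKED_TOKEN_IDS = set()


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWTs use it."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(signing_input: str) -> bytes:
    return hmac.new(SIGNING_KEY, signing_input.encode("ascii"), hashlib.sha256).digest()


def issue_token(client_id: str, scopes: list, lifetime_seconds: int, now=None) -> str:
    """Authorization server: mint an HS256 JWT for a third-party client.

    The token names the client, the scopes the user granted and an expiry,
    which is exactly what a shared password cannot express.
    """
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        "client_id": client_id,
        "scope": " ".join(scopes),
        "iat": now,
        "exp": now + lifetime_seconds,
        "jti": secrets.token_hex(8),  # unique id, so this token can be revoked alone
    }
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(payload, separators=(",", ":")).encode())
    )
    return signing_input + "." + _b64url(_sign(signing_input))


def revoke_token(token: str) -> None:
    """User removes one third-party service: only its token dies, the password stays."""
    payload = json.loads(_b64url_decode(token.split(".")[1]))
    REVOKED_TOKEN_IDS.add(payload["jti"])


def verify_token(token: str, required_scope: str, now=None):
    """Resource server: return (True, client_id) or (False, reason)."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        signature = _b64url_decode(sig_b64)
    except (ValueError, binascii.Error):
        return False, "malformed"
    # Check the signature before trusting anything inside the token; a stolen
    # token still works until it expires or is revoked, but it cannot be edited.
    if not hmac.compare_digest(_sign(f"{header_b64}.{payload_b64}"), signature):
        return False, "bad signature"
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    payload = json.loads(_b64url_decode(payload_b64))
    if payload["exp"] <= now:
        return False, "expired"
    if payload["jti"] in REVOKED_TOKEN_IDS:
        return False, "revoked"
    if required_scope not in payload["scope"].split():
        return False, "insufficient scope"
    return True, payload["client_id"]


def handle_request(authorization_header, required_scope: str, now=None):
    """Resource server endpoint: map the bearer-token check to an HTTP status."""
    prefix = "Bearer "
    if not authorization_header or not authorization_header.startswith(prefix):
        return 401, "missing bearer token"
    ok, info = verify_token(authorization_header[len(prefix):], required_scope, now)
    if not ok:
        return (403 if info == "insufficient scope" else 401), info
    return 200, f"ok for {info}"


if __name__ == "__main__":
    t = issue_token("photo-printer", ["photos:read"], 3600)
    print(handle_request("Bearer " + t, "photos:read"))   # 200
    print(handle_request("Bearer " + t, "photos:write"))  # 403, scope not granted
    revoke_token(t)
    print(handle_request("Bearer " + t, "photos:read"))   # 401, revoked
```

The three checks in `verify_token` are the answers to the three problems in the post: the scope claim limits what the client may see, the expiry and revocation list bound the damage from a stolen token, and revoking one `jti` cuts off one service without touching the password or any other client.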
Further reading
If you are interested in this topic, you can find complete OAuth specification here.
Furthermore, there is a detailed tutorial about OAuth here.