Ryan Heaton

Ryan Heaton's Blog

OAuth is Handy

Posted by stoicflame on May 16, 2008 at 09:50 AM | Comments (0)

OAuth for Spring Security was released this week, and I thought I'd take a stab at why you might be interested.

What is OAuth?

I like to explain OAuth by describing the problem it is trying to solve. So here goes.

Let's say you're a sizeable social networking site and you'd like to offer a feature to your users to allow them to search their webmail contacts for import into their social network. The problem is, you (the "consumer") need access to a resource that is protected by another site (a.k.a. the "service provider"). How do you go about doing that?

Option 1: Just ask the user for his/her credentials and promise that you won't store them or do anything bad with them. Well, it works, I suppose, but this isn't a great general-purpose practice for online applications. And it's not hard to see why. Sure, you might be trustworthy, but there are plenty of other sites that are not. And what about the service provider? How would you feel about your users giving out their credentials to other sites that want access to the resources you protect?

Option 2: Use OAuth. OAuth is a protocol that was defined to address this problem. Continuing the above example, let's say that you've established trust with the webmail service providers. You share a "secret" (which in practical terms is a passphrase or a public key or something) that you can use to gain access to the webmail contacts—provided, of course, that the user approves it. In order to gain this approval, all you have to do is redirect the user to the login page of the webmail service provider and have the user tell the service provider that it's okay for you to access his/her contacts.

OAuth is a protocol standard that can be used to enable this mechanism.
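As an added illustration (not code from this post or from OAuth for Spring Security), here is what the shared "secret" above actually does in OAuth 1.0: the consumer signs every request with HMAC-SHA1 over a normalized base string, keyed by its consumer secret plus the token secret the service provider issued when the user approved access, and the provider recomputes the signature rather than ever seeing the user's password. The request parameters are the ones from RFC 5849 section 3.4.1.1; the secrets and the tampering cases are constructed for this example.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote


def pct(s):
    # OAuth 1.0 percent-encoding: only A-Z a-z 0-9 - . _ ~ stay unencoded (RFC 3986)
    return quote(str(s), safe="")


def base_string(method, url, params):
    # params: (key, value) pairs gathered from the query string, the form body and the
    # Authorization header, excluding "realm" and "oauth_signature" itself.
    # Each pair is encoded, then sorted by key and value, then joined with "&".
    normalized = "&".join(f"{k}={v}" for k, v in sorted((pct(k), pct(v)) for k, v in params))
    return "&".join([method.upper(), pct(url), pct(normalized)])


def hmac_sha1_signature(base, consumer_secret, token_secret=""):
    # The HMAC key is "consumer_secret&token_secret"; the token secret is the part that
    # only exists after the user approved the consumer at the service provider.
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()


def verify(method, url, params, presented_signature, consumer_secret, token_secret):
    # Service-provider side: rebuild the base string from the request it actually received
    # and compare in constant time, so any tampered parameter invalidates the signature.
    expected = hmac_sha1_signature(base_string(method, url, params), consumer_secret, token_secret)
    return hmac.compare_digest(expected, presented_signature)


# Request parameters from RFC 5849 section 3.4.1.1 (values already decoded from the wire form).
RFC_URL = "http://example.com/request"
RFC_PARAMS = [
    ("b5", "=%3D"), ("a3", "a"), ("c@", ""), ("a2", "r b"),          # query string
    ("c2", ""), ("a3", "2 q"),                                        # form body
    ("oauth_consumer_key", "9djdj82h48djs9d2"), ("oauth_token", "kkk9d7dh3k39sjv7"),
    ("oauth_signature_method", "HMAC-SHA1"), ("oauth_timestamp", "137131201"),
    ("oauth_nonce", "7d8f3e4a"),                                      # Authorization header
]
CONSUMER_SECRET = "constructed-consumer-secret"   # constructed placeholder
TOKEN_SECRET = "constructed-token-secret"         # constructed placeholder


def demo():
    # Consumer signs; provider verifies the genuine request, then rejects a tampered one.
    sig = hmac_sha1_signature(base_string("POST", RFC_URL, RFC_PARAMS), CONSUMER_SECRET, TOKEN_SECRET)
    genuine = verify("POST", RFC_URL, RFC_PARAMS, sig, CONSUMER_SECRET, TOKEN_SECRET)
    tampered = verify("POST", RFC_URL, RFC_PARAMS + [("a9", "x")], sig, CONSUMER_SECRET, TOKEN_SECRET)
    return genuine, tampered
```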

How do I try it out?

OAuth for Spring Security has a really nice tutorial that walks you through setting up both a service provider and a consumer on your local box. Once those are set up, you can see OAuth in action by walking through the user flow.

How do I learn more?

