OAuth is Handy
OAuth for Spring Security was released this week, and I thought
I'd take a stab at why you might be interested.
What is OAuth?
I like to explain OAuth by describing the problem it is trying to solve. So here goes.
Let's say you're a sizeable social networking site and you'd like to offer a feature to your users to allow them
to search their webmail contacts for import into their social network. The problem is, you (the "consumer")
need access to a resource that is protected by a another site (a.k.a. "service provider"). How do you go about doing that?
Option 1: Just ask the user for his/her credentials and promise that you won't store
them or do anything bad with them. Well, it works, I suppose, but this isn't a great general-purpose practice for online applications. And it's not hard
to see why. Sure, you might be trustworthy, but there are plenty of other sites who are not. And what about the service provider? How would you
feel about your users giving out their credentials to other sites that want access to the resources you protect?
Option 2: Use OAuth. OAuth is a protocol that was defined to address this problem. Continuing the above example, let's say that you've established a trust
with the webmail service providers. You share a "secret" (which in practical terms is a passphrase or a public key or something) that you can use to gain
access to the webmail contacts—provided, of course, that the user approves it. In order to gain this approval, all you have to do is redirect the user
to the login page of the webmail service provider and have the user tell the service provider that it's okay that you access his/her contacts.
OAuth is a protocol standard that can be used to enable this mechanism.
How do I try it out?
OAuth for Spring Security has a really
nice tutorial that walks you through setting up both a service provider and a consumer on your local box. Once those are set up, you can see OAuth in
action by walking through the user flow.
How do learn more?