OAuth is an open standard protocol used to allow third-party access to user information from an existing account at a website or application. When using OAuth, user information can be transmitted to a third party without the user disclosing their password to that third party. Users encounter OAuth when they want to use an application or website without handing over their account password, the so-called password anti-pattern. The protocol was designed by a workgroup that collaborated with the Internet Engineering Task Force (IETF).
OAuth 1.0 was released in December 2007, with a more secure revision, OAuth 1.0a, released in June 2009. OAuth 1.0 operates by managing the authorization that the user and the server (the website hosting the user's account) grant to the client (a third-party website or application) for access to the user's information.
The OAuth 1.0 process starts with the client issuing a temporary credential request, together with its authorization URIs, to the server. Once the server approves it, the client sends an authorization request to the user by way of the server. If the user approves the request, the client sends a token credential request to the server using its temporary credentials. After the server returns the token credentials to the client, the client can access the user's information.
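The three-step sequence above, with the request signing that OAuth 1.0 layers on each step, as an added example that is not part of the original article. It is a self-contained Python simulation, not the code of any real OAuth library: the server runs in-process instead of over HTTP, the client key and secret, URLs and user name are constructed placeholder values, and the signature construction follows RFC 5849 (HMAC-SHA1 over a signature base string, keyed with the client secret and the current token secret). The server side shows the checks a defender cares about: recomputing the signature with a constant-time comparison, rejecting replayed nonces, and binding the verifier to a temporary credential that the user actually approved.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote

# Constructed client credentials for this toy flow (hypothetical, not from the article).
CLIENT_ID, CLIENT_SECRET = "dpf43f3p2l4k3l03", "kd94hf93k423kf44"


def pct(value) -> str:
    """Percent-encode as RFC 5849 section 3.6 requires (only unreserved characters stay bare)."""
    return quote(str(value), safe="-._~")


def signature_base_string(method: str, url: str, params: dict) -> str:
    """RFC 5849 section 3.4.1: METHOD & encoded base URL & encoded normalized parameters."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])


def hmac_sha1_signature(method, url, params, client_secret, token_secret="") -> str:
    """RFC 5849 section 3.4.2: HMAC-SHA1 keyed with 'client secret & token secret'."""
    key = f"{pct(client_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, signature_base_string(method, url, params).encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def signed_request(method, url, extra, client_secret, token_secret="") -> dict:
    """Client side: assemble the oauth_* protocol parameters for one request and sign them."""
    params = {"oauth_consumer_key": CLIENT_ID, "oauth_signature_method": "HMAC-SHA1",
              "oauth_timestamp": str(int(time.time())), "oauth_nonce": secrets.token_hex(8),
              "oauth_version": "1.0", **extra}
    params["oauth_signature"] = hmac_sha1_signature(method, url, params, client_secret, token_secret)
    return params


class ToyServer:
    """In-process stand-in for the server: the OAuth 1.0 endpoints plus one protected resource."""

    def __init__(self):
        self.clients = {CLIENT_ID: CLIENT_SECRET}
        self.temp_creds = {}    # temporary token -> secret, callback, verifier, approving user
        self.token_creds = {}   # token credential -> secret, user
        self.seen_nonces = set()

    def _verify(self, method, url, params, token_secret=""):
        """Recompute the signature server-side; reject bad signatures and replayed nonces."""
        params = dict(params)
        presented = params.pop("oauth_signature")
        client_secret = self.clients[params["oauth_consumer_key"]]
        nonce_key = (params["oauth_consumer_key"], params["oauth_timestamp"], params["oauth_nonce"])
        if nonce_key in self.seen_nonces:
            raise PermissionError("replayed nonce")
        expected = hmac_sha1_signature(method, url, params, client_secret, token_secret)
        if not hmac.compare_digest(expected, presented):
            raise PermissionError("bad signature")
        self.seen_nonces.add(nonce_key)
        return params

    def temporary_credentials(self, url, params):
        """Step 1: the client asks for temporary credentials, naming its callback."""
        p = self._verify("POST", url, params)
        token, secret = secrets.token_hex(8), secrets.token_hex(16)
        self.temp_creds[token] = {"secret": secret, "callback": p["oauth_callback"], "verifier": None, "user": None}
        return {"oauth_token": token, "oauth_token_secret": secret, "oauth_callback_confirmed": "true"}

    def authorize(self, temp_token, user):
        """Step 2: the user approves the client at the server, which mints a verifier for the callback."""
        entry = self.temp_creds[temp_token]
        entry["user"], entry["verifier"] = user, secrets.token_hex(8)
        return entry["verifier"]

    def token_credentials(self, url, params):
        """Step 3: temporary credentials plus the verifier are exchanged for token credentials."""
        entry = self.temp_creds[params["oauth_token"]]
        p = self._verify("POST", url, params, entry["secret"])
        if entry["user"] is None or not hmac.compare_digest(p["oauth_verifier"], entry["verifier"]):
            raise PermissionError("temporary credential not authorized")
        del self.temp_creds[p["oauth_token"]]   # temporary credentials are single use
        token, secret = secrets.token_hex(8), secrets.token_hex(16)
        self.token_creds[token] = {"secret": secret, "user": entry["user"]}
        return {"oauth_token": token, "oauth_token_secret": secret}

    def protected_resource(self, url, params):
        """Signed access to the user's information with the token credentials."""
        entry = self.token_creds[params["oauth_token"]]
        self._verify("GET", url, params, entry["secret"])
        return {"user": entry["user"]}


def run_three_legged_flow(server, user="alice"):
    """Walk the whole OAuth 1.0 sequence; returns the protected resource the client ends up with."""
    base = "https://server.example"   # constructed server location
    temp = server.temporary_credentials(base + "/initiate", signed_request(
        "POST", base + "/initiate", {"oauth_callback": "https://client.example/cb"}, CLIENT_SECRET))
    verifier = server.authorize(temp["oauth_token"], user)
    tok = server.token_credentials(base + "/token", signed_request(
        "POST", base + "/token", {"oauth_token": temp["oauth_token"], "oauth_verifier": verifier},
        CLIENT_SECRET, temp["oauth_token_secret"]))
    return server.protected_resource(base + "/me", signed_request(
        "GET", base + "/me", {"oauth_token": tok["oauth_token"]}, CLIENT_SECRET, tok["oauth_token_secret"]))
```

Calling `run_three_legged_flow(ToyServer())` returns `{"user": "alice"}`. Because every request carries a signature over the method, URL and parameters, a request whose parameters were altered in transit, or one that is simply replayed, fails `_verify`; that is the property that let OAuth 1.0 be used over plain HTTP, and also why it needed a correct signature implementation on both sides.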
OAuth 2.0 was released in October 2012 and operates differently from OAuth 1.0. To access the user's information, the client first sends an authorization request to either the user or the server. The client then receives an authorization grant from one of the two, in one of four forms: authorization code, implicit, user password credentials, or client credentials. With the grant, the client requests an access token from the server; once the server approves, the token gives the client the access detailed in the request.
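The OAuth 2.0 sequence above, carried through for the first of the four grant forms (the authorization code grant), as an added example that is not part of the original article and not the code of any real OAuth 2.0 library. It is a self-contained Python simulation: the authorization server, the third-party client and the user's browser redirect all run in-process, and the client registration, redirect URI and user name are constructed placeholder values. Beyond the bare sequence in the text it shows the checks that make the grant safe in practice: the server validates the redirect URI against the registration before redirecting anywhere, authorization codes expire and are single use, the token endpoint authenticates the client, and the client ties each callback to the browser session that started the flow through the `state` parameter.

```python
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed registration for one client (hypothetical values, not from the article).
CLIENT_ID, CLIENT_SECRET = "client-123", "constructed-client-secret"
REDIRECT_URI = "https://client.example/cb"


class AuthorizationServer:
    """Toy authorization server plus resource server: the 'server' of the text."""
    CODE_TTL, TOKEN_TTL = 60, 3600   # seconds; codes are meant to be short-lived

    def __init__(self):
        self.clients = {CLIENT_ID: {"secret": CLIENT_SECRET, "redirect_uri": REDIRECT_URI}}
        self.codes = {}    # authorization code -> grant details
        self.tokens = {}   # access token -> user, scope, expiry

    def authorize(self, query: dict, user: str, approved: bool) -> str:
        """Authorization endpoint: returns the redirect URL the user's browser is sent back to."""
        client = self.clients[query["client_id"]]
        # The redirect target is checked against the registration before anything is sent to it.
        if query["redirect_uri"] != client["redirect_uri"]:
            raise ValueError("redirect_uri does not match registration; no redirect issued")
        state = query.get("state", "")
        if query.get("response_type") != "code":
            return REDIRECT_URI + "?" + urlencode({"error": "unsupported_response_type", "state": state})
        if not approved:
            return REDIRECT_URI + "?" + urlencode({"error": "access_denied", "state": state})
        code = secrets.token_urlsafe(24)
        self.codes[code] = {"client_id": query["client_id"], "redirect_uri": query["redirect_uri"],
                            "user": user, "scope": query.get("scope", ""),
                            "expires": time.time() + self.CODE_TTL}
        return REDIRECT_URI + "?" + urlencode({"code": code, "state": state})

    def token(self, form: dict, client_id: str, client_secret: str) -> dict:
        """Token endpoint: exchanges a code for a bearer access token (RFC 6749 section 4.1.3)."""
        client = self.clients.get(client_id)
        if client is None or not secrets.compare_digest(client["secret"], client_secret):
            return {"error": "invalid_client"}
        if form.get("grant_type") != "authorization_code":
            return {"error": "unsupported_grant_type"}
        grant = self.codes.pop(form.get("code", ""), None)   # a code is single use
        if (grant is None or grant["expires"] < time.time() or grant["client_id"] != client_id
                or grant["redirect_uri"] != form.get("redirect_uri")):
            return {"error": "invalid_grant"}
        token = secrets.token_urlsafe(32)
        self.tokens[token] = {"user": grant["user"], "scope": grant["scope"],
                              "expires": time.time() + self.TOKEN_TTL}
        return {"access_token": token, "token_type": "Bearer", "expires_in": self.TOKEN_TTL,
                "scope": grant["scope"]}

    def userinfo(self, access_token: str) -> dict:
        """Protected resource: accepts a live bearer token and returns the user's information."""
        entry = self.tokens.get(access_token)
        if entry is None or entry["expires"] < time.time():
            raise PermissionError("invalid_token")
        return {"user": entry["user"], "scope": entry["scope"]}


class Client:
    """The third-party application of the text."""

    def __init__(self, server: AuthorizationServer):
        self.server = server
        self.pending = {}   # state -> the browser session that started the flow

    def start(self, session_id: str) -> dict:
        """Build the authorization request; 'state' binds the later callback to this session."""
        state = secrets.token_urlsafe(16)
        self.pending[state] = session_id
        return {"response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
                "scope": "profile", "state": state}

    def callback(self, redirect_url: str) -> tuple:
        """Handle the redirect back from the server and redeem the code for an access token."""
        q = {k: v[0] for k, v in parse_qs(urlparse(redirect_url).query).items()}
        session_id = self.pending.pop(q.get("state", ""), None)
        if session_id is None:
            raise PermissionError("unknown state: callback is not tied to a session we started")
        if "error" in q:
            raise PermissionError(q["error"])
        tok = self.server.token({"grant_type": "authorization_code", "code": q["code"],
                                 "redirect_uri": REDIRECT_URI}, CLIENT_ID, CLIENT_SECRET)
        if "error" in tok:
            raise PermissionError(tok["error"])
        return session_id, tok


def run_authorization_code_flow(user: str = "alice") -> dict:
    """Walk the grant end to end and read the protected resource with the resulting token."""
    server = AuthorizationServer()
    client = Client(server)
    request = client.start("browser-session-1")
    redirect_url = server.authorize(request, user, approved=True)   # the user approves at the server
    _session, tok = client.callback(redirect_url)
    return server.userinfo(tok["access_token"])
```

`run_authorization_code_flow()` returns `{"user": "alice", "scope": "profile"}`. Note the division of labour: the code that travels through the user's browser is worthless on its own, because redeeming it requires the client secret, the registered redirect URI and a still-unused, unexpired code; the access token, by contrast, is a bearer credential, so it must only ever travel over TLS and be stored by the client as carefully as a password would be.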