
Thursday, 7 January 2016

OAuth Explained with real world example

OAuth is an authorization standard that lets a website access a user's information on another website the user is a member of, without needing to know that user's password.


Problem
Imagine your friend comes up with a website where users post their pictures so others can rate them. He wants users to be able to fetch all their Facebook pictures so they can be processed and uploaded onto his server, or linked on his website for others to rate.

The Facebook API allows a website like this to access LIMITED information about a user, and only what that user has granted, because for obvious security reasons Facebook cannot allow everyone to access anyone's information. This information is only accessible when the user himself grants you access to it.

To get access to user information you need to call the particular Facebook API endpoints to which you have been granted access.

Here's the general flow.
1. Your server/client application communicates with the OAuth endpoint to make sure you're who you say you are. During this process your client id is checked. If the same client id is used from a different website, the provider (e.g. Google) will return an error. This step doesn't require any action from the user's side.

2. You send the user to the authorization page, where the user allows or denies the permission you're asking for. If the user allows it, the user is sent back to your redirect URI with an 'Authorization code'.

3. The 'Authorization code' can now be used to get an 'access token', which you present to the server to get user info. The auth code is not sent alone: it's sent along with your secret ID (client secret), the scope (the info you want access to) and the redirect URI.

4. If you asked the user in step 2 for permission to access their pictures, you can now use the 'access token' to get their pictures and use them on your website for users to rate.
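The flow above, as an added example that is not part of the original post: a toy authorization server and client in Python that walk through steps 1 to 4 (client id and redirect URI check, user consent, code-for-token exchange with the client secret). The client name "rate-my-pics", the redirect URI and the scope "user_photos" are constructed values; the server also shows the checks a real provider applies, namely that the code is single-use and bound to the client and redirect URI, and that the client verifies the `state` value it started with.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

class AuthServer:
    """Toy authorization server (constructed for this example, not Facebook's)."""
    def __init__(self, clients):
        self.clients = clients  # client_id -> {"secret": ..., "redirect_uri": ...}
        self.codes = {}         # auth code -> (client_id, redirect_uri, scope)

    def authorize(self, client_id, redirect_uri, scope, state, user_approves):
        # Steps 1-2: client_id and redirect_uri must match the registered app
        client = self.clients.get(client_id)
        if client is None or client["redirect_uri"] != redirect_uri:
            raise ValueError("unknown client or redirect_uri mismatch")
        if not user_approves:
            return redirect_uri + "?" + urlencode({"error": "access_denied", "state": state})
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, redirect_uri, scope)
        return redirect_uri + "?" + urlencode({"code": code, "state": state})

    def token(self, code, client_id, client_secret, redirect_uri):
        # Step 3: the code is single-use and bound to the client + redirect_uri
        entry = self.codes.pop(code, None)
        client = self.clients.get(client_id)
        if entry is None or client is None:
            raise ValueError("invalid code or client")
        if not secrets.compare_digest(client["secret"], client_secret):
            raise ValueError("bad client secret")
        if entry[0] != client_id or entry[1] != redirect_uri:
            raise ValueError("code not issued to this client/redirect_uri")
        return {"access_token": secrets.token_urlsafe(24), "scope": entry[2]}

def callback_params(location):
    """Parse the query string of the redirect the user is sent back with."""
    return {k: v[0] for k, v in parse_qs(urlparse(location).query).items()}

def run_flow(user_approves=True):
    """Client side: start the flow, handle the callback, exchange the code."""
    cb = "https://ratemypics.example/cb"  # constructed redirect URI
    server = AuthServer({"rate-my-pics": {"secret": "s3cr3t", "redirect_uri": cb}})
    state = secrets.token_urlsafe(8)  # CSRF token tied to this user's session
    params = callback_params(server.authorize("rate-my-pics", cb, "user_photos", state, user_approves))
    if params.get("state") != state:  # reject callbacks this session did not start
        raise ValueError("state mismatch")
    if "code" not in params:
        return None  # user denied; no token is issued
    # Step 4 would now call the photos API with token["access_token"]
    return server.token(params["code"], "rate-my-pics", "s3cr3t", cb)
```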
