OAuth 2.0 — A Layman's Explanation

OAuth

Before we get into what OAuth and OpenID Connect are and how they work, let me tell you a bit of the history behind them.

Before we had OAuth, patterns like this were very common:
In 2010, during Facebook's signup process, as soon as you finished registering, a message popped up saying: let's find your friends on Facebook. To use the service, you had to provide your email address and your email password.

In 2010, Facebook was asking for your password to find your friends

Facebook then used your credentials to log into your email account and fetch your email contacts.

Do you think that was a good way to connect with your friends?
Your answer would be no.

But without your details, how would Facebook provide the friend-suggestion service? It's impossible, right?
Facebook needs your contacts' email addresses to offer that service. In the backend, Facebook matches your contacts' email addresses against its own database to suggest friends to you.

As a user, you don't want to share your credentials, but you might still be interested in the service Facebook provides.

Developers call this the delegated authorization problem.

The delegated authorization problem is letting a third-party website or service access my data (for example, my email contacts) without giving it my password.
Developers came up with OAuth to solve this delegated authorization problem.

Let's take a look at an example.

Suppose you open an OAuth-enabled website. For example, open a browser and navigate to https://draw.io/.

Draw.io asking the end-user where to save the diagrams
Draw.io asking for authorization
Log in to Google

In this example, the app asks us for two permissions.

Granting the consent

The moment you click Allow, Google records your consent: you have no objection to this app adding new files and viewing or managing your Google Drive files.

In the above example, we wanted to use the draw.io service and store our diagrams in Google Drive. With the help of OAuth, we achieved that neatly, without sharing our password with the third-party app.
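To make the idea concrete, here is an added, deliberately simplified model of delegated authorization (it is not Google's or draw.io's real implementation, and the scope names, client id and user are constructed for the example): the user logs in at the authorization server, consents to a limited set of scopes, and the third-party app receives a token tied to exactly those scopes while never seeing the password.

```python
# Added example: a toy authorization server + resource server showing why the
# third-party app only ever holds a scoped token, never the user's password.
import secrets

# Constructed sample data (not real accounts, clients or Google scope names).
USERS = {"alice@example.com": "correct-horse-battery-staple"}
CLIENTS = {"drawio-app": {"redirect": "https://draw.io/callback"}}
# The two permissions the consent screen in the post asks for, as scope names.
SCOPES = {"drive.file.create", "drive.file.manage"}
TOKENS = {}  # token -> {"user": ..., "client": ..., "scopes": ...}


def authorize(client_id, username, password, requested_scopes):
    """Authorization server: the *user* logs in here, the app never sees this."""
    if client_id not in CLIENTS:
        raise ValueError("unknown client")
    if USERS.get(username) != password:
        raise PermissionError("bad credentials")
    # Consent is recorded only for scopes the server actually knows about;
    # anything else the app asked for is silently dropped.
    granted = set(requested_scopes) & SCOPES
    if not granted:
        raise PermissionError("no valid scope requested")
    token = secrets.token_urlsafe(24)          # opaque, unguessable bearer token
    TOKENS[token] = {"user": username, "client": client_id, "scopes": granted}
    return token                               # this is all the app receives


def resource_request(token, needed_scope):
    """Resource server (the drive): checks the token's scopes, not a password."""
    grant = TOKENS.get(token)
    if grant is None:
        return False                           # unknown or revoked token
    return needed_scope in grant["scopes"]


def revoke(token):
    """Withdrawing consent: the app's token stops working, password untouched."""
    TOKENS.pop(token, None)
```

Because the app holds only the token, removing it from the list of third-party apps revokes that one grant without forcing a password change.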

To check how many websites and third-party apps have access to your Google data, navigate to https://myaccount.google.com/security and look at the list under Third-party apps with account access.

Third-party apps access

If this post explained the concept of OAuth in layman's terms, hit a clap. Also, comment with any suggestions or feedback.

🎖️ Founder of identity classes | 👨‍💻 IAM Expert — Saviynt, SailPoint, OKTA, OIM, OIG, OUD | Professional Trainer