OAuth Explained

Something we’re busy with right now at ThoughtWorks Studios is introducing a gadget style of integration to our products. The plan is to support OpenSocial gadgets (focus on gadgets, not social for now), allowing our applications to show each others’ data in its native form. As we do not have a notion of shared or common users across the suite, one of the hurdles is how to handle authentication when, say, Mingle displays a Build Pipeline status gadget from Go. The Mingle user should only see what she’s allowed to see in Go, and Go should know that it’s showing something to that specific user. We are going to solve this issue by implementing OAuth 2.0. OAuth is a standard protocol that allows a user to share his private data between two sites without having to hand out his password to the site “borrowing” the data.

I’m proud to say that we’ve given something back and published not only an OAuth 2.0 Provider plugin for Rails but also a series of introductory videos that might help you understand OAuth without having to spend a couple of days attempting to read an IETF specification, continually wiping the drool from your mouth. I should also note that the plugin’s README contains a lot of relevant information and references and might be worth checking out even if you didn’t want to use it.

OAuth provides a nice, dare I say comforting, user experience. That’s the nice part of OAuth. The ease of use plus the growing adoption made it a no-brainer for us to use OAuth in our products. However, implementation-wise, it still feels like a lot of moving parts, as you’ll see in part 4 of the videos. I like my security software (well, all my software, but particularly security software) to have as little complexity as possible. OAuth is getting there, but I would not call it simple.

As to how OAuth 2.0 compares to 1.0, the Web Server flow in OAuth 2.0 is mostly similar to OAuth 1.0, minus the request signing that was nearly impossible to code correctly. OAuth 2.0 simply says “Use SSL!” rather than asking client developers to write potentially buggy implementations of the request signature. That’s a good thing.
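To make the Web Server flow concrete, here is an added, in-memory Ruby sketch of both sides of the exchange (it is not code from the Rails plugin or the videos): the provider issues a one-time authorization code, the client exchanges it for an access token over the back channel, and the protected resource accepts a bearer token instead of a signed request. The client id, secret, redirect URI and endpoint names are constructed for the example.

```ruby
require 'securerandom'

# Assumed names: parsley.com is the client, Acme Bank the provider.
CLIENT = { id: 'parsley', secret: 'constructed-client-secret',
           redirect: 'https://parsley.example/cb' }

# --- Acme Bank: authorization server and resource server (in memory) ---
Provider = Struct.new(:codes, :tokens) do
  # The user has logged in at the bank and approved the request; the bank
  # issues a one-time authorization code bound to the registered redirect URI.
  def authorize(client_id, redirect_uri, scope, user)
    unless client_id == CLIENT[:id] && redirect_uri == CLIENT[:redirect]
      raise 'unknown client or redirect_uri'
    end
    code = SecureRandom.hex(16)
    codes[code] = { user: user, scope: scope, redirect_uri: redirect_uri }
    code
  end

  # Back-channel exchange: the client authenticates with its secret, the code
  # is consumed on first use, and the redirect_uri must match the one used above.
  def token(client_id, client_secret, code, redirect_uri)
    unless client_id == CLIENT[:id] && client_secret == CLIENT[:secret]
      raise 'invalid_client'
    end
    grant = codes.delete(code)
    raise 'invalid_grant' unless grant && grant[:redirect_uri] == redirect_uri
    token = SecureRandom.hex(32)
    tokens[token] = { user: grant[:user], scope: grant[:scope] }
    token
  end

  # Protected resource: a bearer token over TLS, no per-request signature.
  def accounts(authorization)
    info = tokens[authorization.to_s[/\ABearer (\S+)\z/, 1]]
    raise 'invalid_token' unless info && info[:scope].include?('accounts')
    { user: info[:user], accounts: %w[checking savings] }
  end
end

# --- parsley.com: the Web Server flow from the client's side ---
def web_server_flow(provider, user)
  state = SecureRandom.hex(8)          # stored in the user's session before redirecting
  code = provider.authorize(CLIENT[:id], CLIENT[:redirect], 'accounts', user)
  callback = { 'code' => code, 'state' => state }   # query string of the redirect back
  raise 'state mismatch' unless callback['state'] == state
  token = provider.token(CLIENT[:id], CLIENT[:secret], callback['code'], CLIENT[:redirect])
  provider.accounts("Bearer #{token}")
end
```

The resource call carries only the token; everything the 1.0 signature used to protect is left to the TLS connection, which is exactly the trade the post describes.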

Here is the set of videos, where I explain how the fictitious parsley.com personal financial portal uses OAuth to look up user account information at Acme Bank: