On a recent project, I needed to consume a service that used OAuth for authentication. I had heard of OAuth, but I had not used the relatively new protocol. I was able to accomplish my goals without having to directly program to the OAuth spec, but I decided to dig a little deeper to learn more about the protocol’s guts.
An overview of OAuth
OAuth is designed to allow a user of an application to work with data from a service, without having to provide the application with credentials for the service. The big concept behind OAuth is that it uses tokens to allow applications to authenticate against services. When an application wants to work with a service, it requests a token from the service. This token is initially useless — that is, it cannot be used for authentication. Instead, the application asks the user to go to the service (behind the scenes, it passes data in the link or redirect about the token); when the user gets there, they log in with their pre-established credentials. This turns the token that the application received into an authorized token, allowing it to be used for authentication. This is called three legged authentication since it involves three actors: the application, the user, and the service. There is also two legged authentication between an application and the service, which does not require user intervention.
There is a lot more to how the protocol works than what I’ve outlined in this brief introduction; for more details, check out the OAuth website, and read the excellent articles about OAuth at hueniverse.
OAuth resources and code examples
Initially, I was going to write all of the access code myself, but I learned that the RestSharp library supports OAuth. If your plan is to work with a REST-style service, this is your best bet. RestSharp is an excellent library for working with REST services and makes it easy to deal with them.
For what I was working on, I could not use RestSharp due to the class structures involved. In addition, the service I was integrating with already had some outstanding sample code that required little modification to fit my needs — it was more of a routine, “write a lot of LINQ-to-XML to populate variables” kind of effort. That code used the DevDefined OAuth library with some modifications.
If you are interested in seeing the sample code that was so helpful to me, as well as a good video tutorial that shows how the three legged authentication works in practice, the Xero developer documentation is where to find it. Xero also has code samples and tutorials that show real-life OAuth usage.
OAuth can seem complex when you look at the spec and the details, but in reality, it’s not bad at all. It gives the services all the choices in the world to decide how to handle the authentication with the end user. The big advantage to using OAuth is that the consuming application doesn’t need to know the user’s credentials, which eliminates entire classes of security concerns.
I have a feeling that OAuth is going to become more popular in the future as more services offer non-SOAP interfaces. One place, for example, that is using OAuth is the Windows Azure Marketplace DataMarket, and no doubt others are coming soon.