F5 GLOSSARY

OAuth

What is OAuth?

OAuth is a protocol used to exchange authorization information, enabling multiple online services to interact under the user's permission. "OAuth 1.0" was published as RFC 5849 in April 2010, and "OAuth 2.0" followed as RFC 6749 in October 2012.

Imagine you want to post a photo on Instagram and automatically share it on Twitter. Manually accessing both services to make the same post can be tedious. Instead, Instagram offers a feature called cross-posting, which allows automatic sharing of your Instagram posts on other social networks, such as Twitter, by using their APIs. This process is facilitated by OAuth.

To post on Twitter, typical authentication requires a user ID and password, referred to as Basic Authentication. However, sharing these sensitive credentials with another service is risky. OAuth solves this by exchanging authorization information rather than authentication credentials, granting limited permissions for the task.

In OAuth terminology:

  • The service receiving the authorization (e.g., Instagram) is called the OAuth client.
  • The service granting the authorization (e.g., Twitter) is called the OAuth server.
  • The user is referred to as the Resource Owner.

To initiate the process, the OAuth client must first register itself with the OAuth server by providing details like its application name and domain. If the OAuth server deems the client trustworthy, it assigns a Client ID.

When the user (Resource Owner) chooses to grant authorization, the OAuth client redirects the user to the OAuth server. The OAuth server authenticates the user and asks whether the indicated permissions should be granted to the OAuth client. Upon the user's approval, the server redirects the user back to the OAuth client, granting an Access Token. This token serves as proof of authorization, allowing the OAuth client to call the OAuth server's API on the user's behalf within the granted permissions. The token remains valid until it expires or is explicitly revoked.
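The registration and redirect flow described above, worked through as an added example in Python (this is illustrative code written for this glossary entry, not F5's code or any real OAuth library). It models the authorization code grant of RFC 6749, which goes one step beyond the summary above: the redirect back to the OAuth client carries a single-use code, and the client exchanges that code for the Access Token. All names (the client domain photo.example, the user alice, the class and method names) are constructed. The example shows the checks a practitioner looks for in such a flow: the server only redirects to the domain registered for the Client ID, the client verifies the state value it issued before trusting the callback, a code cannot be exchanged twice, and the API refuses a token that has expired or been revoked.

```python
import secrets
import time
from urllib.parse import parse_qs, urlsplit


class OAuthServer:  # the service granting authorization (Twitter in the text)
    def __init__(self):
        self.clients = {}  # client_id -> registered domain
        self.codes = {}    # one-time authorization codes -> grant details
        self.tokens = {}   # access token -> grant details, expiry, revocation

    def register_client(self, domain):
        client_id = secrets.token_hex(8)  # the Client ID issued at registration
        self.clients[client_id] = domain
        return client_id

    def authorize(self, client_id, redirect_uri, scope, state, user, approved):
        # Runs after the server authenticated the user and asked for consent;
        # the user is only ever sent back to the domain registered for the client.
        if not redirect_uri.startswith(f"https://{self.clients[client_id]}/"):
            raise ValueError("redirect_uri does not match registered domain")
        if not approved:
            return f"{redirect_uri}?error=access_denied&state={state}"
        code = secrets.token_urlsafe(16)
        self.codes[code] = {"client_id": client_id, "scope": scope,
                            "user": user, "redirect_uri": redirect_uri}
        return f"{redirect_uri}?code={code}&state={state}"

    def exchange_code(self, client_id, code, redirect_uri, ttl=3600):
        grant = self.codes.pop(code, None)  # a code is single-use
        if (grant is None or grant["client_id"] != client_id
                or grant["redirect_uri"] != redirect_uri):
            raise ValueError("invalid_grant")
        token = secrets.token_urlsafe(24)
        self.tokens[token] = {**grant, "expires": time.time() + ttl, "revoked": False}
        return token

    def revoke(self, token):
        self.tokens[token]["revoked"] = True

    def api_post(self, token, text, now=None):
        # Protected API: the token must be present, unrevoked and unexpired.
        now = time.time() if now is None else now
        grant = self.tokens.get(token)
        if grant is None or grant["revoked"] or now >= grant["expires"]:
            return 401, "invalid_token"
        return 200, f"{grant['user']} posted: {text}"


class OAuthClient:  # the service receiving authorization (Instagram in the text)
    def __init__(self, server, domain):
        self.server = server
        self.client_id = server.register_client(domain)
        self.redirect_uri = f"https://{domain}/oauth/callback"
        self.pending = set()  # state values issued but not yet consumed

    def start(self, scope):
        # Query parameters sent along with the user to the OAuth server.
        state = secrets.token_urlsafe(16)
        self.pending.add(state)
        return {"client_id": self.client_id, "redirect_uri": self.redirect_uri,
                "scope": scope, "state": state}

    def callback(self, url):
        # The user is back from the OAuth server: check state, then fetch a token.
        query = parse_qs(urlsplit(url).query)
        state = query.get("state", [None])[0]
        if state not in self.pending:
            raise ValueError("state mismatch (possible CSRF)")
        self.pending.discard(state)
        if "error" in query:
            return None  # the user declined, so no token is issued
        return self.server.exchange_code(self.client_id, query["code"][0],
                                         self.redirect_uri)


def run_flow():
    # Run the cross-posting scenario once and record what each check returns.
    server = OAuthServer()
    client = OAuthClient(server, "photo.example")  # constructed client domain
    results = {}
    req = client.start("post")
    url = server.authorize(**req, user="alice", approved=True)
    token = client.callback(url)
    results["post"] = server.api_post(token, "hello")
    code = parse_qs(urlsplit(url).query)["code"][0]
    try:  # the code from the redirect cannot be exchanged a second time
        server.exchange_code(client.client_id, code, client.redirect_uri)
    except ValueError as e:
        results["code_replay"] = str(e)
    results["after_expiry"] = server.api_post(token, "late", now=time.time() + 3601)
    server.revoke(token)
    results["after_revoke"] = server.api_post(token, "again")
    try:  # a redirect target outside the registered domain is refused
        server.authorize(**{**client.start("post"), "redirect_uri": "https://other.example/cb"},
                         user="alice", approved=True)
    except ValueError as e:
        results["bad_redirect"] = str(e)
    url = server.authorize(**client.start("post"), user="alice", approved=False)
    results["denied"] = client.callback(url)  # declined: the client gets no token
    return results
```

Calling `run_flow()` returns a dictionary with the outcome of each step; the first post succeeds, and every later entry shows a check rejecting a replayed code, an expired or revoked token, an unregistered redirect target, or a declined consent. In a real deployment the Access Token would be sent as a bearer credential over TLS and the server would also bind the code to the authenticated client (client secret or PKCE), which this toy omits.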