Overview#

OAuth is a an open standard scalable Protocol for Delegation of Authorization to server resources using HTTP

Generally, OAuth is a solution to the Password Anti-Pattern.

OAuth provides an open standard scalable method for Relying Party to Grant access to server resources on behalf of a Resource Owner.

OAuth also provides a process for end-users to authorize third-party access to their server resources without sharing their credentials using User-agent redirections.[1]

OAuth 1.0#

OAuth 1.0 is defined by the Informational RFC 5849 in April 2010 and was OBSOLETED by RFC 6749.

OAuth 2.0[2]#

OAuth 2.0 is an evolution of the OAuth protocol and is not backward compatible with OAuth 1.0. OAuth 2.0 focuses on client developer simplicity while providing specific authorization flows for web applications, desktop applications, Mobile Devices, and living room devices. The specification and associated RFCs are being developed within the IETF OAuth WG; the main framework was published in October 2012.

The OAuth 2.0 Framework and Bearer Token Usage were published in October 2012. Other documents are still being worked on within the OAuth working group.

Some OAuth Implementations#

• Facebook's new Graph API only supports OAuth 2.0.
• Google supports OAuth 2.0 as the recommended authentication mechanism for all of its APIs.
• As of 2011 Microsoft has added OAuth 2.0 experimental support to their APIs.

More Information#

There might be more information for this subject on one of the following:

• Access Proxy
• An IETF URN Sub-Namespace for OAuth
• Authentication Protocol
• Authenticator App
• Covert Redirect Vulnerability
• Curity
• FAPI Pushed Request Object
• Fast Healthcare Interoperability Resources
• Federated Authorization for UMA 2.0
• Identity Provider (IDP)
• Loopback Interface Redirection
• OAuth 2.0
• OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer
• OAuth 2.0 Security-Closing Open Redirectors in OAuth
• OAuth 2.0 Vulnerabilities
• OAuth 2.0 for Native Apps
• Open Bank Project
• OpenID Connect Scopes
• Portable Contacts
• RFC 5849
• Scopes vs Claims
• Single Sign-On Scenarios
• Token Binding Protocol
• Token Binding over HTTP
• User-Managed Access
• Web Authentication API
• Web Blog_blogentry_160718_1
• Why OpenID Connect
• Yadis

---

• [#1] - http://en.wikipedia.org/wiki/OAuth - Retrieved 2013-03-29
• [#2] - based loosely on http://en.wikipedia.org/wiki/OAuth - Retrieved 2013-03-29