OAuth Introduction

This lesson introduces us to an authorization protocol called OAuth.

Before we dive into OAuth, I would first like to discuss a problem.

Suppose we want to use a new app called PicsArt, which lets us beautify our images. We just upload our images, and the app gives us some options to edit them.

This app offers a few ways to upload images, such as from the phone gallery or directly from our social media accounts, like Facebook or Instagram.

The problem is that the PicsArt app needs access to our Facebook account in order to reach our images.

Here are a few methods to solve this problem:

In the first method, we share our credentials with the client app, which it can then use to access our images:

1. The PicsArt app will ask us to provide our Facebook credentials.

2. The app will use those credentials to access our images from Facebook.

This is the most insecure way to give access to our resources, as we can't trust an arbitrary third-party app. There is no way for us to guarantee that the app will only access our images and will not post anything on Facebook. Also, what if we don't want this app to access our images anymore? Would we have to change our credentials then?

The second method solves this problem in a much more secure way and forms the basis of OAuth.

Here is what the flow will look like:

Consider a user, Alex, who is using the PicsArt app.

1. The PicsArt app will request Facebook to provide access to Alex’s images.

2. Facebook will ask Alex to confirm whether it may give the PicsArt app access to his images.

3. Alex will allow Facebook to provide image access to PicsArt.

4. Facebook will share a token with the PicsArt app. Each time PicsArt needs to access the images, it sends this token to Facebook. The token is a JWT, which we discussed in the last chapter.
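To make the contrast between the two methods concrete, here is an added example (not part of the original lesson) that simulates the second flow in Python: a hypothetical authorization server mints a signed, scoped, short-lived token only after Alex approves, and the image API checks signature, audience, expiry, scope and a revocation list on every request, so PicsArt can read images but cannot post, and Alex can withdraw access without touching his password. The client id `picsart`, the scope names `images:read` and `posts:write`, the signing key and the HS256 JWT-style token format are all constructed assumptions.

```python
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-demo-key"  # hypothetical authorization-server signing key
REVOKED = set()  # tokens Alex has withdrawn; his Facebook password never changes

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(user, client, scope, approved, now):
    """Steps 2-4: mint a token only after the user approves; it is bound to
    one client (aud), one permission set (scope) and an expiry (exp)."""
    if not approved:
        return None
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": user, "aud": client, "scope": scope, "exp": now + 3600}
    payload = _b64(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"

def check_token(token, client, required_scope, now):
    """Resource-server check on every request: signature, audience, expiry,
    revocation and scope. Returns the claims, or None when access is denied."""
    try:
        header, payload, sig = token.split(".")
        signature = _unb64(sig)
    except (AttributeError, ValueError):
        return None
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):  # tampered or forged token
        return None
    claims = json.loads(_unb64(payload))
    if claims["aud"] != client or claims["exp"] <= now or token in REVOKED:
        return None
    if required_scope not in claims["scope"].split():  # e.g. only images:read
        return None
    return claims

IMAGES = {"alex": ["beach.jpg", "dog.png"]}  # constructed resource-server data

def list_images(token, now):
    claims = check_token(token, "picsart", "images:read", now)
    return IMAGES[claims["sub"]] if claims else None

def create_post(token, text, now):
    return check_token(token, "picsart", "posts:write", now) is not None
```

A real deployment would also verify the `alg` header against an allow-list and fetch the key by `kid`; here the key and algorithm are fixed so a token can never select a weaker check.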
