Evaluate Weigh the pros and cons of technologies, products and projects you are considering.

OAuth 2.0: Pros and cons of using the federation protocol

Learn the advantages and disadvantages of using Open Authorization for Web application authentication.

Our organization is strongly leaning toward integrating OAuth into our Web application authentication architecture...

in order to support both standard and mobile Web apps. Are there any downsides to using OAuth, particularly with mobile applications, or any reasons why we should consider other methods or federation protocols?

OAuth 2.0 (Open Authorization) is currently nearing finalization as an IETF standard. It is a federation protocol aimed at simplifying authorization and access to protected data by giving access to data while protecting the owner’s account credentials. It allows a user with an account on one website (the service provider) to allow another website (the consumer) to access his or her data from the first website. Users can give out tokens instead of credentials -- typically their username and password -- to share access to their private resources such as documents, images and calendars hosted on the Internet. A token can grant access to a specific resource for a specific duration so resources can be shared with a third party without having to grant complete access to all the data. This is a far better solution than users sharing their usernames and passwords with each other in order to access each other’s data.

One of the potential benefits of OAuth 2.0 is the ability for users to share verifiable assertions about themselves without having to release any personally identifiable information.  Allowing your customers to either aggregate your information about them or share information about themselves from another site with your application could greatly improve your services, tying together functionality from other sites while reducing costs at the same time.

OAuth is used by many large sites, including Twitter, Facebook and Google. Choosing an alternative protocol would be difficult given this level of support from the biggest sites on the Net, but OAuth is not a simple plug-and-play technology. When using the OAuth protocol, you need a secret string obtained from the service you want to delegate to. From reading various blogs and forums, I gather that developers struggle with managing this secret on mobile devices, as storing it in the application means it could be found and misused.

Ask a question

SearchSecurity.com expert Michael Cobb is standing by to answer your questions about enterprise application security and platform security. Submit your question via email: editor@searchsecurity.com.

Also remember that OAuth is about giving access to resources without sharing the owner’s identity or credentials; i.e., a temporary data transfer authorization. Users still have to sign in at some point with a username or password, even if they’re using OpenID and using a single identity to sign into many sites. I would conduct some usability tests on your proposed design to see how your users react. Some may prefer to enter a username and password rather than click to login to Twitter, enter their username/password there, click submit, click approve and finally return to your site.

We are still some way off from a standardized authentication and authorization framework for mobile applications, but companies for whom it’s a key aspect of their business model, such as Google, are working on it. Until then, OAuth 2.0 is probably your best bet as long as you bear in mind your users’ requirements as well as your own.

This was last published in November 2011

Dig Deeper on Web authentication and access control

Join the conversation

1 comment

Send me notifications when other members comment.

Please create a username to comment.

ID federations (single-sign-on services and password managers) create a single point of failure, not unlike putting all the eggs in a basket. It remembers all my passwords when un-hacked and loses all my passwords to criminals when hacked. It should be operated in a decentralized formation or should be considered mainly for low-security accounts, not for high-security business which should desirably be protected by all different strong passwords unique to each account. Needless to say, the strength of the master-password is crucially important. At the root of the password headache is the cognitive phenomena called “interference of memory”, by which we cannot firmly remember more than 5 text passwords on average. What worries us is not the password, but the textual password. The textual memory is only a small part of what we remember. We could think of making use of the larger part of our memory that is less subject to interference of memory. More attention could be paid to the efforts of expanding the password system to include images, particularly KNOWN images, as well as conventional texts.