What does OAuth stand for?
Open Authorization
OAuth is a standard for securely granting applications limited permissions without sharing your password with them.
In the valet key analogy, what does the valet key represent?
Access token
It allows access to specific data/features without revealing the full account or sensitive details.
Who is the Resource Owner in the OAuth process?
You (the person who owns the data)
For example, your photos on Google Photos.
What role does the App (Client) play in OAuth?
The application that wants to access your data
For example, a photo printing service.
What is the function of the Authorization Server/Resource Server?
Holds your data (resource server) and handles permissions (authorization server)
Examples include Google and Facebook.
What is the first step in the OAuth flow when using an app?
You show intent by clicking a button
This button typically says something like ‘Connect to Google Photos’.
What happens after the app asks for permission in the OAuth process?
The app redirects you to the service’s sign-in page
It’s important to ensure you are on the official website.
What does the user do after being redirected to the sign-in page?
Log in & grant consent
You enter your credentials, which the app never sees.
What does Google provide after you grant consent in the OAuth process?
A one-time use code
This code is sent back to the app via a redirect link.
What does the app do with the code received from Google?
Exchanges the code for an access token
The access token acts like a valet key: it grants access only to the specific data the user consented to.
What can you do at any time regarding an app’s access in OAuth?
Revoke the app’s access
This effectively breaks the valet key.
How do users typically use OAuth without realizing it?
Everyday actions such as these use OAuth to share information securely.
What is the first step for a developer wanting to use OAuth?
Register your app
This is done at the service’s developer portal.
What must a developer define when using OAuth?
A Redirect URI
This indicates where to send the user after granting permission.
What should developers use to handle OAuth processes?
The service’s library or API
This usually follows the ‘Authorization Code grant’ flow.
What is a key responsibility of the application regarding access tokens?
Manage tokens securely
This includes handling expiration and possibly using refresh tokens.