To OAuth or not to OAuth?
OAuth 2.0 continues to grow as the de facto standard for granting access to protected resources on the web. But that doesn’t mean that OAuth 2.0 is the right security solution for every use case.
Today, we will weigh the trade-offs of implementing OAuth 2.0 (which we’ll refer to simply as “OAuth” throughout the post), so that you can better decide if it’s the right approach for your project.
Interested in improving other areas of your security stack? TeamPassword lets your team effortlessly and safely share passwords. Click here to start protecting credentials and sensitive information right now with a free 14-day trial.
What is OAuth and some Key Points
OAuth (Open-Standard Authorisation Protocol) is a standard that defines how servers and services grant client applications permission to access protected resources. This means that OAuth itself isn’t a service but rather a set of guidelines for authorization.
It’s also crucial to remember that OAuth isn’t an authentication protocol. OAuth handles authorization (granting scopes of access), not identity verification.
With OAuth, authorization uses tokens rather than credentials. The process basically works as follows:
- The client asks the resource owner for authorization.
- Resource owner authorizes client.
- Authorization server grants tokens to the client.
- The client shows a token to the resource server.
Here, a client is any party who wants to access the user’s (resource owner) data in the resource server. Meanwhile, the authorization server is a service trusted by the resource server to authenticate users and issue access tokens.
Aside from tokens, the process also relies on scopes (levels of access) and flows (ways to retrieve tokens).
Pros and Cons of OAuth
OAuth solves many problems that arise from allowing unrelated services to securely access users’ resources. But as with any other solution, OAuth comes with both advantages and disadvantages.
- Avoids directly using credentials. A key benefit of using OAuth is that it doesn’t involve client applications directly accessing users’ login credentials, thus steering clear of the password anti-pattern.
- Works well at granting fine-grained levels of access. With scopes, OAuth provides a robust way to grant and manage different access levels and permission types for specific users or groups. For example, OAuth scopes allow you to restrict which tokens have read-only or write-only permissions.
- Offers broader access control methods. In addition to scopes, OAuth gives developers the ability to further restrict access through the use of temporary tokens set to expire at a pre-configured expiration time.
- May not be the simplest option in specific situations. In certain cases, OAuth can be a more complicated security option to work with than alternatives like API keys or HTTP OAuth. When implementing OAuth, there can be a steep learning curve and longer development time involved.
- Introduces other security risks. While OAuth takes away the need to share credentials among multiple client applications, it does come with its own set of security risks such as access token injection, token leakage, and MITM attacks.
- Can lead to interoperability issues. There’s no shortage of ready-made solutions to start integrating OAuth into any project. But the lack of a common format means that vendors and services have widely different implementations, which can result in incompatibility issues.
Should You Use OAuth?
With different strengths and drawbacks, OAuth can be the best approach in many situations. But it can also be the wrong choice in others.
When to Use OAuth
- There’s a need for a service to securely access another service on a user’s behalf (e.g., allowing Twitter to access users’ email contacts).
- Access needs to be restricted by different permission types, user channels, or data categories (e.g., Facebook’s access tokens covering various permissions for public developer partners).
- It’s more convenient and/or more secure for users to sign up for a service without sharing their credentials (e.g., SSO sign-in using Google).
When Not to Use OAuth
- A service only requires simple login or authentication (e.g., protocols like HTTP Basic OAuth, HTTP Digest, or API keys may be more suitable).
- There’s a need to support stronger security requirements like digitally-signed messages or signatures with asymmetric secrets (e.g., SAML-based SSO may be a better option).
- You’re not building a platform that third-party services need to integrate with (again, simpler security protocols and best practices can be the right approach).
The OAuth authorization standard makes many of the modern web’s features and capabilities possible. It allows apps, services, devices, and APIs to securely share protected resources. In this post, we took a look at OAuth’s various advantages and drawbacks, as well as learned when OAuth is and isn’t the right security tool for the job.
Speaking of security tools, another key area you need to look into to protect your data is password management. TeamPassword helps you conveniently and securely share passwords throughout your team and organization. Find out more with a 14-day free trial.