In this appendix, we'll walk through the process of authenticating users within your web app using their existing social
media accounts, thus eliminating the need for yet another username-password combo on yet another site.
To accomplish this, we'll be using the OAuth protocol.
What Is OAuth?
According to the OAuth home page, OAuth is “an open protocol to allow secure API authorization in a simple and
standard method from desktop and web applications.” 1
What that means at a high level is that OAuth provides a way for your app to access a user's other accounts, such
as Facebook, without requiring the user's Facebook password to be entered into your app.
To get a little more in depth, OAuth provides a standardized protocol for developers to register with a service
provider, obtain credentials, and use those credentials to let their app request permissions from the service provider
on a user's behalf.
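The three steps above (register, obtain credentials, request permissions on a user's behalf) can be traced in a small in-memory model. This is an added example, not code from the original text; the ServiceProvider class, its method names, and the scope names are hypothetical, and the one-time code exchange is patterned on the OAuth 2.0 authorization code grant rather than any real provider's API.

```python
import hmac
import secrets

class ServiceProvider:
    """Toy in-memory provider (constructed for illustration, not a real API)."""

    def __init__(self):
        self.clients = {}  # client_id -> client_secret
        self.codes = {}    # one-time code -> (client_id, user, scopes)
        self.tokens = {}   # access token -> (user, scopes)

    def register_app(self):
        # Step 1: the developer registers and obtains app credentials.
        client_id, client_secret = secrets.token_hex(8), secrets.token_hex(16)
        self.clients[client_id] = client_secret
        return client_id, client_secret

    def user_approves(self, client_id, user, scopes):
        # Step 2: the user signs in at the provider (never in the app) and
        # approves specific scopes; the app only ever receives this code.
        if client_id not in self.clients:
            raise PermissionError("unknown app")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, user, frozenset(scopes))
        return code

    def exchange(self, client_id, client_secret, code):
        # Step 3: the app proves its identity and swaps the code for a token.
        expected = self.clients.get(client_id, "")
        if not hmac.compare_digest(expected, client_secret):
            raise PermissionError("bad app credentials")
        # pop() makes the code single use, so a replayed code is rejected.
        issued_to, user, scopes = self.codes.pop(code, (None, None, None))
        if issued_to != client_id:
            raise PermissionError("invalid or reused code")
        token = secrets.token_urlsafe(24)
        self.tokens[token] = (user, scopes)
        return token

    def api_call(self, token, scope):
        # The token carries only the approved scopes, unlike a shared password.
        user, scopes = self.tokens.get(token, (None, frozenset()))
        return user is not None and scope in scopes

def demo():
    sp = ServiceProvider()
    cid, csecret = sp.register_app()
    code = sp.user_approves(cid, "alice", ["read_profile"])  # constructed user and scope
    token = sp.exchange(cid, csecret, code)
    return sp, cid, csecret, code, token
```

The app in this model never handles the user's password, and the token it ends up with is limited to the scopes the user approved.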
The History of OAuth
OAuth 1.0 was finalized in 2007 as the answer to a problem that had been plaguing developers as sites like Facebook
and Twitter exploded in popularity: how can these sites interact with each other without requiring users to give their
passwords to the other apps?
Early adopters of Twitter were inundated with new apps, tools, and services that augmented Twitter, automated
tweets, connected people with similar interests, and showed myriad other interesting ways to use the Twitter
platform. Unfortunately, to use one of these apps, users were originally required to enter their Twitter username and
password to grant the app access to the account. This access was unrestricted, so users simply had to trust that these app
developers would be responsible and hope for the best.
Obviously, this was not a sustainable model.
OAuth emerged as an alternative authentication protocol after the team behind it studied many of the proprietary
solutions that existed—services such as Google AuthSub, AOL OpenAuth, and the Amazon Web Services API—and
combined the best practices into an open protocol that would be easy for any service to use and any developer to
OAuth is currently working on the OAuth 2.0 draft, which has been implemented by several service providers,