OAuth and Auth …entication? …orization?

I had a funny experience a while back where I had a manager who tasked me with adding security to the service we were working on. He did me the favor first of going into the code and adding the core classes I would need.

…uh, thanks.

But our architectural direction was toward OAuth. So when I looked at the classes he’d created, I noticed they were all “Authenticate” or “Authenticated” names. Not “Authorize” or “Authorized” names.

Ouch. OK so he didn’t get the memo.

Then I moved to another team, and things were going swimmingly, until I got in an argument with my new manager about whether we were standing up an “Authorization” service or an “Authentication” service.

Sheesh. I guess great minds think — or don’t think — alike. History replicates itself in miniature.

Let’s be clear: OAuth is an *authorization* scheme, about allowing or disallowing access to resources and operations. It’s really about protecting data, and whether the owner of that data has authorized access to that data. Authentication is left as a “fill in the blank” step early in the process.

Authentication in OAuth is a moment in time — it’s a blip that happens early in the OAuth dance. The user supplies credentials, we validate them, and then we’re done with that. OAuth is not Basic Auth where, the client sends username and password every time. OAuth is the opposite of that. The client supplies credentials once, and if that’s OK, we get a token and don’t worry about it again.

In OAuth, the whole point is to provide an authorization scheme. That is, a client coming in to make a request is either authorized to make that request or not.

To use a metaphor, only people wearing Blue badges can get through this door. That’s the authorization process.

To further the badge metaphor, the guard at the front gate will check your driver’s license and the photo on your badge *once* to make sure you are you you say you are. That’s the authentication process.

After that you’re free to roam around where you badge authorizes you to go.

So I guess this post is for my *next* manager, anticipating the argument we’ll have over the difference between authentication and authorization in OAuth.


Leave a comment

Filed under OAuth

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s