Applications have long provided ways for other applications to access their API. In the past this has often meant "naked", plain-text password storage, which gave only the illusion that users were securely granting access to the API in their name. OAuth removes this illusion, "putting the clothes" back on authorization so user data stays secure in an open, standards-supported way.
How to Avoid Losing Your Pants Using OAuth
1. How to Avoid Losing Your Pants Using OAuth
Everything you need to know to keep your users safe and maintain your sanity with OAuth.
Jesse Stay
CEO, SocialToo.com
http://staynalive.com
2. A long time ago, in a galaxy far, far away, there was a story of a wise old emperor...
Okay, not this emperor!
13-15. Basic flow of an OAuth app (built up over three slides)
User visits the consumer (the application) and clicks the "Authorize" button.
Consumer redirects the user to the service provider for auth.
Provider returns the user to the consumer with a token to act on behalf of the provider for that user.
16. "Behind" the scenes
Consumer formats a request to the provider to get a request token, then appends the request token to the provider auth URL.
Consumer then redirects the user to the provider auth URL with the request token.
17. "Behind" the scenes
User authenticates with the provider and authorizes the consumer to make calls on behalf of the user.
18. "Behind" the scenes
Provider redirects the user back to the consumer's callback URL (specified in the original consumer-to-provider redirect or in the app settings).
Consumer sends the original request token, requesting an access token from the provider.
19. "Behind" the scenes
Provider sends the consumer an access token and access token secret, giving the consumer permission to make API calls on behalf of the user.
Consumer makes API calls for the user!
20. Consumer call and redirect to provider: real world example (there's more than one way to do it!)
21. Consumer callback on redirect from provider: real world example (there's more than one way to do it!)
22. Make some API calls! Real world example (there's more than one way to do it!)
24. OAuth for desktop
Provider asks the user for a PIN.
User enters the PIN in the consumer desktop app.
Consumer sends the PIN with the request for an access token.
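As an added example, not code from the talk or from SocialToo, here is what "formatting a request to the provider" in slides 16 to 19 and sending the PIN in slide 24 amount to on the wire in OAuth 1.0 (RFC 5849, HMAC-SHA1): the consumer signs every request with its consumer secret and the current token secret, and the provider must recompute and check that signature before honouring a request-token, access-token (with the PIN as oauth_verifier) or API call. All keys, secrets, URLs and the PIN below are constructed placeholders.

```python
import base64, hashlib, hmac, secrets, time
from urllib.parse import quote, urlsplit

def oauth_encode(value):
    """RFC 5849 section 3.6: percent-encode everything but the unreserved set."""
    return quote(str(value), safe="-._~")

def signature_base_string(method, url, params):
    """RFC 5849 section 3.4.1: METHOD & enc(base URL) & enc(normalized params)."""
    parts = urlsplit(url)
    scheme, host = parts.scheme.lower(), parts.hostname.lower()
    if parts.port and parts.port != {"http": 80, "https": 443}.get(scheme):
        host = f"{host}:{parts.port}"  # default ports are omitted from the base URL
    # Sort by encoded key, then value; the signature itself is never signed.
    pairs = sorted((oauth_encode(k), oauth_encode(v)) for k, v in params.items()
                   if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), oauth_encode(f"{scheme}://{host}{parts.path}"),
                     oauth_encode(normalized)])

def hmac_sha1(method, url, params, consumer_secret, token_secret=""):
    """Key is enc(consumer secret)&enc(token secret); the token secret is empty on step 1."""
    key = f"{oauth_encode(consumer_secret)}&{oauth_encode(token_secret)}".encode()
    mac = hmac.new(key, signature_base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def sign_request(method, url, params, consumer_key, consumer_secret,
                 token="", token_secret="", extra=None):
    """Consumer side: add the oauth_* protocol parameters and sign the whole request.
    `extra` carries the step-specific parameter: oauth_callback when asking for a
    request token, or oauth_verifier (the desktop PIN) when asking for the access token."""
    signed = dict(params, oauth_consumer_key=consumer_key, oauth_nonce=secrets.token_hex(16),
                  oauth_signature_method="HMAC-SHA1", oauth_timestamp=str(int(time.time())),
                  oauth_version="1.0", **(extra or {}))
    if token:  # the request token on the access-token call, the access token afterwards
        signed["oauth_token"] = token
    signed["oauth_signature"] = hmac_sha1(method, url, signed, consumer_secret, token_secret)
    return signed

def verify_request(method, url, params, consumer_secret, token_secret=""):
    """Provider side: recompute the signature and compare in constant time.
    A real provider also checks the nonce/timestamp pair against replay."""
    expected = hmac_sha1(method, url, params, consumer_secret, token_secret)
    presented = params.get("oauth_signature", "")
    return hmac.compare_digest(presented.encode(), expected.encode())
```

Any change to the method, URL, a parameter or the secrets (for instance a PIN entered into the wrong consumer, or a tampered oauth_verifier) makes verify_request return False, which is exactly the property that lets the provider hand out an access token without the consumer ever seeing the user's password.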
25. Flaws of OAuth
Multiple steps for the user to authenticate.
User has to leave the consumer site.
Not built as an authentication platform: when the provider is down, so is OAuth for that provider.