Authorization Patterns – Approval and OAuth

As the web evolves, design patterns for authorization are emerging. When implementing authorization, there are two fundamental needs to address: interaction between people, and integration between systems.

The first case, interaction between people, is familiar to anyone using social networking sites like Facebook. When someone adds you as a friend, Facebook sends you a notification prompting you to confirm or deny the request. If you approve the request, that person will be allowed to view your profile.

In effect, a “contract” is established between the two people. Because Facebook knows the identity of each person, restrictions on that contract can be put in place. Privacy settings are a classic example of such a restriction. For example, you can limit who can view your contact information and phone numbers.

The second case, integration between systems, is less familiar but is getting increased attention as data portability becomes necessary. In this scenario, the authorization requirements typically involve only one person who has separate accounts on separate systems.

For example, I use Google Calendar to keep track of my schedule. When I accept event invitations on Facebook, it would be useful to have those events added to my calendar. I would like to allow Facebook to modify my calendar, but I don’t want to allow it access to my email (which is why I won’t give Facebook my Google password).

OAuth specifies a protocol for establishing system-to-system authorization. It lets you grant a second system, acting on your behalf, access to your data on the first system, without handing over your credentials for that system.

At the core, OAuth defines a mechanism for exchanging access tokens, which are issued during authorization. It is up to the system to implement and enforce different access rights, such as read-only vs. read-write privileges, or access to one set of data but not another.

In the above example, Facebook would be acting on my behalf, automatically adding events to my calendar so that I don’t have to add them manually. Google would recognize that the token used allows access to my calendar, but would deny any attempts to access my mail.
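The token-and-scope behaviour described above, worked through as an added example that is not code from the original post. It is a self-contained Python model: one issuing system (standing in for Google) hands out opaque access tokens at approval time and remembers which client and which access rights each token covers; the protected APIs (calendar, mail) only ask whether a presented token grants the scope a given operation needs. All class, function and scope names (`AuthorizationServer`, `ResourceServer`, `scenario`, `calendar.write`, and so on) are assumptions made for this example, not Google's or Facebook's real API.

```python
"""Added example (not part of the original post): OAuth-style scoped access tokens.

The issuing system records, per token, who may use it and what it grants. Resource
servers never see the user's password; they enforce the scope-to-operation mapping,
which is the "up to the system" part described in the post. Names are assumptions.
"""
import secrets
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class TokenRecord:
    """What the issuing system remembers about one access token."""
    client_id: str        # the system acting on the user's behalf (e.g. "facebook")
    user: str             # whose data the token reaches
    scopes: frozenset     # the access rights the user approved
    expires_at: float     # unix time after which the token is dead


class AuthorizationServer:
    """Issues opaque bearer tokens at approval time and answers 'what does this token allow?'."""

    def __init__(self):
        self._tokens = {}

    def issue_token(self, client_id, user, approved_scopes, ttl_seconds=3600, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # random: nothing about the grant is encoded in the token
        self._tokens[token] = TokenRecord(client_id, user, frozenset(approved_scopes), now + ttl_seconds)
        return token

    def introspect(self, token, now=None):
        """Return the TokenRecord for a live token, or None if unknown, revoked or expired."""
        now = time.time() if now is None else now
        rec = self._tokens.get(token)
        if rec is None or rec.expires_at <= now:
            return None
        return rec

    def revoke(self, token):
        self._tokens.pop(token, None)


class ResourceServer:
    """A protected API (calendar, mail). Each operation maps to the scope it needs;
    an operation missing from the map is denied, so new operations start closed."""

    def __init__(self, auth_server, required_scope):
        self._auth = auth_server
        self._required_scope = dict(required_scope)

    def authorize(self, token, operation, now=None):
        """Return (allowed, reason). Only the token and the operation matter here."""
        needed = self._required_scope.get(operation)
        if needed is None:
            return False, "unknown operation"
        rec = self._auth.introspect(token, now)
        if rec is None:
            return False, "invalid or expired token"
        if needed not in rec.scopes:
            return False, f"missing scope {needed}"
        return True, f"{rec.user} via {rec.client_id}"


def scenario(now=1_000_000.0):
    """Replays the post's example: the issuer grants the calendar client a calendar-only token."""
    google = AuthorizationServer()
    calendar = ResourceServer(google, {"read_events": "calendar.read", "add_event": "calendar.write"})
    mail = ResourceServer(google, {"read_inbox": "mail.read"})

    # Constructed grants: the user approved calendar access for Facebook and nothing else.
    rw_token = google.issue_token("facebook", "jared", ["calendar.read", "calendar.write"], now=now)
    ro_token = google.issue_token("facebook", "jared", ["calendar.read"], now=now)

    results = {
        "add_event": calendar.authorize(rw_token, "add_event", now),
        "read_inbox": mail.authorize(rw_token, "read_inbox", now),
        "add_event_readonly": calendar.authorize(ro_token, "add_event", now),
        "after_expiry": calendar.authorize(rw_token, "add_event", now + 7200),
        "unknown_token": calendar.authorize("not-a-token-this-issuer-made", "add_event", now),
    }
    google.revoke(rw_token)
    results["after_revoke"] = calendar.authorize(rw_token, "add_event", now)
    return results


if __name__ == "__main__":
    for name, (allowed, reason) in scenario().items():
        print(f"{name:20s} {'ALLOW' if allowed else 'DENY':5s} {reason}")
```

Two design points worth noticing: the token is random and carries no meaning on its own, so a resource server has to ask the issuer (introspection) rather than trusting anything embedded in the string; and the scope check is deny-by-default, so a read-only token, an expired or revoked token, and a request for an operation nobody mapped to a scope all fail the same way the mail request does.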

Comments

Lonna Hanson says: August 8, 2008 at 1:55 PM

I found this very interesting, Jared. I learned a little bit about Facebook. Good Job!
Mom
