Wednesday, May 9, 2012

OAuth Implementation in WCS

What is OAuth?
OAuth is an open standard for authorization. It allows users to share their private resources
(e.g. photos, videos, contact lists) stored on one site with another site without handing out their credentials:
the second site is given a token instead of the user's username and password. Each token grants access to a specific site
(e.g., a video editing site) for specific resources (e.g., just the videos in one album) and for a defined duration (e.g., the next 2 hours).
This lets a user grant a third-party site access to their information stored with another service provider
without sharing their login credentials or the full extent of their data.

Why OAuth?
The OAuth protocol lets a third-party application identify itself to a content provider and obtain limited, user-approved access to that user's data there, without ever seeing the user's password.

Sample business scenarios
1) You have purchased a product from Walmart online and are adding comments there.
These comments can be shared on Facebook/Twitter.

2) You have placed an online order for the eBook "The Da Vinci Code". You need this eBook in your eReader application.
Here the fulfillment details are sent to the concerned vendor, and the vendor does the order fulfillment for you.

3) You have added a game application on your Facebook account.
The game app asks you to share some public information from Facebook.

Business demands
Share only a subset of the data with third-party applications.
The end user has total control over the data.
Secured data is not shared across third-party applications.
Limited access to secured data.
High security.
Very suitable for web-based applications.
In high demand for social commerce.
No need to share the username and password with third-party applications.

There are mainly 3 actors in this game

1. User - The end user (that is you :))
2. Vendor - Service Provider. The party that actually holds your secure data such as credit card details, personal info, photos etc. (e.g. Facebook)
3. Client - Consumer. Any third-party application such as an e-commerce site, game application etc.

Game Rules
1. User purchases items from the client (third-party application)
2. User wants to use data that is stored on the Vendor side
3. Client sends a request to the Vendor to provide the secure data (limited access)

NB: Here the user must be registered on both the Client side and the Vendor side.

Action :
User logs into the Client side, and the Client redirects the user to the Vendor site.

Vendor authenticates the user and asks the user for permission to provide a temporary key to the Client.

User approves the permission (Client Authorization).

Vendor sends a temporary key (short-lived, lifetime around 10-20 minutes) to the Client.

Client receives the temporary key and, presenting its client secret, requests a permanent key from the Vendor.

Vendor validates the temporary key and the client secret, then issues a valid key with limited access to the Client (the "valet key").

Client receives this valet key and stores it on the Client side (DB, LDAP, etc.). Because this key stands in for the user's permission, it should be stored with the same care as a credential.

Client connects to the Vendor and requests the (limited) information, presenting the valet key.

There will be a mechanism to revoke the valet key as needed.
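The three-party exchange described above, carried through as an added example in Python. This is not code from the original post or from WCS; the names (Vendor, Client, "shop", "alice", the scope names and the TEMP_KEY_TTL value) are assumptions, and the vendor, client and network are stood in by in-memory objects so the whole flow runs offline. It shows both sides of each step: the vendor issuing a temporary key after the user approves a limited scope, the client trading it plus its client secret for a valet key, the vendor refusing a replayed or expired temporary key and a wrong secret, the valet key only unlocking the approved scope, and revocation cutting the client off.

```python
"""User / Vendor / Client delegation flow (constructed example, not WCS code)."""
import hmac
import secrets
import time

TEMP_KEY_TTL = 10 * 60                       # assumed: temporary key lives 10 minutes
SCOPES = {"photos", "contacts", "payment"}   # assumed scope names at the vendor


class Vendor:
    """Service provider: authenticates the user, issues temporary and valet keys."""

    def __init__(self):
        self.clients = {}      # client_id -> client_secret (registered apps)
        self.temp_keys = {}    # temporary key -> grant record
        self.valet_keys = {}   # valet key -> grant record
        self.data = {}         # user -> {scope: protected data}

    def register_client(self, client_id, client_secret):
        self.clients[client_id] = client_secret

    def grant(self, user, client_id, scope, now=None):
        """Called once the user has logged in here and approved the client's request."""
        if client_id not in self.clients:
            raise PermissionError("unknown client")
        if not set(scope) <= SCOPES:
            raise PermissionError("unknown scope")
        now = time.time() if now is None else now
        key = secrets.token_urlsafe(24)               # unguessable temporary key
        self.temp_keys[key] = {"client_id": client_id, "user": user,
                               "scope": frozenset(scope),
                               "expires": now + TEMP_KEY_TTL, "used": False}
        return key

    def exchange(self, client_id, client_secret, temp_key, now=None):
        """Client proves it is the registered app and trades the temporary key in."""
        now = time.time() if now is None else now
        expected = self.clients.get(client_id)
        if expected is None or not hmac.compare_digest(expected, client_secret):
            raise PermissionError("bad client credentials")
        rec = self.temp_keys.get(temp_key)
        if rec is None or rec["client_id"] != client_id:
            raise PermissionError("temporary key not issued to this client")
        if rec["used"] or now > rec["expires"]:
            raise PermissionError("temporary key expired or already used")
        rec["used"] = True                            # single use: blocks replay
        valet = secrets.token_urlsafe(32)
        self.valet_keys[valet] = {"client_id": client_id, "user": rec["user"],
                                  "scope": rec["scope"], "revoked": False}
        return valet

    def fetch(self, valet_key, scope):
        """Resource request: the valet key only opens what the user approved."""
        rec = self.valet_keys.get(valet_key)
        if rec is None or rec["revoked"]:
            raise PermissionError("valet key invalid or revoked")
        if scope not in rec["scope"]:
            raise PermissionError("scope not granted")
        return self.data[rec["user"]][scope]

    def revoke(self, valet_key):
        if valet_key in self.valet_keys:
            self.valet_keys[valet_key]["revoked"] = True


class Client:
    """Third-party application (the consumer)."""

    def __init__(self, client_id, client_secret, vendor):
        self.client_id, self.client_secret, self.vendor = client_id, client_secret, vendor
        self.store = {}    # user -> valet key; stands in for the client's DB/LDAP

    def link(self, user, temp_key, now=None):
        self.store[user] = self.vendor.exchange(
            self.client_id, self.client_secret, temp_key, now)

    def request(self, user, scope):
        return self.vendor.fetch(self.store[user], scope)


def _fails(fn, *args):
    """True if the vendor rejected the call."""
    try:
        fn(*args)
    except PermissionError:
        return True
    return False


def run_scenario():
    """Walk the flow with constructed data; returns what each step yielded."""
    vendor = Vendor()
    vendor.register_client("shop", "s3cret")
    vendor.data["alice"] = {"photos": ["a.jpg"], "contacts": ["bob"], "payment": "4111"}
    shop = Client("shop", "s3cret", vendor)
    t0 = 1_000_000.0
    out = {}
    temp = vendor.grant("alice", "shop", {"photos"}, now=t0)        # alice approves photos only
    shop.link("alice", temp, now=t0 + 60)                            # exchange within TTL
    out["photos"] = shop.request("alice", "photos")
    out["payment_blocked"] = _fails(shop.request, "alice", "payment")
    out["replay_blocked"] = _fails(vendor.exchange, "shop", "s3cret", temp, t0 + 60)
    stale = vendor.grant("alice", "shop", {"contacts"}, now=t0)
    out["expired_blocked"] = _fails(vendor.exchange, "shop", "s3cret", stale, t0 + TEMP_KEY_TTL + 1)
    fresh = vendor.grant("alice", "shop", {"photos"}, now=t0)
    out["wrong_secret_blocked"] = _fails(vendor.exchange, "shop", "wrong", fresh, t0)
    vendor.revoke(shop.store["alice"])                                # user withdraws consent
    out["revoked_blocked"] = _fails(shop.request, "alice", "photos")
    return out
```

The checks the vendor performs in exchange() are the ones that matter in practice: the temporary key is bound to the client that requested it, expires quickly, and can be redeemed only once, and the client secret is compared in constant time. The valet key carries the approved scope with it, so a client holding it still cannot read payment data the user never granted.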