OAuth

This mechanism is used by companies such as Amazon,[5] Google, Meta Platforms, Microsoft, and X (formerly Twitter) to permit users to share information about their accounts with third-party applications or websites.

Designed specifically to work with Hypertext Transfer Protocol (HTTP), OAuth essentially allows access tokens to be issued to third-party clients by an authorization server, with the approval of the resource owner.

Meanwhile, Ma.gnolia needed a solution to allow its members with OpenIDs to authorize Mac OS X Dashboard widgets to access their service.

DeWitt Clinton from Google learned of the OAuth project, and expressed his interest in supporting the effort.

The event was well attended and there was wide support for formally chartering an OAuth working group within the IETF.

The OAuth 2.0 framework was published considering additional use cases and extensibility requirements gathered from the wider IETF community.

Among the threats outlined is one called "Open Redirector"; in early 2014, a variant of this was described under the name "Covert Redirect" by Wang Jing.

This prompted the creation of a new best current practice internet draft that sets out to define a new security standard for OAuth 2.0.

This makes it very easy to write and use HTTP requests supporting the OAuth 2.0 protocol in LibreOffice macros.

The following diagrams highlight the differences between using OpenID (specifically designed as an authentication protocol) and OAuth for authorization.

However, because OAuth was not designed with this use case in mind, making this assumption can lead to major security flaws.

Lastly, XACML can work transparently across multiple stacks (APIs, web SSO, ESBs, home-grown apps, databases...).

Eran Hammer resigned from his role of lead author for the OAuth 2.0 project, withdrew from the IETF working group, and removed his name from the specification in July 2012.

"What is now offered is a blueprint for an authorization protocol", he noted, "that is the enterprise way", providing a "whole new frontier to sell consulting services and integration solutions".

Numerous items were left unspecified or unlimited in the specification because "as has been the nature of this working group, no issue is too small to get stuck on or leave open for each implementation to decide."

David Harris, author of the email client Pegasus Mail, has criticised OAuth 2.0 as "an absolute dog's breakfast", requiring developers to write custom modules specific to each service (Gmail, Microsoft Mail services, etc.)

Authorization flow without OAuth: a hypothetical flow in which the user's login credentials are shared with a third-party application. This poses many security risks, which the OAuth authorization flows are designed to prevent.
A high-level overview of the OAuth 2.0 authorization flow: the resource owner's credentials are used only at the authorization server, never on the client (e.g. the third-party app).
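The flow the captions above describe, as an added example that is not part of the Wikipedia article nor taken from any OAuth provider's code: an in-memory model of the authorization-code grant in which the resource owner's password is checked only by the authorization server, the client receives a short-lived one-time code and exchanges it for an access token, and the resource server accepts the token rather than the password. The redirect URI check in `authorize` is the exact-match defence against the "Open Redirector" threat mentioned earlier; the `state` check on the client side is the usual cross-site request forgery guard. The client id, redirect URI, user name, password and scope are constructed values.

```python
"""Minimal model of the OAuth 2.0 authorization-code flow (added example)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import parse_qsl, urlparse


@dataclass
class AuthorizationServer:
    clients: dict = field(default_factory=dict)        # client_id -> registered redirect URI
    users: dict = field(default_factory=dict)          # username -> (salt, sha256(salt+pw))
    pending_codes: dict = field(default_factory=dict)  # code -> (client_id, username, scope)
    tokens: dict = field(default_factory=dict)         # access token -> (username, scope)

    def register_client(self, client_id, redirect_uri):
        self.clients[client_id] = redirect_uri

    def register_user(self, username, password):
        # Credentials live only here; the client application never handles them.
        salt = secrets.token_bytes(16)
        self.users[username] = (salt, hashlib.sha256(salt + password.encode()).digest())

    def _check_password(self, username, password):
        if username not in self.users:
            return False
        salt, digest = self.users[username]
        return hmac.compare_digest(digest, hashlib.sha256(salt + password.encode()).digest())

    def authorize(self, client_id, redirect_uri, state, username, password, scope, approve):
        """Authorization endpoint. Returns the redirect target for the user agent,
        or None when the request is refused without any redirect."""
        # Open Redirector mitigation: the redirect URI must equal the registered one
        # exactly. A non-matching URI is refused outright; redirecting to it would
        # hand the code (or an error page) to whoever controls that URI.
        if self.clients.get(client_id) != redirect_uri:
            return None
        # The resource owner authenticates to the authorization server only.
        if not self._check_password(username, password) or not approve:
            return f"{redirect_uri}?error=access_denied&state={state}"
        code = secrets.token_urlsafe(32)
        self.pending_codes[code] = (client_id, username, scope)
        return f"{redirect_uri}?code={code}&state={state}"

    def token(self, client_id, code):
        """Token endpoint: redeem an authorization code exactly once."""
        entry = self.pending_codes.pop(code, None)  # pop makes the code single-use
        if entry is None or entry[0] != client_id:
            return None
        _, username, scope = entry
        access_token = secrets.token_urlsafe(32)
        self.tokens[access_token] = (username, scope)
        return access_token

    def introspect(self, access_token):
        return self.tokens.get(access_token)


def read_profile(server, access_token):
    """Resource server: serve the protected resource only for a valid token with
    the required scope. It never sees a password."""
    info = server.introspect(access_token)
    if info is None or "profile:read" not in info[1].split():
        return None
    return {"owner": info[0]}


def run_flow(approve=True, redirect_uri="https://app.example/cb"):
    """Drive one end-to-end flow; returns a summary dict for inspection."""
    srv = AuthorizationServer()
    srv.register_client("app-123", "https://app.example/cb")      # constructed client
    srv.register_user("alice", "correct horse battery staple")    # constructed user
    state = secrets.token_urlsafe(16)  # generated by the client, bound to the session
    location = srv.authorize("app-123", redirect_uri, state, "alice",
                             "correct horse battery staple", "profile:read", approve)
    if location is None:
        return {"outcome": "rejected_redirect_uri"}
    params = dict(parse_qsl(urlparse(location).query))
    if params.get("state") != state:          # client-side CSRF check
        return {"outcome": "state_mismatch"}
    if "code" not in params:
        return {"outcome": params.get("error")}
    access_token = srv.token("app-123", params["code"])
    profile = read_profile(srv, access_token)
    replay = srv.token("app-123", params["code"])  # second redemption must fail
    return {"outcome": "granted", "profile": profile, "code_replay": replay}


if __name__ == "__main__":
    print(run_flow())
    print(run_flow(approve=False))
    print(run_flow(redirect_uri="https://app.example/cb/../other"))
```

`run_flow()` shows the happy path (token issued, profile served, replayed code refused); `run_flow(approve=False)` shows the resource owner declining, which yields an `error=access_denied` redirect and no token; and a mismatched `redirect_uri` is refused before any redirect happens. In a real deployment the code and token would also carry expiry times and the token endpoint would authenticate confidential clients, which this model omits.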