As the use of Web APIs has risen over the years, attacks on them have become an increasingly common cost of doing business. Whether you are an API provider, a developer, or an end user of an application that relies on an API, it is important to understand how that API is secured and what the implications are.
One of the most common methods used is OAuth. The OAuth site defines it as “an open protocol that allows for secure authorization in a simple and standard method from web, mobile and desktop applications.” In other words, it is a popular way to control authorized access to Web APIs, especially when that API can return sensitive user data. What this means for applications is that OAuth gives them a way to obtain delegated access to a user’s information without ever learning the user’s username and password.
For example, if you authorize Pinterest to mirror your Pinterest posts onto Facebook, you are authorizing a third party (Pinterest) to act on your behalf with your Facebook account.
When it automatically makes posts to Facebook, Pinterest is essentially acting as though it is you making those posts. Normally, to log in to Facebook and make posts to your account, one needs your Facebook user ID (usually your email address) and password. But if you want Pinterest or any other third party to make Facebook posts on your behalf, it is a bad idea to give them your Facebook login credentials. Instead, when you authorize Pinterest as a third party that can make such posts, Facebook issues a unique token, known as an OAuth access token, to Pinterest. In this and all OAuth examples, a token is bound to three things: who you are (the user), which third-party app is asking (the Pinterest.com Web site, identified by the client ID it registered with Facebook), and who issued the token (Facebook). In practice it also carries the scope of permissions you consented to and an expiry time, so a token that lets Pinterest post cannot be used for anything you did not grant, and it eventually stops working. Once the third party has this token, which represents the access you granted rather than your credentials, it presents that token instead of your user ID and password when calling Facebook's API to make posts on your behalf. These steps taken together are known as an OAuth flow (often called an OAuth workflow). Note the division of labor: you authenticate to Facebook, and Facebook then authorizes Pinterest to act for you; Pinterest never authenticates as you. OAuth flows are the most common form of delegated authorization for API-based interactions.
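To make the flow above concrete, here is an added example, written for this page and not taken from the tutorial it links to: a self-contained Python simulation of the OAuth 2.0 authorization-code grant with all three parties (token issuer, API, and third-party app) running in one process so it works offline. It goes slightly beyond the paragraph by also showing the standard safeguards a real flow includes: the redirect URI and client secret checks at the issuer, single-use short-lived authorization codes, the `state` value the client uses to tie the redirect back to its own request, and scope enforcement by the API. The user name, password, client ID, client secret, redirect URI and scope strings are all constructed for illustration.

```python
import hashlib
import hmac
import secrets
import time


class OAuthError(Exception):
    """Any failed step; a real server would return an OAuth error response."""


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AuthorizationServer:
    """The token issuer (the Facebook role). Only it ever sees user passwords."""

    def __init__(self, clients, users):
        self.clients = clients  # client_id -> (client_secret, redirect_uri), registered out of band
        self.users = {}         # username -> (salt, pbkdf2 hash); passwords never leave here
        for username, password in users.items():
            salt = secrets.token_bytes(16)
            self.users[username] = (salt, _hash(password, salt))
        self.codes = {}   # one-time authorization codes
        self.tokens = {}  # access_token -> (user, client_id, scope, expiry)

    def authorize(self, client_id, redirect_uri, scope, state, username, password):
        """Authorization endpoint: the user logs in and consents here, in the browser.
        Returns (code, state) as they travel on the redirect back to the client."""
        if self.clients.get(client_id, (None, None))[1] != redirect_uri:
            raise OAuthError("unknown client or redirect_uri mismatch")
        salt, stored = self.users.get(username, (b"", b""))
        if not stored or not hmac.compare_digest(stored, _hash(password, salt)):
            raise OAuthError("login failed")
        code = secrets.token_urlsafe(24)
        self.codes[code] = (username, client_id, redirect_uri, scope, time.time() + 60)  # short-lived
        return code, state

    def token(self, client_id, client_secret, code, redirect_uri):
        """Token endpoint: the client trades its code plus its own secret for a token."""
        secret, _ = self.clients.get(client_id, (None, None))
        if secret is None or not hmac.compare_digest(secret, client_secret):
            raise OAuthError("client authentication failed")
        entry = self.codes.pop(code, None)  # single use: consumed here even if checks below fail
        if entry is None:
            raise OAuthError("invalid or already used code")
        user, bound_client, bound_uri, scope, expiry = entry
        if bound_client != client_id or bound_uri != redirect_uri or time.time() > expiry:
            raise OAuthError("code not issued to this client")
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (user, client_id, scope, time.time() + 3600)
        return token

    def introspect(self, token):
        entry = self.tokens.get(token)
        return None if entry is None or time.time() > entry[3] else entry


class ResourceServer:  # the API the third party calls with the token instead of a password
    def __init__(self, auth):
        self.auth = auth
        self.posts = []  # (user, client_id, text)

    def create_post(self, bearer_token, text):
        info = self.auth.introspect(bearer_token)
        if info is None:
            raise OAuthError("401 invalid or expired token")
        user, client_id, scope, _ = info
        if "post:write" not in scope.split():
            raise OAuthError("403 insufficient scope")
        self.posts.append((user, client_id, text))
        return len(self.posts)


def run_client_flow(auth, api, client_id, client_secret, redirect_uri, scope, browser):
    """The third party's (Pinterest's) side. `browser` plays the user's browser: it
    gets the authorization request and returns what the redirect carries back."""
    state = secrets.token_urlsafe(16)  # ties the redirect to this request (anti-CSRF)
    code, returned_state = browser(client_id, redirect_uri, scope, state)
    if not hmac.compare_digest(state, returned_state):
        raise OAuthError("state mismatch: redirect did not come from our request")
    token = auth.token(client_id, client_secret, code, redirect_uri)  # no user password involved
    return token, api.create_post(token, "Mirrored pin (constructed sample)")


def demo():
    """Wire the three parties together. Every identifier here is constructed."""
    auth = AuthorizationServer(
        clients={"pinterest-web": ("client-secret-xyz", "https://pinterest.example/oauth/cb")},
        users={"alice": "correct horse battery staple"})
    api = ResourceServer(auth)
    # Alice types her password into Facebook's login page, never into Pinterest.
    browser = lambda cid, uri, scope, state: auth.authorize(
        cid, uri, scope, state, "alice", "correct horse battery staple")
    token, post_id = run_client_flow(auth, api, "pinterest-web", "client-secret-xyz",
                                     "https://pinterest.example/oauth/cb", "post:write", browser)
    return auth, api, token, post_id
```

Calling `demo()` runs one complete flow: the client ends up with a token bound to `("alice", "pinterest-web", "post:write")` and one post created as Alice, while the password only ever passed through `AuthorizationServer.authorize`. The same objects let you try the failure modes: a code redeemed with the wrong client secret or a mismatched redirect URI is refused, a code cannot be redeemed twice, a token granted only `post:read` is rejected by the API with a 403, and a redirect carrying a `state` the client did not generate is discarded before any code is exchanged.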
OAuth flows can be a bit of an enigma to those who have not seen one, so it helps to walk through an example in action along with all the code that makes it happen. This tutorial shows a typical OAuth flow, demonstrating how a third-party application interacts with the ZenDesk REST API using OAuth to obtain access. The example third-party app is a server-side app written in Python on the Bottle framework, and the tutorial also walks you through setting up Python and installing the framework. Even though it is specific to a Python server-side app connecting to the ZenDesk API, the basic principles apply to any OAuth flow, and it makes a great starter project for getting smart about OAuth.