OAuth: How Does ‘Login With Facebook/Google’ Work?
OAuth is a protocol that allows third-party websites to access and retrieve select pieces of information from larger websites in order to authenticate users. This process is safe and secure, and helps to protect confidential information.
It is absolutely safe to log in to other websites using your Facebook or Google account. Big tech companies (e.g. Google, Facebook etc.) use a standard called OAuth, which allows other websites to access and retrieve select pieces of information from these big websites in order to authenticate users.
What is OAuth?
OAuth is a protocol that helps ‘big’ websites (websites that have a very large number of users, such as Google, Facebook etc.) grant access to its users’ information to third-party websites or applications without sharing the users’ passwords and other private, sensitive details.
A hypothetical situation where OAuth fits perfectly
Suppose you want to make some quick edits to an image online. You go to a website, say, Canva, which helps you edit your image directly in your web browser window. However, there’s a catch; in order to use its services, Canva requires you to sign up.
Since the image only requires 5-6 minutes of quick editing, you might not feel like spending even more time filling out a sign-up form from scratch. Or you might just be too bored to fill out a form. I know plenty of people who frown at the mere sight of a sign-up page!
To be honest, I think it’s fairly reasonable to get upset. In the modern, fast-paced world, where the attention span of an Internet user is less than a minute, asking a user who intends to spend only a few minutes on your website to sign up and create an account from scratch is actually asking a lot! The user might just leave such a ‘demanding’ website and find another that doesn’t require them to sign up for anything.
How OAuth saves you from hassles of Signing Up?
Most third-party websites (that require you to have an account) understand the reluctance of users to create new accounts. In a bid to ensure that they do not lose out on such ‘reluctant’ users, these third-party websites implement the OAuth standard in their system.
An OAuth-enabled third-party website (e.g., Canva) typically gives you 2 options: either sign up the ‘conventional way’, i.e., by filling out an online form, or sign up using Facebook or Google.
Canva, like virtually all websites on the Internet, knows that Facebook and Google have a mammoth user base (i.e., the number of users of their services runs in the billions), and it bets on the fact that you might have an account on either/both of those websites (Google/Facebook).
Therefore, instead of asking a new user to fill out a sign-up form manually, which could potentially take 10 minutes or more, depending on the speed and ‘annoyance level’ of the user, Canva simply asks you to sign up using your Google/Facebook account.
How does OAuth work?
This is basically how the OAuth standard works:
Suppose, you (the user) need to sign up/create an account on a third-party website/application (e.g., Canva).
First, you click on the “Sign up with Facebook’ button.
It redirects you to Facebook.com and checks whether you are already logged in to Facebook. If you’re not, then it prompts you to enter your username and password to access your account. Once logged in, it shows you a small dialog box that describes the kind and extent of information that you’ll be sharing with the third-party website. If you are okay with sharing the required info with that third-party website, you press the ‘Continue’ button.
If you’re not okay with the info that’s going to be shared with the third-party website, you can always edit your preferences.
Now, Facebook redirects you to the concerned third-party website with an authentication code, which is basically Facebook’s way of telling the website that ‘yes, this person holds a valid account with me’.
The website now shows Facebook the unique code it acquired when it first registered itself with Facebook as a legitimate website/application. Facebook uses that code to verify the identity of the website, and in return, grants an access token to the website.
It is this token that the website uses to gain restricted/limited access to some of your account information, usually consisting of your name, email address, gender and so on.
This is, in essence, how OAuth helps big websites like Google or Facebook grant limited access to users’ select pieces of information to third-party applications. To read more about the entire process, check out the official pages of Facebook and Google that discuss this system in great detail.