Imagine how cool it would be not to have to create a username or verify your email for every website you create an account on.
Imagine how cool it would be not to have to create new passwords regularly and then try to recall which is which for every website you have an account on.
The internet is a massive world that keeps growing day after day, with new tools appearing all the time.
As an Internet user who wants all the help you can get in your career, you are going to be using (or trying out) different tools every now and then.
This means creating an account for each of these tools: a unique username, a password, and then an email verification.
Thankfully, Google and other tools save your passwords so you don't have to recall them. But if nothing saved that password, you have to go through the stress of resetting it.
Now, that is the picture for you as the user of an app. What about you as the person who builds the app? How stressful is it for you?
For Developers
Imagine how cool it would be not to have routes for verifying emails and resetting passwords, or not to worry about hashing users' passwords when they sign up and comparing the hashes when they log in.
Imagine how cool it would be not to worry about minting a session token for every user with JSONWebToken or anything else, or about sending emails for email verification and then again for password resets (which costs real money at scale).
How can we achieve all these cool things?
I am sure you are familiar with the Sign in with Google button on different web apps, like this one (dev.to). You've probably also seen the Facebook, Twitter, LinkedIn, GitHub, and Apple versions of it.
There you have it: that button is what makes all those cool things possible. It makes life easy for users as well as developers.
With it, users won't have to create an account with an email, username, and password, and then upload a profile picture, on your app and on every other website they visit. And you, the developer, won't have to handle those requests.
The user creates one account with a provider and reuses their public profile from it on every other website they use or will use.
Cool, right? Personally I'd rather click one or two buttons to get signed up than type (and verify) my email, construct a unique username, and invent a strong password.
Now let's look at how these cool things work and what powers them.
How it works
All of that is powered by OAuth, an open standard protocol for authorization. It is the way your users grant your app permission to access their information on another website they are already a member of. Strictly speaking, OAuth 2.0 only hands out access to an API; the "who is this user" part of a sign-in button comes either from OpenID Connect (an identity layer built on top of OAuth 2.0, used by Google and Apple among others) or from calling the provider's user-profile API with the token you were given, which is how GitHub sign-in works.
With OAuth, a user can create one account on a website and link that information to every other website. Trust me when I say that is the best thing a user will ever want to encounter.
That last paragraph made it sound like the user has a lot of work to do, but that is not the case. Here is how OAuth works.
How OAuth works
There are different companies (providers, you may say) that offer OAuth; some of the most popular are Google, Facebook, Twitter, Apple, GitHub, LinkedIn, and Discord (wait, is Discord popular? hmm).
Though they are different companies with different ways of handling their authorization, the principle is the same.
As a Developer
- Create an OAuth app with the company (Facebook, Google, etc.). You get an app (client) ID and an app secret, and you register the redirect URL the provider is allowed to send users back to.
- Send the user to the provider with your app ID. After the user approves, the provider redirects them back to your registered URL with a short-lived authorization code, and your server exchanges that code plus the app secret for an access token for that user.
- Use that token to call the company's API that returns the user's information.
The italics in the original marked the three key words: OAuth app ==> token ==> API. That is the summary for every OAuth provider, and it is what you should look for in any of their documentation.
I have a complete post on my blog where I explain how OAuth works and show some use cases (using GitHub), with the source code linked. Go check it out.
As a User
I am assuming you (as a user) are already on the website you intend to create an account with.
- Click the Sign in with Google button on the website.
- You are redirected to Google accounts, where you authorize the app by clicking a button.
- You are redirected back to the original website and, boom, your account is created.
As a user, you basically just clicked two buttons and you are all set up. When logging in later, you simply click one button (i.e. Continue with Google).
Pros and Cons of using OAuth in your app
Pros
It is secure, on the provider's side. Companies like Google don't play with their users' privacy, and they handle password storage, breach detection, and MFA for you. What is still on you, the developer, is the integration: keep the app secret on the server and out of the browser, register the exact redirect URL and nothing broader, bind every login attempt to a random state value stored in the session and reject callbacks whose state does not match, and don't trust an email address the provider reports as unverified. Get those wrong and the provider's security does not help you.
It is easier and faster. Users don't have to go through the stress of creating a password, uploading a profile picture, verifying their email, or resetting a forgotten password. The worst case is a user who forgets which email or provider they signed up with.
You can act on behalf of a user. Apart from reading a user's public info, some providers' APIs let your app do things on the user's behalf through OAuth. For example, your app can create a GitHub repository for your user. This is controlled by scopes, which the user sees and approves on the consent screen, so request only the scopes you actually need; see each provider's scope documentation for what is available.
Cons
There may be limits. Companies like Facebook, Twitter, and Discord limit how many requests you can make to their API per hour. Facebook's Graph API, for example, allows roughly 200 calls per hour multiplied by the number of users of your app. So get acquainted with each provider's documentation to understand how its limits work.
Solution: minimize the number of requests you make to the API, and cache the profile data you need instead of refetching it on every page load.
Tokens don't last forever. Recall that tokens are what we use to access users' information. Well, they expire. A Facebook long-lived token expires after about 60 days; Discord's access tokens are much shorter-lived; tokens issued to classic GitHub OAuth Apps don't expire at all unless the user revokes them.
Solution: Google and Discord (like most OpenID Connect providers) give you a refresh token, which your server exchanges for a new access token when the old one expires; Facebook instead lets you exchange a short-lived token for a long-lived one. Either way, store these tokens server-side and treat a refresh token as carefully as a password, because it is one in effect.
An expiring token should not be new to a developer who has worked with JSONWebToken. Tokens expire for security reasons (a leaked one stops working on its own), so as a developer you should know how to handle it and, more importantly, when: refresh shortly before expiry rather than after a request fails, and treat an invalid_grant reply to a refresh as the user having revoked your app, which means sending them through login again rather than retrying.
Conclusion
OAuth is now standard across the industry. Providers like Google have polished the experience to the point that when a user revisits a website they signed up for with Google, they can be signed back in with a single prompt, or no prompt at all.
The number of developers working with OAuth has grown massively; you can tell by visiting a handful of sites.
Alright, that is it for now. I hope to hear back from you about how it increased your app's users, or how OAuth has been a great help to you (if you have been using it).
Top comments (2)
There's a reason why Ben Awad uses social media OAuth for DogeHouse instead of making his own account system: he can outsource a lot of things like security, abuse prevention, and so on. He doesn't need to work on MFA/2FA etc.; he just needs to use an OAuth provider that has those things.
Yeah, exactly. We've gone past that stage. One major reason I adopted OAuth is its convenience for developers and users.