OAuth for Spring Security
provides support for enabling OAuth
on the Spring platform
. Be sure to check out the tutorial
that will illustrate how OAuth works.
OAuth can be explained by describing the problem it is trying to solve. Let's say you're a sizeable social networking site
and you'd like to offer a feature to your users to allow them to search their webmail contacts
for import into their social network. The problem is, you (the "consumer") need access to a resource that is protected by a another site (a.k.a. "service provider"). How do you go about doing that?.
Option 1: Just ask the user for his/her credentials and promise that you won't store them or do anything bad with them. Well, it works, I suppose, but this isn't a great general-purpose practice for online applications. And it's not hard to see why. Sure, you might be trustworthy, but there are plenty of other sites who are not. And what about the service provider? How would you feel about your users giving out their credentials to other sites that want access to the resources you protect?
Option 2: Use OAuth. OAuth is a protocol that was defined to address this problem. Continuing the above example, let's say that you've established a trust with the webmail service providers. You share a "secret" (which in practical terms is a passphrase or a public key or something) that you can use to gain access to the webmail contacts—provided, of course, that the user approves it. In order to gain this approval, all you have to do is redirect the user to the login page of the webmail service provider and have the user tell the service provider that it's okay that you access his/her contacts.
OAuth is a protocol standard that can be used to enable this mechanism.