OAuth Primer: Part 2

Following up on my previous post on OAuth, let's walk through a hypothetical SmartVault integration. Say we have an expense tracking system, Sprocket's Tracker, that lets me fill out expense reports online.

When I've completed an expense report, I can submit it for approval and payment. Once the report is approved, an entry is automatically created in QuickBooks.

Now, in an ideal world the supporting documentation (receipts, etc.) would also be stored in SmartVault and attached to that transaction.

Without OAuth, Sprocket's Tracker would somehow have to hold my SmartVault username and password in order to attach those documents in SmartVault.

Well that sucks. I have to hand my username and password to Sprocket's, a third party now holds a credential that can do anything I can do in SmartVault, and whenever I change my password I have to remember to update it there too.

We can streamline this quite a bit by employing OAuth, in particular what is called an autonomous flow: the integrating service authenticates to SmartVault as itself and acts on behalf of the users who have authorized it, instead of logging in as them.

Here's how. Sprocket's Tracker and SmartVault work together by establishing what is known as a trust relationship: Sprocket's Tracker is registered with SmartVault and holds credentials of its own, separate from any user's password.

Using this trust relationship, Sprocket's Tracker service can talk to SmartVault's service, and SmartVault can be sure that it really is Sprocket's Tracker doing the talking.

Now, we can employ OAuth in a couple of ways to help us. Let's say you sign up for Sprocket's Tracker service, and during that sign-up process Sprocket's automatically creates a SmartVault account for you.

It can do this because of the trust relationship. As part of that process, SmartVault records an authorization that lets Sprocket's act on your behalf in your new account; in this post I'll call that impersonating you.

Now I can just start using Sprocket's service: when I import a transaction into QuickBooks, the documents are attached automatically.
My username and password are never asked for, and Sprocket's never sees them.

It gets better. Let's say I've used Sprocket's for a while and I've decided I don't like it much, but I'm happy with SmartVault.
I simply log into SmartVault and deauthorize Sprocket's. Sprocket's is no longer allowed to impersonate me. That's it.

If Sprocket's had my username and password, they could keep logging in as me until I changed it; with OAuth, revoking the authorization is enough and they can't. In the old way of doing things I should change my password to be safe. No need now.

Imagine I had 12 employees using this integration — ask them all to change their passwords?!?

Time passes and I find a new vendor for expense tracking — the vendor even integrates with SmartVault. Now I just log into SmartVault and authorize my new vendor to impersonate me.

Life is good. I even remember that it's the end of the quarter, so I should change my password in SmartVault. Guess what? The integration with my new expense tracking system doesn't break; it just keeps working, because the authorization I granted is separate from my password.
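To make the properties above concrete, here is a toy model of the flow in Python. This is an added example written for this post, not SmartVault's API or Sprocket's code; the server class, its method names and the scenario data are all hypothetical. It models the three pieces the post relies on: a registered client with its own secret (the trust relationship), a per-user authorization recorded by the vault, and access tokens that are minted only when the client proves its identity and an active authorization exists. The user's password is stored by the vault but never passes through the client.

```python
# Toy model of the "autonomous" OAuth-style flow described in this post.
# Constructed example; not SmartVault's real API. All names are hypothetical.
import hashlib
import hmac
import secrets
from dataclasses import dataclass


class AuthError(Exception):
    """Raised whenever the vault refuses a request."""


@dataclass
class Grant:
    client_id: str
    user: str
    revoked: bool = False


class VaultServer:
    """Hypothetical stand-in for SmartVault: users, registered clients,
    the authorizations users give clients, and tokens minted from them."""

    def __init__(self):
        self._clients = {}   # client_id -> sha256(client_secret)
        self._users = {}     # username -> (salt, pbkdf2 hash), or None until set
        self._grants = {}    # (client_id, username) -> Grant
        self._tokens = {}    # access token -> (client_id, username)
        self._docs = {}      # username -> attached document names

    # Trust relationship: the vendor registers once and receives its own secret.
    def register_client(self, client_id):
        secret = secrets.token_urlsafe(32)
        self._clients[client_id] = hashlib.sha256(secret.encode()).digest()
        return secret

    def _check_client(self, client_id, secret):
        stored = self._clients.get(client_id)
        presented = hashlib.sha256(secret.encode()).digest()
        if stored is None or not hmac.compare_digest(stored, presented):
            raise AuthError("client authentication failed")

    # Sign-up through the vendor: account and authorization are created together.
    # The vendor never learns, or needs, the user's password.
    def provision_user(self, client_id, secret, username):
        self._check_client(client_id, secret)
        if username in self._users:
            raise AuthError("user already exists")
        self._users[username] = None
        self._grants[(client_id, username)] = Grant(client_id, username)

    @staticmethod
    def _pw_hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

    def set_password(self, username, new_password, old_password=None):
        current = self._users[username]
        if current is not None:  # changing, not setting: prove the old one
            salt, digest = current
            if old_password is None or not hmac.compare_digest(
                digest, self._pw_hash(old_password, salt)
            ):
                raise AuthError("wrong password")
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, self._pw_hash(new_password, salt))
        # Grants and tokens are deliberately untouched: they are tied to the
        # authorization, not to the password.

    # The user authorizes or deauthorizes a vendor from inside the vault.
    def authorize(self, username, client_id):
        if client_id not in self._clients:
            raise AuthError("unknown client")
        self._grants[(client_id, username)] = Grant(client_id, username)

    def revoke(self, username, client_id):
        grant = self._grants.get((client_id, username))
        if grant is not None:
            grant.revoked = True
        # Also invalidate any tokens already minted from that authorization.
        self._tokens = {t: v for t, v in self._tokens.items() if v != (client_id, username)}

    # Token endpoint: the client proves who it is, the vault checks the grant.
    def token(self, client_id, secret, username):
        self._check_client(client_id, secret)
        grant = self._grants.get((client_id, username))
        if grant is None or grant.revoked:
            raise AuthError("no active authorization for this user")
        tok = secrets.token_urlsafe(32)
        self._tokens[tok] = (client_id, username)
        return tok

    # Resource endpoint: the only way documents get attached.
    def attach_document(self, token, doc_name):
        owner = self._tokens.get(token)
        if owner is None:
            raise AuthError("invalid or revoked token")
        self._docs.setdefault(owner[1], []).append(doc_name)
        return list(self._docs[owner[1]])


def can_attach(vault, client_id, secret, username, doc):
    """True if this client can attach `doc` for `username` right now."""
    try:
        vault.attach_document(vault.token(client_id, secret, username), doc)
        return True
    except AuthError:
        return False


def run_story():
    """Replay the post's scenario and report the outcome at each step."""
    vault = VaultServer()
    sprocket = vault.register_client("sprockets-tracker")
    vendor2 = vault.register_client("new-vendor")
    vault.provision_user("sprockets-tracker", sprocket, "alice")  # sign-up via Sprocket's
    vault.set_password("alice", "initial-pw")                     # Alice picks her own password
    out = {"after_signup": can_attach(vault, "sprockets-tracker", sprocket, "alice", "receipt-1.pdf")}
    vault.revoke("alice", "sprockets-tracker")                    # deauthorize in the vault
    out["after_revoke"] = can_attach(vault, "sprockets-tracker", sprocket, "alice", "receipt-2.pdf")
    vault.authorize("alice", "new-vendor")                        # switch vendors
    out["new_vendor"] = can_attach(vault, "new-vendor", vendor2, "alice", "receipt-3.pdf")
    vault.set_password("alice", "quarterly-pw", old_password="initial-pw")  # end-of-quarter change
    out["after_password_change"] = can_attach(vault, "new-vendor", vendor2, "alice", "receipt-4.pdf")
    out["wrong_client_secret"] = can_attach(vault, "new-vendor", "guess", "alice", "receipt-5.pdf")
    return out
```

Running `run_story()` shows the four things the post promises: the vendor can attach documents right after sign-up without ever handling Alice's password, revoking the authorization stops it immediately (including tokens it already holds), a newly authorized vendor works, and a password change does not disturb the authorization. The last entry shows the other half of the trust relationship: a caller that cannot present the registered client secret gets nothing, even for a user who has authorized that client.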

Just a little taste of what OAuth can bring to the table.