OAuth发生时，我们注册SO帐户与Facebook/谷歌 按钮。

应用程序(SO)将用户重定向到提供者的授权URL。(显示一个网页，询问用户是否希望授予应用程序读取和更新数据的访问权限)。 用户同意授予应用程序。 服务提供者将用户重定向回应用程序(SO)，将授权代码作为参数传递。 SO用代码交换访问权限。

来源:OAuth1服务提供者

Simply put OAuth is a way for applications to gain credentials to your information without directly getting your user login information to some website. For example if you write an application on your own website and want it to use data from a user's facebook account, you can use OAuth to get a token via a callback url and then use that token to make calls to the facebook API to get their use data until the token expires. Websites rely on it because it allows programmers to access their data without the user having to directly disclose their information and spread their credentials around online but still provide a level of protection to the data. Will it become the de facto method of authorization? Perhaps, it's been gaining a lot of support recently from Twitter, Facebook, and the likes where other programmers want to build applications around user data.

OAuth(开放授权)是访问授权/授权协议的开放标准。它是互联网用户授权网站或应用程序访问他们在其他网站上的信息而不提供密码的一种方式。它不处理身份验证。

Or

OAuth 2.0是一种协议，允许用户将其在一个站点上的资源的有限访问权限授予另一个站点，而无需暴露他们的凭据。

Analogy 1: Many luxury cars today come with a valet key. It is a special key you give the parking attendant and unlike your regular key, will not allow the car to drive more than a mile or two. Some valet keys will not open the trunk, while others will block access to your onboard cell phone address book. Regardless of what restrictions the valet key imposes, the idea is very clever. You give someone limited access to your car with a special key, while using your regular key to unlock everything. src from auth0 Analogy 2: Assume, we want to fill an application form for a bank account. Here Oauth works as, instead of filling the form by applicant, bank can fill the form using Adhaar or passport. Here the following three entities are involved: Applicant i.e. Owner Bank Account is OAuth Client, they need information Adhaar/Passport ID is OAuth Provider

OAuth主要是关于委托授权(选择可以为您进行授权的人)。请注意，身份验证和授权是不同的事情。OAuth是授权(访问控制)，如果还想实现身份验证(ID验证)，可以在OAuth之上使用OpenID协议。

All big companies like Facebook, Google, Github,... use this kind of authentication/authorization nowadays. For example, I just signed in on this website using my Google account, this means Stackoverflow doesn't know my password, it receives the allowance from Google where my password (hashed obviously) is saved. This gives a lot of benefits, one of them is; In the near future you won't have to make several accounts on every website. One website (which you trust most) can be used to login to all other websites. So you'll only have to remember one password.

究竟什么是OAuth(开放授权)?

OAuth允许通知资源提供者(例如Facebook)，资源所有者(例如您)授予第三方(例如Facebook应用程序)访问他们的信息(例如您的朋友列表)的权限。

如果你看清楚了，我就能理解你的困惑了。让我们举一个具体的例子:加入另一个社交网络!

假设您有一个现有的Gmail帐户。你决定加入领英。手动添加你所有的朋友是很烦人的，而且容易出错。你可能中途就厌倦了，或者在邀请函的电子邮件地址中插入了错别字。所以你可能会忍不住不去创建一个账户。

面对这种情况，LinkedIn™有一个好主意，写了一个程序，自动添加你的朋友名单，因为电脑在无聊和容易出错的任务上要有效率得多。既然现在加入网络是如此容易，你不可能拒绝这样的提议，对吧?

如果没有API来交换这个联系人列表，你将不得不把你的Gmail帐户的用户名和密码交给领英，从而给了他们太多的权力。

这就是OAuth的用武之地。如果您的GMail支持OAuth协议，那么LinkedIn可以要求您授权他们访问您的GMail联系人列表。

OAuth允许:

Different access levels: read-only VS read-write. This allows you to grant access to your user list or bi-directional access to automatically synchronize your new LinkedIn friends to your Gmail contacts. Access granularity: you can decide to grant access to only your contact information (username, e-mail, date of birth, etc.) or to your entire list of friends, calendar and whatnot. It allows you to manage access from the resource provider's application. If the third-party application does not provide a mechanism for canceling access, you would be stuck with them having access to your information. With OAuth, there is a provision for revoking access at any time.

在不久的将来，它会成为事实上的标准吗?

虽然OAuth是向前迈出的重要一步，但如果人们不正确使用它，它就不能解决问题。例如，如果资源提供者一次只对所有资源提供一个读写访问级别，而不提供管理访问的机制，那么就没有指向它的点。换句话说，OAuth是一个提供授权功能而不仅仅是身份验证的框架。

在实践中，它非常符合社会网络模型。对于那些希望允许第三方“插件”的社交网络来说，它尤其受欢迎。在这个领域中，访问资源本身是必要的，同时也是不可靠的(例如，您对这些应用程序几乎或根本没有质量控制)。

我在野外还没见过这么多其他用途。我的意思是，我不知道有哪家在线金融咨询公司会自动访问你的银行记录，尽管技术上可以这样使用。

OAuth发生时，我们注册SO帐户与Facebook/谷歌 按钮。

应用程序(SO)将用户重定向到提供者的授权URL。(显示一个网页，询问用户是否希望授予应用程序读取和更新数据的访问权限)。 用户同意授予应用程序。 服务提供者将用户重定向回应用程序(SO)，将授权代码作为参数传递。 SO用代码交换访问权限。

来源:OAuth1服务提供者