OAuth 2.0

Parent Previous Next

multiFEED uses a couple of external tools that require a user account, such as the Google and bitly URL shortening services. This brings up the question of how to authenticate your account with those services without compromising your login credentials. Since this a common requirement, the Internet community has come up with a protocol called OAuth 2.0 (there is an OAuth 1.0, but it is rarely used). With OAuth an application such as multiFEED can ask a service for an "access token", or key, that allows it to access the service on your behalf, but the authentication with that service is not done within the application, but instead by sending you to a login page using a safe browser. Upon successful login the token is sent back to the application automatically. This way the application never knows what credentials you used to log in to the service, it is just given the token to use when making calls to use the service.


This token cannot be used to log in to your account with the service provider, it is only good for making specific types of service requests, such as to shorten a URL. This method has proven to be very secure and all the major companies such as Google, Microsoft, Facebook, Twitter, LinkedIn, etc., use OAuth to allow other applications access to to their services in a safe, controlled way. If you are reading your GMail messages on your BlackBerry device using the system email application then you are using a Google OAuth token to do it.


Access tokens can be "permanent" (at least until they are explicitly revoked), or they can expire after a certain time period. For instance, bitly tokens are permanent, whereas Google access tokens are only good for one hour from issue. Most services that provide fairly short-lived access tokens also supply a longer-lived "refresh token" that can be used to request a new access token without needing the user to authenticate again. Google refresh tokens, as an example, last up to one year, but are automatically revoked if they are not used for six months. A Google refresh token may also be revoked if the user's account exceeds 25 registered applications. When the user tries to register a 26th application for a refresh token, the oldest one is automatically revoked without any warning or notice. Once a refresh token has expired or been revoked the user must log in and authenticate again.


Smaller companies with single-product offerings, such as bitly, supply a single access token that works for all their services, but companies like Google with many products an application might want to use require the application to specify the "scope" when requesting a token. The returned token is good only for the scope specified when it was requested. This way, when multiFEED asks Google for a token that will allow it to shorten URLs, that same token can't be used to read GMail, access the user's Google Drive, or look at the User's calendar. The scope of a Google access token can cover more than one service with a single authentication, but the Google OAuth login page clearly indicates the scope of the request.


multiFEED remembers access and refresh tokens when it is shut down, so the user should only need to authenticate each service once. If the token is revoked, however, either automatically like Google, or explicitly by the user, then the next time the service is used or multiFEED is started the user will be asked to authenticate again.


The safety inherent in the OAuth 2.0 system relies on the fact that authentication is done in a known-safe environment, that is to say, a web browser that won't be grabbing your login credentials when you enter them and send them off to some nefarious app creator. If any application presents the OAuth login page on a built-in browser you run the risk of your credentials being stolen. For this reason, by default multiFEED launches the BlackBerry 10 Browser when it needs you to authenticate an OAuth access token. The only problem with this is that once you have finished authenticating you must manually close the browser page and the browser, and return to multiFEED. If you trust arsMOBILIS not to steal your credentials (you can), you can configure multiFEED to use a built-in browser for authentication instead, which allows the application to automatically close the authentication browser and return you to multiFEED when you are done. As stated though, the default is for multiFEED to use the BlackBerry 10 Browser for authentication, and you can leave it this way for maximum safety.