OAuth use case


Alex Barnett rhetorically asks, "OAuth is a big idea, but is it a 'solution looking for a problem to solve'?" and decides that the end-user problem is real. Here’s an actual use case for the problem and why OAuth solves it.

Deane got tricked by Shelfari when he let them check his Gmail contacts to see if any of them were already members of the service.

Shelfari offered to check his contact list to help him make the social service more useful. All he had to do was put in his Gmail user name and password so Shelfari could see his contacts. He took the bait, and Shelfari used his juicy 900-plus-member contact list as a way of virally distributing their service. They shot an email out, in Deane’s name, to everybody on his contact list. They made the email sound as if Deane was personally inviting you to join Shelfari.

In Deane’s comments, Dave says "What I don’t understand is what would possess anyone to ever provide their primary email account information to a third party service."

That’s sort of the point behind OAuth. With it, an application can define what activities a third party service can perform, and the end user can decide which of those they’d like to give someone access to.

Google could say that third party services could access your contact list in Gmail, mark items as spam in Gmail, access your OPML file in Reader, and read your AdSense report data. A third party service named YASN (Yet Another Social Network) could build in OAuth support and ask for access to Gmail contact lists.

You come along and log into YASN, and they tell you they can check your contacts. You decide that sounds nice and you’re sent over to Gmail’s site to log in. After logging into Gmail, you get asked if you’d like to give YASN access to your contacts. You agree, YASN gets an auth token they can use to see your contacts, and you end up back on YASN’s site with your contact list.

Later, YASN decides to use that auth token to buy some ads in AdWords—free advertising for them, courtesy of your wallet. But that Auth token doesn’t work for AdWords. Or for reading your email in Gmail. Or for anything else—just for reading your contact list.

You decide later that YASN isn’t for you, and you don’t want them seeing your contacts any more. You can now log into Gmail and revoke that auth token they’ve got. Next time they try to get access to your contacts, they’ll be denied—that token isn’t any good now.
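The three properties the scenario relies on, scopes fixed when the user consents, a token that fails for anything outside those scopes, and revocation that kills the token without the user changing a password, can be modelled in a few dozen lines. The following is an added example, not code from this post, from Google, or from any OAuth library; the scope names `contacts.read` and `adwords.purchase`, the user `deane` and the client `yasn` are constructed for the walkthrough.

```python
import secrets
from dataclasses import dataclass


class AccessDenied(Exception):
    """Raised when a token is missing, revoked, or lacks the requested scope."""


@dataclass
class Token:
    value: str
    user: str
    client: str
    scopes: frozenset
    revoked: bool = False


class AuthorizationServer:
    """Stand-in for the provider side (Gmail in the article).

    The user approves a fixed set of scopes for one client; the token that
    results can only ever exercise those scopes, and the user can revoke it.
    """

    def __init__(self):
        self._tokens = {}

    def grant(self, user, client, scopes):
        # The token value is random and unguessable; the scope set is frozen
        # at issue time, so the client cannot widen it later.
        value = secrets.token_urlsafe(16)
        self._tokens[value] = Token(value, user, client, frozenset(scopes))
        return value

    def check(self, value, scope):
        tok = self._tokens.get(value)
        if tok is None or tok.revoked or scope not in tok.scopes:
            raise AccessDenied(f"scope {scope!r} not authorized for this token")
        return tok

    def revoke(self, user, client):
        # What "log into Gmail and revoke that token" does: every live token
        # this user granted to this client stops working immediately.
        count = 0
        for tok in self._tokens.values():
            if tok.user == user and tok.client == client and not tok.revoked:
                tok.revoked = True
                count += 1
        return count


class ResourceServer:
    """Stand-in for the APIs the token is presented to (contacts, AdWords)."""

    def __init__(self, authz, accounts):
        self._authz = authz
        self.accounts = accounts  # user -> {"contacts": [...], "spend": 0}

    def read_contacts(self, token):
        tok = self._authz.check(token, "contacts.read")
        return list(self.accounts[tok.user]["contacts"])

    def buy_ads(self, token, dollars):
        tok = self._authz.check(token, "adwords.purchase")
        self.accounts[tok.user]["spend"] += dollars
        return self.accounts[tok.user]["spend"]


def walkthrough():
    """Replays the article's scenario on constructed data; returns each step's outcome."""
    authz = AuthorizationServer()
    api = ResourceServer(
        authz, {"deane": {"contacts": ["a@example.com", "b@example.com"], "spend": 0}}
    )
    out = {}
    # Deane approves only contact reading for YASN.
    token = authz.grant("deane", "yasn", ["contacts.read"])
    out["contacts"] = api.read_contacts(token)
    # YASN tries to spend Deane's money with the same token: wrong scope, denied.
    try:
        api.buy_ads(token, 100)
        out["ads"] = "allowed"
    except AccessDenied:
        out["ads"] = "denied"
    out["spend"] = api.accounts["deane"]["spend"]
    # Deane revokes YASN; the token he handed out earlier no longer reads contacts.
    out["revoked"] = authz.revoke("deane", "yasn")
    try:
        api.read_contacts(token)
        out["after_revoke"] = "allowed"
    except AccessDenied:
        out["after_revoke"] = "denied"
    return out


if __name__ == "__main__":
    print(walkthrough())
```

The point of the model is that the password never leaves the provider: YASN only ever holds a token whose scope set was fixed at consent time, and revocation is a provider-side flag the user flips, not a credential change that would also break every other client.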

One thing about this particular problem of sites emailing your friends on your behalf is that they don’t actually need access to your email account to send email "from" you. That "from" line in your email program isn’t authenticated. You can put anything you want in there and the email will go out. So YASN can still take all your contacts and email them, sticking your name in the From instead of YASN’s.

One way to stop this would be for email providers not to hand over a list of your contacts’ email addresses, but to hand over an anonymized hash of each email address instead. If Gmail were to publish in their OAuth spec that they’re going to provide an MD5 hash of each email address, then YASN could create hashes of the email address of each of their users, and compare those hashes against the ones that Gmail provides. Now YASN can check for matches in your Gmail contact list without having the actual list.
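Both halves of that scheme, the provider publishing digests and the consumer intersecting them with its own member list, are shown below as an added example (not code from this post, from Gmail or from Shelfari; the contact and member addresses are constructed). Two things worth noting that the post leaves implicit: both sides must normalize addresses identically before hashing, or "Alice@example.com" and "alice@example.com" silently fail to match; and because matching works by hashing candidate addresses, the digests only protect addresses the consumer cannot already name or enumerate. It withholds the raw list, which is the goal here; it is not a secrecy guarantee for any individual address.

```python
import hashlib


def normalize(address):
    """Canonical form both sides must agree on: trimmed and lower-cased."""
    return address.strip().lower()


def digest(address):
    # MD5 as the article proposes; the scheme is unchanged for any hash
    # both sides agree on, but both must apply the same normalization first.
    return hashlib.md5(normalize(address).encode("utf-8")).hexdigest()


def provider_publish(contacts):
    """Provider side (Gmail in the article): hand the consumer only the
    digests of the user's contacts, never the addresses themselves."""
    return {digest(a) for a in contacts}


def consumer_match(published, members):
    """Consumer side (YASN): hash its own members the same way and intersect.

    Returns the normalized member addresses that appear in the user's
    contact list. Any candidate list works here, which is exactly the
    limit of the scheme: it hides only addresses YASN cannot guess.
    """
    index = {digest(m): normalize(m) for m in members}
    return sorted(index[d] for d in published if d in index)


# Constructed sample data: the user's contacts as the provider holds them,
# and the consumer's member list with different casing and stray whitespace.
DEANE_CONTACTS = ["Alice@example.com", "bob@example.org", "carol@example.net"]
YASN_MEMBERS = ["alice@example.com", "dave@example.com", "CAROL@example.net "]

if __name__ == "__main__":
    published = provider_publish(DEANE_CONTACTS)
    print(consumer_match(published, YASN_MEMBERS))
```

YASN learns that two of its members are in the contact list and nothing about `bob@example.org`, who is not a member; the provider's published set is all YASN ever receives.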

©1999-2015 Adam Kalsey.
Content management by Movable Type.