How to Add 3rd Party Functionality to Your App Using OAuth
Today’s web is interconnected like never before. In the Web 1.0 world, web sites existed in silos; in Web 2.0, some sites provided global service APIs like search, maps, inventory lookup, etc. Now that we are in the days of ‘social web’, many of our favorite web sites provide developer APIs to not only access general data, but also their protected data on behalf of your common users. When these APIs are used appropriately, end-users are delighted with a seamless transition across many web applications, taking their data, friends, photos, etc with them without struggle or worry.
OAuth is a popular standard for allowing users to grant your application permissions to access their data on another service. OAuth comes in two flavors: 1.0a and the still-evolving 2.0. 1.0a is an older, more complicated standard, requiring browser-based sign-in and encryption; its biggest users are services like Flickr and Twitter. OAuth 2.0 allows for a greater variety of workflows, and is used by services like Google and Facebook.
For some services, you may need to provide some additional details about your service like your industry or which aspects of the service you want to use.
Once everything is set-up, you’ll get keys that are used by the service to identify your app. These are used during the authentication process to restrict permissions, track usage, or to allow the user to revoke your app’s access. You may also have to specify a URL for the service to redirect to from the log-in page after the user signs in. If you’re building a web app, this will be an important callback url (it’s how the user gets back to your site). If you have a native app, you’ll want to intercept this url and do whatever is appropriate. Some APIs will restrict your access based on usage (total number of API calls, rate of calls, number of users, etc), and others might charge for usage.
In your app, you can use OAuth tokens to access the 3rd-party service or for login to your own app. Obtaining the access token is a matter of showing a specialized login page for the service to your user, them agreeing to let your app access their information by logging in, and then going back to your app. If the login is successfully authenticated with the service, that redirect will be called and you’ll be given the access token; otherwise, the redirect will have an error code. This token is what you’ll pass to the service to access the various API endpoints. Some services, like Facebook on iOS, provide SDK libraries that handle almost everything for you, making the whole OAuth process quite simple. For iOS, if your service doesn’t provide a handy SDK, Google’s gtm-oauth (gtm-oauth2 for OAuth 2.0) libraries are quite useful.
With a Backend as a Service (BaaS), you can integrate new 3rd Party services in with existing applications, without needing a lot of work on the client. To see how you might integrate an OAuth 2.0 service like Instagram with an iOS app using Kinvey, check out this guide: http://docs.kinvey.com/ios-oauth-guide.html
Starting a new mobile project? Check out our mBaaS Savings Calculator for a price quote.