OAuth utilises a user's account on another platform to authenticate them. Instead of requiring a user to enter an email and password, the system redirects the user to an OAuth provider. The user has to identify themselves on that platform. When the user logs in, they are redirected back to the original system with an access token.
This token can be utilised by the system to gain information about the user, such as their email address, their avatar, etc.
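The redirect-and-callback flow described above, as an added Python sketch of the client side (not code from the original article): it builds the redirect to the provider, validates the callback, exchanges the returned code for an access token, and uses that token to read the user's profile. The provider endpoints, client id, scopes and the injected `http` callable are assumed placeholders; the random `state` bound to the session is the check a practitioner would add so that a callback cannot be replayed into another user's session.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed provider configuration; these URLs and the client id are
# placeholders, not a real provider's values.
PROVIDER = {
    "authorize_url": "https://provider.example/oauth/authorize",
    "token_url": "https://provider.example/oauth/token",
    "userinfo_url": "https://provider.example/api/user",
    "client_id": "example-client-id",
}
CALLBACK = "https://app.example/oauth/callback"


def build_authorize_url(session: dict) -> str:
    """Step 1: redirect the user to the provider. A fresh random 'state' is kept
    server-side in the session so the later callback can be tied to it."""
    session["oauth_state"] = secrets.token_urlsafe(32)
    params = {
        "client_id": PROVIDER["client_id"],
        "redirect_uri": CALLBACK,
        "response_type": "code",
        "scope": "read:user user:email",  # assumed scope names
        "state": session["oauth_state"],
    }
    return f"{PROVIDER['authorize_url']}?{urlencode(params)}"


def handle_callback(session: dict, callback_url: str, http) -> dict:
    """Steps 2 and 3: the provider sends the user back with a code. Reject the
    callback unless its state matches the one issued to this session (each
    state is single-use), then exchange the code for an access token and use
    that token to fetch the user's profile. `http(url, data, headers)` is an
    injected transport returning the decoded JSON response."""
    query = parse_qs(urlparse(callback_url).query)
    expected = session.pop("oauth_state", None)
    if not expected or query.get("state", [None])[0] != expected:
        raise ValueError("state mismatch: callback is not tied to this session")
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("callback carried no authorization code")
    token = http(PROVIDER["token_url"], {
        "client_id": PROVIDER["client_id"],
        "code": code,
        "redirect_uri": CALLBACK,
    }, None)["access_token"]
    # The access token is what lets the system read profile data (email, avatar, ...).
    return http(PROVIDER["userinfo_url"], None, {"Authorization": f"Bearer {token}"})
```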
Many websites have implemented OAuth. To create an account on Instagram, you can use your Facebook account. To create an account on a developer-focused tool like Branch, you can use GitHub, GitLab, or Bitbucket.
Allowing users to authenticate using OAuth can be a good user experience. Instead of having to type in a username and password, all the user has to do is press a button. The system will automatically authenticate the user if they are logged in on the provider platform.
OAuth authentication is especially useful for users suffering from password fatigue. OAuth might improve security because users are less likely to reuse passwords across applications.
Another benefit of OAuth is the outsourcing of security. If a system uses OAuth, it no longer needs to worry about storing passwords and resetting passwords for users. The OAuth provider handles all this.
The biggest drawback of OAuth is that it can be complicated to implement, compared to the username/password method.
Another weakness is that the system is dependent on the OAuth providers. If the provider has server issues, it will also affect users in your application who use that provider.
Lastly, some users might have privacy concerns. OAuth allows companies to share data about a user across platforms. When a user authorises a provider, they can usually see what data they are granting access to. Some users might still find it a privacy issue.
When to use it
If your system offers multiple ways for users to authenticate, then OAuth would be a suitable choice for one of the options. It's a good option for users who don't want to create a new username/password combination for every app they use.
Some markets have a big company that could provide an OAuth service. A good example is the market for developer tools, where almost any potential user will have either a GitHub, GitLab, or Bitbucket account.
If the system needs API access to the provider anyway, it's a good idea to make users authenticate with OAuth through that provider. That way, they don't have to authorise the app later on.
When not to use it
Implementing OAuth creates a dependency on third-party companies. If the app is mission-critical and you want to be responsible for all pieces of the application, then it might be better to use alternative authentication methods.
Implementing OAuth can be time-consuming and complicated, so if time is of the essence, then more straightforward authentication methods might be worth considering.