Suppose you have a house, and you hire a cleaning service. The cleaning service needs to get into your house to clean it. This is a simple problem with a simple solution: you give them a copy of your key.
And immediately you realize this is insane? You've given a stranger — well, a company full of strangers — an unrestricted, permanent copy of the key to your home. They can come whenever they want. They can copy the key and give it to other people. If someone robs the cleaning company, they now have keys to every house the company services. And if you fire the cleaning company, they still have your key, and you have to change your locks, which means getting new keys to every other person who has a copy, which if you think about it for even a few seconds is a nightmare.
So you don't do that. You set up a system.
The system works like this: the cleaning company goes to your building's front desk. The front desk calls you and says "hey, CleanCo says they'd like to come in and clean your apartment — should I let them in?" You say sure. The front desk gives CleanCo a temporary badge that works on your door, but only for two hours, and only today. After two hours the badge stops working and they have to ask again.
This is much better. The cleaning company never has your actual key. You can revoke access at any time by telling the front desk to stop issuing badges. The badge is limited in scope — it opens your apartment but not your storage unit — and it expires. If someone steals the badge, it stops working in two hours anyway. You have solved the problem.
Except now you have a front desk, and the front desk is doing a lot of work, and there are some new problems.
For instance: the front desk gives the badge to the cleaning company. But how? Does the cleaning company walk up and the front desk hands it to them? What if someone is standing behind the cleaning company in line and grabs the badge out of their hand? What if someone is watching through a window and writes down the badge number?
There was a version of this system — let's call it the "just toss them the badge in the lobby" version — where the front desk would basically hand the badge to the cleaning company across a crowded room, and if you were paying attention you could grab it. (In the jargon this is the implicit grant: the token comes straight back in the redirect, where anything that can read the browser's address bar or history can read it too.) This version was very popular for a while. It was simple. It was easy to set up. It worked fine, probably?
So people got more clever. Instead of handing over the badge directly, the front desk gives the cleaning company a claim ticket. A little slip of paper that says "present this at window B to receive your badge." The cleaning company takes the claim ticket to window B, shows their company ID, and then gets the badge. The idea is that even if someone intercepts the claim ticket, they can't use it without also having the cleaning company's ID.
This is better. But — and this is the thing about security, there is always a "but" — what if the cleaning company is using a mobile phone to manage all of this? A phone app cannot really keep a company ID secret: anyone who downloads the app can dig the ID out of it, so the check at window B no longer proves anything. And the claim ticket gets routed through the phone's operating system, and some other app on the phone sees the claim ticket? The claim ticket is not the badge, but it is the thing that gets you the badge, and it would be really nice if we could make sure the person redeeming the claim ticket is the same person who asked for it.
So we add another thing. Before the cleaning company goes to the front desk, they write a secret word on a piece of paper and lock it in a box. They give the front desk a scrambled version of the secret word — a hash of it, in the jargon. Then, when they come back with the claim ticket to pick up the badge, they also open the box and show the original secret word. The front desk scrambles it and checks: does this match the scrambled version you gave me earlier? If yes, here's your badge. If no, go away.
This is called Proof Key for Code Exchange (RFC 7636), and it is pronounced "pixy," which is either charming or mildly humiliating depending on your temperament.
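Here is the secret-word-in-a-box exchange written out as code, covering both the claim ticket from the previous section and the secret word from this one. This is an added example, not part of the original post and not taken from any OAuth library: the AuthorizationServer class, the client name "cleanco" and the two-hour badge lifetime are made up for illustration, while the verifier and challenge construction follow the S256 method in RFC 7636.

```python
from __future__ import annotations

import base64
import hashlib
import os
import secrets


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """The secret word. 32 random bytes encode to 43 characters, the RFC minimum."""
    return b64url(os.urandom(nbytes))


def make_code_challenge(verifier: str) -> str:
    """The scrambled word. S256 method: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Toy front desk (hypothetical, for illustration): hands out claim tickets
    bound to a challenge and redeems each one at most once."""

    def __init__(self) -> None:
        self._pending: dict[str, tuple[str, str]] = {}  # code -> (client_id, challenge)

    def authorize(self, client_id: str, code_challenge: str,
                  code_challenge_method: str = "S256") -> str:
        # The 'plain' method sends the secret word itself as the challenge, so
        # anyone who saw the authorization request could redeem the code. Refuse it.
        if code_challenge_method != "S256":
            raise ValueError("only S256 is accepted")
        code = secrets.token_urlsafe(32)  # the claim ticket
        self._pending[code] = (client_id, code_challenge)
        return code

    def token(self, client_id: str, code: str, code_verifier: str):
        entry = self._pending.pop(code, None)  # one redemption attempt, pass or fail
        if entry is None:
            return None
        bound_client, challenge = entry
        if client_id != bound_client or not (43 <= len(code_verifier) <= 128):
            return None
        if not secrets.compare_digest(make_code_challenge(code_verifier), challenge):
            return None
        # The badge: limited lifetime (two hours, as in the analogy).
        return {"access_token": secrets.token_urlsafe(32),
                "token_type": "Bearer", "expires_in": 7200}


def demo() -> tuple[bool, bool, bool]:
    server = AuthorizationServer()

    # Flow 1: the honest client redeems its own ticket, then someone replays it.
    verifier = make_code_verifier()
    code = server.authorize("cleanco", make_code_challenge(verifier))
    honest = server.token("cleanco", code, verifier)
    replay = server.token("cleanco", code, verifier)

    # Flow 2: another app on the phone saw the redirect and grabbed the ticket,
    # but the secret word never left the honest app's memory.
    verifier2 = make_code_verifier()
    code2 = server.authorize("cleanco", make_code_challenge(verifier2))
    stolen = server.token("cleanco", code2, make_code_verifier())

    return honest is not None, replay is None, stolen is None


if __name__ == "__main__":
    print(demo())  # (True, True, True)
```

Two details are worth noticing. The server pops the code before it checks anything, so a wrong guess at the secret word burns the ticket rather than leaving it around for a second try, and the honest client finds out something went wrong. And the server refuses the `plain` challenge method outright: with `plain`, the "scrambled" word is the word itself, and the whole box-and-hash exercise buys nothing.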
So now you have: a front desk, a claim ticket system, a secret-word-in-a-box verification protocol, and temporary badges with expiration times and scope limitations. You have, in the course of solving "how does the cleaning company get into my apartment," built a small bureaucracy.
Oh, except for one more thing. What if someone tricks you?
Like, what if you get a call from the front desk that says "CleanCo would like access to your apartment," and you say "sure," but it's not actually CleanCo? It's some random person who registered a company called "CleanCo Prime" or "CleanCo Official" and they look legitimate enough that you click — sorry, that you say "yes" — without really reading the fine print? And the fine print says they want access not just to your apartment but to your apartment, your storage unit, your mailbox, your financial records, and the ability to send mail on your behalf?
This doesn't break any part of the system. The front desk works perfectly. The claim tickets are pristine. The secret words check out. The system is doing exactly what it was designed to do — which is ask you if you want to grant access and then grant the access you approved. The problem is that you approved the wrong thing, because the person asking was very good at seeming like someone you should say yes to.
So anyway, that's basically how you log into Spotify with your Google account.
The formal name for all of this is OAuth 2.0, and it is defined in RFC 6749, published in October 2012 by the Internet Engineering Task Force. The abstract reads: