OAuth (an abbreviation of open authorization) is an open protocol which allows secure authorization of desktop and web applications to access APIs. A commonly used analogy is the valet key to a car, which allows the car to be driven (perhaps a limited distance), but does not give access to the glovebox or trunk. In the same way, OAuth allows users to authorize applications to access resources on their behalf via an access token, rather than by handing over their actual username and password.

Jeff Douglas‘ article last summer, Using OAuth to Authorize External Applications, covers the 1.0a version of the protocol (aka RFC 5849) that has been supported in the Force.com platform since Winter ’10, but the world moves quickly, and Winter ’11 saw the introduction of OAuth 2.0 to Force.com. My article of a few months ago, Getting Started with the Force.com REST API, covered the basics of authorizing API access via OAuth 2.0, but deliberately stayed out of the darker passageways.

Now, Digging Deeper into OAuth 2.0 at Salesforce.com really shines a light on our implementation of the protocol, examining the different flavors of token, walking through the flows in detail and introducing the Identity Service, a RESTful equivalent to the SOAP API’s getUserInfo(). Prepare a cup (or mug, or glass) of your favorite beverage and join my guided tour of OAuth 2.0…