Before diving into actual development of code let us revise what OAuth is and what is the difference between version 1.0 and 2.0.
OAuth stands for Open Authorization and was released in 2007. Since it’s release, it has become a mainstay in web services and social sites arena. Led by giants such as Facebook and Twitter, adoption of open authorization has spread like a fire. At its core OAuth is based on simplicity to the users but nightmare for the developers. It allows users to authenticate 3rd party apps without disclosing their passwords. Users can always revoke the authentication. Thus any application can invoke other application’s API which is mostly RESTful web service returning XML or JSON. But in order to make invocation successful, the calling application must have been registered with the service it is calling and send the required tokens and digital signature (version 1.0) with the request.
Debate over OAuth 2.0
Version 2.0 specification does not require digital signature at all. This has made the life of developers much easier but has compromised security (in my view) and caused a huge controversy. It does require SSL to secure tokens being sent over network though. Personally I prefer 1.0 for it’s security.
Now let’s start developing for version 2.0.
Initial steps and house keeping
As mentioned earlier, we must register with the service we intend to invoke. Facebook uses version 2.0 while Twitter and LinkedIn are based on version 1.0. Let us start with Facebook and register at https://developers.facebook.com/apps.
Once the app is registered with Facebook, Facebook creates unique App Id/Consumer Key and Consumer Secret Key. We need to save the consumer key and consumer secret key somewhere along with some other information such as URLs to authorize, authenticate and make API calls. I am going to create a custom object to store this important information. Custom object will be called OAuth_Service__c with following fields and corresponding values:
Service Name : Facebook,
AccessTokenUrl__c Text(255) : https://graph.facebook.com/oauth/access_token, //provided by facebook
AuthUrl__c Text(255), //Used for version 1.0
CallBackURL__c Text(255): https://c.na2.visual.force.com/apex/Authservices, //VF page.
ConsumerKey__c Text(255): 981657716937450, //Fictitious but provided by Facebook in real life
ConsumerSecretKey__c Text(255): bb756kkk674s7709d50998c7, //Fictitious but provided by Facebook in real life
ReqTokenUrl__c Text(255) : https://www.facebook.com/dialog/oauth, //provided by facebook
OAuth_Version__c Text(10) : 2.0
We will discuss the use of call back URL and visual force page in details while looking into the authentication flow in the next blog.
If interested follow my twits for alerts.
Twitter: @gaikwad_arun
Salesforce With Force 
please share the continuity of the topic
Abhi,
How are you planning to use oAuth? Or it is just an academic interest?
-Arun
Its mainly for academic interest ..Please share the rest of the topic..
please share…I am waiting…
Hi,
Thanks For Sharing Such a Great Post,,,,,
I would like to learn how to use the OAuth with salesforce and other apps,,
I Followed your Instructions and created a Test App in Facebook,I Got AppId and App Secret,i stored them.Now,Where should i create a Object OAuth_Service__c ? in my salesforce org ? Please clarify me.,and From Where should get AccessTokenUrl,AuthUrl ,CallBackURL,CallBackURL,ReqTokenUrl,they are default to everyone as u mentioned in your post.
Looking forward for your Next Post….
Thanks & Regards
Neha
I will be writing my next blog shortly.
I am on Christmas vacation.
Thanks..
An intriguing discussion is definitely worth
comment. I believe that yoou ought to write more about this
subject matter, it may nott be a taboo subject but typically
peopple ddo not talk about such subjects. To the next! Best wishes!!