With the advent of the Internet and the development of various web applications and services, such as email, users had to share their valuable credentials with applications in order to access their resources on websites and services. For example, an email application would require the user's username and password in order to connect to the email server and retrieve or send emails.
It became evident that this practice is as insecure as giving your house keys to a stranger. Since the same credentials could be used to access the actual account, serious consequences would follow if those keys were stolen or leaked.
In 2006, a new method of access delegation went into development, called OAuth (short for "Open Authorization"). It grants applications and services delegated access to users' resources without requiring the users to share their credentials, and it provides access only to the resources the user chose to share. For example, an email application can access only the user's mailboxes and nothing else, and a file manager application can access only the user's files stored in cloud storage.
Eventually OAuth became an industry standard, and its latest revision, 2.0, is currently used by every major company, such as Amazon, Facebook, Google, Microsoft, Twitter and many others. Applications that need to access resources on behalf of users have no option but to use OAuth in order to be authorized to do so.
The current OAuth 2.0 is an improved version of the original OAuth 1.0. A newer version, OAuth 2.1, is in the draft stage; it consolidates the changes made to OAuth 2.0 over the years since its introduction, plus some security enhancements.
OAuth is essentially a workflow protocol describing the steps that lead to a successful authorization. In brief, its purpose is to guide the user to a trusted authorization server, let the user authenticate and give consent, and in return grant the application permission to access specific resources by issuing it a unique token.
This flow takes place in the presence of the user, who participates in various steps of it and is therefore fully aware of the process.
All the above requests to the servers are made over Hypertext Transfer Protocol Secure (HTTPS), exactly the same method used when browsing a secure website, which makes the flow safe and easy to implement.
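The workflow described above, as an added, self-contained simulation (not SyncBack's or any provider's code): the client application builds the authorization request, the authorization server authenticates the user and records consent, the client exchanges the one-time code for a token, and a resource server then allows only what the granted scope covers. The endpoint URLs, client id and scope names are hypothetical; the user's password never reaches the client application, which is the point of the protocol. The example also carries the `state` and PKCE checks that OAuth 2.1 makes standard.

```python
"""Toy OAuth 2.0 authorization-code flow with PKCE.
Added example; all parties (user, client app, authorization server,
resource server) are simulated in one process so it runs offline.
Endpoint URLs, client ids and scopes below are hypothetical."""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_ENDPOINT = "https://auth.example.test/authorize"  # hypothetical
TOKEN_ENDPOINT = "https://auth.example.test/token"          # hypothetical


def b64url(data: bytes) -> str:
    """Base64url without padding, as used for PKCE values."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


class ClientApp:
    """The email or file application that wants delegated access."""

    def __init__(self, client_id, redirect_uri):
        self.client_id = client_id
        self.redirect_uri = redirect_uri
        self.pending = {}  # state -> PKCE code_verifier for in-flight requests

    def build_authorization_url(self, scope):
        """Step 1: send the user to the authorization server with a scope."""
        state = b64url(secrets.token_bytes(16))        # CSRF protection
        verifier = b64url(secrets.token_bytes(32))     # PKCE secret, kept local
        challenge = b64url(hashlib.sha256(verifier.encode()).digest())
        self.pending[state] = verifier
        params = {"response_type": "code", "client_id": self.client_id,
                  "redirect_uri": self.redirect_uri, "scope": scope,
                  "state": state, "code_challenge": challenge,
                  "code_challenge_method": "S256"}
        return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"

    def handle_redirect(self, redirect_url, auth_server):
        """Step 3: the browser comes back with a code; swap it for a token."""
        q = parse_qs(urlparse(redirect_url).query)
        state = q.get("state", [None])[0]
        verifier = self.pending.pop(state, None)  # single use
        if verifier is None:
            raise ValueError("unknown or replayed state (possible CSRF)")
        return auth_server.token(code=q["code"][0], client_id=self.client_id,
                                 redirect_uri=self.redirect_uri,
                                 code_verifier=verifier)


class AuthorizationServer:
    """Authenticates the user, records consent, issues codes and tokens."""

    def __init__(self, registered_clients):
        self.clients = registered_clients  # client_id -> registered redirect_uri
        self.codes = {}    # code -> (client_id, scope, code_challenge)
        self.tokens = {}   # access token -> granted scope

    def authorize(self, url, user_password_ok, user_consents):
        """Step 2: user logs in here (never at the client) and gives consent."""
        q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
        if self.clients.get(q["client_id"]) != q["redirect_uri"]:
            raise ValueError("redirect_uri does not match registration")
        if not (user_password_ok and user_consents):
            return f"{q['redirect_uri']}?error=access_denied&state={q['state']}"
        code = b64url(secrets.token_bytes(16))
        self.codes[code] = (q["client_id"], q["scope"], q["code_challenge"])
        return f"{q['redirect_uri']}?{urlencode({'code': code, 'state': q['state']})}"

    def token(self, code, client_id, redirect_uri, code_verifier):
        """Exchange a one-time code for a token scoped to what was consented."""
        entry = self.codes.pop(code, None)  # a code can be redeemed once
        if entry is None or entry[0] != client_id \
                or self.clients.get(client_id) != redirect_uri:
            raise ValueError("invalid grant")
        if b64url(hashlib.sha256(code_verifier.encode()).digest()) != entry[2]:
            raise ValueError("PKCE verification failed")
        token = b64url(secrets.token_bytes(24))
        self.tokens[token] = entry[1]
        return {"access_token": token, "token_type": "Bearer", "scope": entry[1]}


class ResourceServer:
    """Serves a resource only if the presented token carries its scope."""

    def __init__(self, auth_server):
        self.auth = auth_server  # simplified: looks tokens up directly

    def can_read(self, resource_scope, token):
        return resource_scope in self.auth.tokens.get(token, "").split()


def run_flow(scope="mail.read", password_ok=True, consents=True):
    """Run the whole flow; returns what the app can reach, or None if denied."""
    auth = AuthorizationServer({"mailapp": "https://mailapp.example.test/cb"})
    app = ClientApp("mailapp", "https://mailapp.example.test/cb")
    redirect = auth.authorize(app.build_authorization_url(scope), password_ok, consents)
    if "error=" in redirect:
        return None
    tok = app.handle_redirect(redirect, auth)
    rs = ResourceServer(auth)
    return {"mail": rs.can_read("mail.read", tok["access_token"]),
            "files": rs.can_read("files.read", tok["access_token"])}
```

Running `run_flow()` with the default `mail.read` scope shows the application reading mail but not files, while `run_flow(consents=False)` shows the user's refusal ending the flow without any token being issued. The client only ever sees the short-lived code and the scoped token, never the password.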
Yes, SyncBack implements OAuth 2.0 when authorizing connections to the various supported cloud storage services such as OneDrive, Google Drive, Dropbox, Office 365, etc., which makes it easier for users to create multiple profiles targeting the authorized cloud accounts.