OAuth: How Does ‘Login With Facebook/Google’ Work?

It is absolutely safe to log in on apps and third-party websites using your Facebook or Google account. Big tech companies (e.g., Google, Facebook etc.) use a standard called OAuth, which allows third-party websites to access and retrieve select pieces of information from these big websites in order to authenticate users.

Before we delve deeper into this technological mystery of logging in on websites, let’s take a quick look at the technological mechanism in question.

What is OAuth?

OAuth is a protocol that helps ‘big’ websites (websites that have a very large number of users, such as Google, Facebook etc.) grant access to its users’ information to third-party websites or applications without sharing the users’ passwords and other private, sensitive details.

Oauth Logo

The official OAuth Logo (Photo Credit : Wikipedia Commons)

In more technical terms, OAuth is an open standard for secure access delegation, which means it is a service that allows web giants like Google or Microsoft to permit its users to share their own select pieces of information with third-party websites or applications, while protecting the confidential info of users at the same time.

social media collage

OAuth is generally used by websites or applications like Facebook, Google, Twitter and Microsoft, all of which have a humongous  user database.

A hypothetical situation where OAuth fits perfectly

Suppose you want to make some quick edits to an image online. You go to a website, say, Canva, which helps you edit your image directly in your web browser window. However, there’s a catch; in order to use its services, Canva requires you to sign up.

Since the image only requires 5-6 minutes of quick editing, you might not feel like spending even more time filling out a sign-up form from scratch. Or you might just be too bored to fill out a form. I know plenty of people who frown at the mere sight of a sign-up page!

, OAuth: How Does ‘Login With Facebook/Google’ Work?, Science ABC

To be honest, I think it’s fairly reasonable to get upset. In the modern, fast-paced world, where the attention span of an Internet user is less than a minute, asking a user who intends to spend only a few minutes on your website to sign up and create an account from scratch is actually asking a lot! The user might just leave such a ‘demanding’ website and find another that doesn’t require them to sign up for anything.

How OAuth saves you from hassles of Signing Up?

Most third-party websites (that require you to have an account) understand the reluctance of users to create new accounts. In a bid to ensure that they do not lose out on such ‘reluctant’ users, these third-party websites implement the OAuth standard in their system.

An OAuth-enabled third-party website (e.g., Canva) typically gives you 2 options: either sign up the ‘conventional way’, i.e., by filling out an online form, or sign up using Facebook or Google.

Website login with facebook

Notice the two methods of signing up on an application: one allows you to use your social media accounts, while the ‘conventional’ one uses your email.

Canva, like virtually all websites on the Internet, knows that Facebook and Google have a mammoth user base (i.e., the number of users of their services runs in the billions), and it bets on the fact that you might have an account on either/both of those websites (Google/Facebook).

Therefore, instead of asking a new user to fill out a sign-up form manually, which could potentially take 10 minutes or more, depending on the speed and ‘annoyance level’ of the user, Canva simply asks you to sign up using your Google/Facebook account.

​How does OAuth work?

This is basically how the OAuth standard works:

Suppose, you (the user) need to sign up/create an account on a third-party website/application (e.g., Canva).

First, you click on the “Sign up with Facebook’ button.

Canva login with facebook

Photo Credit ; Canva.com

It redirects you to Facebook.com and checks whether you are already logged in to Facebook. If you’re not, then it prompts you to enter your username and password to access your account. Once logged in, it shows you a small dialog box that describes the kind and extent of information that you’ll be sharing with the third-party website. If you are okay with sharing the required info with that third-party website, you press the ‘Continue’ button.

login with facebook

The info that Canva, a third-party website, wants to access through Facebook (Photo Credit : Facebook)

If you’re not okay with the info that’s going to be shared with the third-party website, you can always edit your preferences.

login with facebook

Photo Credit : Facebook

Now, Facebook redirects you to the concerned third-party website with an authentication code, which is basically Facebook’s way of telling the website that ‘yes, this person holds a valid account with me’.

The website now shows Facebook the unique code it acquired when it first registered itself with Facebook as a legitimate website/application. Facebook uses that code to verify the identity of the website, and in return, grants an access token to the website.

Third-party website You login with your credentials Login with Facebook redirects to third party website with authentication code TPW uses that Authentication code to get an Access token

(Photo Credit : Scienceabc.com)

It is this token that the website uses to gain restricted/limited access to some of your account information, usually consisting of your name, email address, gender and so on.

This is, in essence, how OAuth helps big websites like Google or Facebook grant limited access to users’ select pieces of information to third-party applications. To read more about the entire process, check out the official pages of Facebook and Google that discuss this system in great detail (links are provided in the references section).

In a nutshell, OAuth basically lets you give third-party websites a special key that opens only one door of your house and simultaneously protects the master key (i.e., the username and password of Google/Facebook), which can open all the doors of the house.

Help us make this article better
About the Author

Ashish is a Science graduate (Bachelor of Science) from Punjabi University (India). He spends a lot of time watching movies, and an awful lot more time discussing them. He likes Harry Potter and the Avengers, and obsesses over how thoroughly Science dictates every aspect of life… in this universe, at least.

Science ABC YouTube Videos

  1. Cellular Respiration: How Do Cell Get Energy?Cellular Respiration: How Do Cell Get Energy?
  2. Multiverse Theory Explained: Does the Multiverse Really Exist? Truth of Multiple RealitiesMultiverse Theory Explained: Does the Multiverse Really Exist? Truth of Multiple Realities
  3. What Exactly is Spacetime? Explained in Ridiculously Simple WordsWhat Exactly is Spacetime? Explained in Ridiculously Simple Words
  4. What Are The Different Atomic Models? Dalton, Rutherford, Bohr and Heisenberg Models ExplainedWhat Are The Different Atomic Models? Dalton, Rutherford, Bohr and Heisenberg Models Explained
  5. Why Is Blood Drawn From Veins And Not From Arteries?Why Is Blood Drawn From Veins And Not From Arteries?
  6. Emotions and the Brain: What is the limbic system?Emotions and the Brain: What is the limbic system?
  7. Dark Matter Explained: What Exactly is Dark Matter? | A Beginner’s Guide to Dark MatterDark Matter Explained: What Exactly is Dark Matter? | A Beginner’s Guide to Dark Matter
  8. What Exactly is a Tesseract? (Hint: Not a Superhero Stone)What Exactly is a Tesseract? (Hint: Not a Superhero Stone)