Releasing IRIS OAuth for Developers at NITK


IRIS is proud to announce the release of IRIS OAuth v1. The OAuth API is available to all NITK developers: it can be used by Student Clubs, Incident and Engineer, and is open to collaboration with NITK startups, provided due permission is taken from the respective people. The IRIS OAuth provider acts as a gateway for third-party applications/websites to authenticate users via IRIS. Kindly check out the given link to know more about it!

There are various scopes, each of which needs permission from specific people; the list can be found here. Each scope gives greater access to information on IRIS, subject to the student’s/faculty member’s consent when they sign up for it.

There’s a lot of confusion around what exactly OAuth is, and whether it’s just another ‘thing’ used to log in or a “security thing”. This article explains what exactly OAuth is and how it works, and addresses the most important question of the GDPR era: is your data safe, or is it exposed?

What is OAuth?

In very basic terms, OAuth can’t really be categorised as an API or a service. It is an open standard for authorisation, and anyone can implement it.

Why OAuth?

In earlier times, a user would have to enter their username and password into an application, and that application would log them in. This gave rise to various problems, and for the sake of convenience the question arose: “How can I allow an app to access my data without necessarily giving it my password?”

Facebook uses OAuth very heavily to let developers use its users’ information in their applications. If you have ever seen the image below, that is basically OAuth. Granting this permission allows the application to access the data on your behalf.

Facebook OAuth

OAuth as a principle can be thought of as a Hotel Key Card. The Hotel Room can be thought of as the User’s Data that you are asking permission to use, and the Hotel Front Desk can be thought of as the User. If the Hotel Front Desk gives you the Hotel Key Card and approves your use, you can use it to access the Hotel Room. Similarly, if the User gives the Application permission to access their data via OAuth, the Application can access the User’s data.

To break it down more simply, OAuth basically is:

  1. The Application requests authorization from the User to authorize the Application to obtain the User’s Data.
  2. The User authorizes the Application and submits proof.
  3. The Application presents the proof of authorization to the server to get a Token.
  4. The Token is restricted to only access what the User authorized for the specific Application.
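
The four steps above as a small in-memory simulation in Python. This is an added example, not IRIS code: the class, the client name and the scope names are hypothetical, and a real provider also authenticates the application and expires tokens.

```python
import secrets

class ToyAuthServer:
    """In-memory stand-in for an OAuth provider (hypothetical, not IRIS code)."""
    def __init__(self, user_data):
        self.user_data = user_data      # field name -> value
        self.codes = {}                 # one-time proof -> (client_id, scopes)
        self.tokens = {}                # token -> (client_id, scopes)

    def authorize(self, client_id, requested, user_approves):
        # Steps 1-2: the user sees the requested scopes and approves or declines.
        if not user_approves:
            return None
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, frozenset(requested))
        return code

    def exchange(self, client_id, code):
        # Step 3: the proof is single-use and bound to the client that asked.
        grant = self.codes.pop(code, None)
        if grant is None or grant[0] != client_id:
            raise PermissionError("invalid or already-used authorization proof")
        token = secrets.token_urlsafe(32)
        self.tokens[token] = grant
        return token

    def read(self, token, field):
        # Step 4: the token only reaches fields the user authorized.
        grant = self.tokens.get(token)
        if grant is None or field not in grant[1]:
            raise PermissionError(f"token does not cover {field!r}")
        return self.user_data[field]

def demo():
    # Constructed sample data; scope names are made up for this example.
    server = ToyAuthServer({"name": "A. Student", "grades": "confidential"})
    code = server.authorize("fest-app", ["name"], user_approves=True)
    token = server.exchange("fest-app", code)
    results = {"name": server.read(token, "name")}
    for label, call in [("grades", lambda: server.read(token, "grades")),
                        ("replay", lambda: server.exchange("fest-app", code))]:
        try:
            call()
            results[label] = "allowed"
        except PermissionError:
            results[label] = "denied"
    return results
if __name__ == "__main__":
    print(demo())
```

The application reads the one field the user approved, while both the out-of-scope read and the replay of the already-used proof are refused.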

Is my data given to IRIS at risk because of this?

No, and this is due to the following reasons:

  1. The OAuth Service allows the application to access your data only if you authorize it to do so. IRIS only acts as a delivery person which delivers your data to the required application.
  2. You can choose whether you’d like to share your data with the required application or not when you are using the OAuth Service. You will be shown exactly what data is being shared with the service. In case you would not want to share your data, you can choose not to sign up for that application using ‘Sign In with IRIS’.

How is this useful?

The IRIS OAuth Service allows developers to accurately verify the information of a user. Information is provided as per the consent of the user and as per the permission taken by the particular application. To know more about permissions, kindly check out the following link.

Who will it benefit?

For a long time in NITK, it had been very difficult to verify whether a student is a genuine NITK student or not, whether for fests or for various administrative purposes. Over the years, as IRIS came into the picture and Academic Modules were integrated into it, this problem was significantly reduced. However, the student community continued to face it: young startups operating inside NITK and student fests like Incident and Engineer, in particular, still struggled to correctly determine whether a user is a NITKian or not!

Credits

The IRIS OAuth API v1 has been created with Hrishikesh Hiraskar, a final-year student from the Computer Science Department, in collaboration with Akshay Revankar, IRIS Team Lead, 2017-2018.