/**
 * Example of the code a theme would use to register the plugins it requires
 * through TGM Plugin Activation.
 *
 * Theme authors are expected to copy this into their functions.php and amend
 * the plugin and configuration arrays to suit.
 *
 * @package    TGM-Plugin-Activation
 * @subpackage Example
 * @version    2.3.6
 * @author     Thomas Griffin
 * @author     Gary Jones
 * @copyright  Copyright (c) 2012, Thomas Griffin
 * @license    http://opensource.org/licenses/gpl-2.0.php GPL v2 or later
 * @link       https://github.com/thomasgriffin/TGM-Plugin-Activation
 */

/**
 * Load the TGM_Plugin_Activation class shipped next to this file.
 */
require_once __DIR__ . '/class-tgm-plugin-activation.php';

add_action( 'tgmpa_register', 'my_theme_register_required_plugins' );

/**
 * Register the plugins this theme depends on.
 *
 * Both plugins declared here are installed from zip archives bundled inside
 * the theme rather than fetched from the wordpress.org repository. The plugin
 * list and the configuration array are handed to tgmpa(), which produces the
 * install/activate notices and the admin page.
 *
 * Runs on the 'tgmpa_register' action hooked above.
 *
 * @return void
 */
function my_theme_register_required_plugins() {
	/*
	 * Contact Form 7, pre-packaged with the theme.
	 * Required keys are name and slug; source is required whenever the plugin
	 * does not come from the .org repo. A bundled archive pins whatever version
	 * was packaged, so refresh the zip when the plugin ships fixes.
	 */
	$contact_form_7 = array(
		'name'               => 'Contact Form 7',
		'slug'               => 'contact-form-7', // Typically the plugin folder name.
		'source'             => get_stylesheet_directory() . '/includes/plugins/contact-form-7.zip',
		'required'           => true,             // false would make it "recommended" only.
		'version'            => '',               // E.g. '1.0.0'; when set, an older active plugin triggers a notice.
		'force_activation'   => false,            // true: activated with the theme and locked until theme switch.
		'force_deactivation' => false,            // true: deactivated on theme switch.
		'external_url'       => '',               // Overrides the default API URL when set.
	);

	/*
	 * Cherry Plugin, also bundled with the theme. Unlike the entry above it is
	 * force-activated, so users cannot switch it off while this theme is active,
	 * and an active copy older than 1.1 raises an update notice.
	 */
	$cherry_plugin = array(
		'name'               => 'Cherry Plugin',
		'slug'               => 'cherry-plugin',
		'source'             => PARENT_DIR . '/includes/plugins/cherry-plugin.zip',
		'required'           => true,
		'version'            => '1.1',
		'force_activation'   => true,
		'force_deactivation' => false,
		'external_url'       => '',
	);

	$plugins = array( $contact_form_7, $cherry_plugin );

	// Pluralisable notices come in pairs in theme_locals(): "<key>" and "<key>_2".
	$plural = function ( $key ) {
		return _n_noop( theme_locals( $key ), theme_locals( $key . '_2' ) );
	};

	/*
	 * Configuration settings. Some strings are fed to sprintf; the trailing
	 * comment on those lines names the argument.
	 */
	$config = array(
		'domain'           => CURRENT_THEME,              // Text domain; normally the theme's own.
		'default_path'     => '',                         // Absolute path to pre-packaged plugins.
		'parent_menu_slug' => 'themes.php',               // Parent menu slug.
		'parent_url_slug'  => 'themes.php',               // Parent URL slug.
		'menu'             => 'install-required-plugins', // Menu slug.
		'has_notices'      => true,                       // Show admin notices.
		'is_automatic'     => true,                       // Activate plugins right after installation.
		'message'          => '',                         // Output right before the plugins table.
		'strings'          => array(
			'page_title'                      => theme_locals( 'page_title' ),
			'menu_title'                      => theme_locals( 'menu_title' ),
			'installing'                      => theme_locals( 'installing' ), // %1$s = plugin name
			'oops'                            => theme_locals( 'oops_2' ),
			'notice_can_install_required'     => $plural( 'notice_can_install_required' ),     // %1$s = plugin name(s)
			'notice_can_install_recommended'  => $plural( 'notice_can_install_recommended' ),  // %1$s = plugin name(s)
			'notice_cannot_install'           => $plural( 'notice_cannot_install' ),           // %1$s = plugin name(s)
			'notice_can_activate_required'    => $plural( 'notice_can_activate_required' ),    // %1$s = plugin name(s)
			'notice_can_activate_recommended' => $plural( 'notice_can_activate_recommended' ), // %1$s = plugin name(s)
			'notice_cannot_activate'          => $plural( 'notice_cannot_activate' ),          // %1$s = plugin name(s)
			'notice_ask_to_update'            => $plural( 'notice_ask_to_update' ),            // %1$s = plugin name(s)
			'notice_cannot_update'            => $plural( 'notice_cannot_update' ),            // %1$s = plugin name(s)
			'install_link'                    => $plural( 'install_link' ),
			'activate_link'                   => $plural( 'activate_link' ),
			'return'                          => theme_locals( 'return' ),
			'plugin_activated'                => theme_locals( 'plugin_activated' ),
			'complete'                        => theme_locals( 'complete' ), // %1$s = dashboard link
			// NOTE(review): TGMPA accepts only the literal 'updated' or 'error' here;
			// confirm theme_locals( 'updated' ) resolves to one of those and not to a translated label.
			'nag_type'                        => theme_locals( 'updated' ),
		),
	);

	tgmpa( $plugins, $config );
}


OAuth: Authorize External Apps Without Exposing Your Password


How OAuth Eliminates Credential Sharing

When a third-party application wants to access your data on a digital platform, the traditional approach was to ask for your username and password. That practice exposed your credentials to every external service you connected, increasing the risk of theft or misuse. OAuth (Open Authorization) solves this problem by having the platform issue the application a temporary token instead of requiring you to share your login details.

OAuth is an open standard that enables an application to request limited access to your resources hosted on another service. For example, a photo editing app can ask for permission to view and edit your images stored on a cloud drive. The user approves the request, and the platform returns a token to the app. The token is scoped, time-limited, and revocable. The app never sees your password.

Core Components of OAuth 2.0

The protocol involves four roles: the resource owner (you), the client (the external app), the authorization server (the platform component that verifies your identity and issues tokens), and the resource server (the API that holds your data). The flow begins when the client redirects you to the authorization server. After you authenticate and grant permissions, the server issues an authorization code. The client exchanges this code for an access token, which it then uses to make API calls on your behalf.

Token-Based Access vs. Password Sharing

Sharing a password directly gives an app full, permanent access to your account; if that app is compromised, your entire account is at risk. OAuth tokens are far safer to hand out. They can be restricted to specific actions (e.g., read-only), set to expire after minutes or hours, and revoked individually by the user at any time. This granular control limits the damage even if a token is intercepted.

Another advantage is the elimination of password storage by third parties. External apps never handle your credentials, so a breach on their side does not leak your master password. This architecture also simplifies user experience: you log in once on the trusted platform, and the authorization happens in the background.

Real-World Implementation

Major services like Google, Facebook, and GitHub rely on OAuth 2.0. When you click "Sign in with Google" on a website, you are not giving that site your Gmail password. Instead, Google's authorization server asks you to confirm the permissions (e.g., view your email address and basic profile). After approval, the website receives a token limited to those scopes. The entire process takes seconds and requires no credential exchange.

Limitations and Best Practices

OAuth is not a silver bullet. If a client application is malicious, it can request excessive permissions and trick users into approving them. Users should always review the scope of access before granting authorization. Platforms must implement proper token expiration and rotation policies. Developers must use HTTPS to protect tokens in transit and store them securely on the server side.

Another limitation is that OAuth does not define authentication — it only handles authorization. To verify a user's identity, OpenID Connect is often layered on top. This combination provides both secure access delegation and reliable identity verification.

FAQ:

What is the main purpose of OAuth?

OAuth allows an external application to access user resources on a platform using a token, without exposing the user's password.

How is a token different from a password?

A token is temporary, limited to specific scopes, and revocable. A password gives full, permanent access to an account.

Does OAuth work for mobile apps?

Yes, OAuth 2.0 supports mobile flows, including the Authorization Code Flow with PKCE (Proof Key for Code Exchange) to secure public clients.

Can a user revoke a token after granting access?

Yes, users can revoke tokens from their account settings on the platform, immediately cutting off the app's access.

Is OAuth the same as OpenID Connect?

No. OAuth handles authorization (what an app can do), while OpenID Connect adds authentication (who the user is).

Reviews

Elena R.

I run a small SaaS that integrates with Google Drive. Implementing OAuth 2.0 was straightforward, and our users trust us more because we never ask for their passwords. The token scopes let us limit access to exactly what we need.

Marcus T.

As a security auditor, I see too many apps still asking for login credentials. OAuth is the only sane way to delegate access. Revocable tokens save companies from massive data leaks when a third-party vendor gets hacked.

Priya K.

I use "Sign in with Google" everywhere. It’s fast and I love that I can revoke access from my Google account page anytime. OAuth makes me feel in control of my data.