A company develops a third-party application that needs to access user data from a popular social media platform without exposing user credentials. Which method provides the most secure way for the application to request and receive authorization to access the platform's data on the user's behalf?
Embed user credentials in the application code and authenticate directly with the social media platform.
Use basic access authentication by sending a base64-encoded string containing the user's username and password in each request.
Store user credentials locally on the user device and reuse them to authenticate every session with the social media platform.
Use the OAuth protocol to request an authorization code and exchange it for an access token from the social media platform.
OAuth enables a user to grant a third-party application scoped access by issuing an access token through the platform's authorization server. Because the token, not the user's password, is presented in subsequent API calls, the user's credentials remain undisclosed. Methods that embed or transmit passwords-whether stored locally, hard-coded, or sent with basic authentication-violate least-privilege and credential-handling best practices and are therefore less secure.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is OAuth, and how does it work?
Open an interactive chat with Bash
How does using OAuth align with the principle of least privilege?
Open an interactive chat with Bash
What are the security risks of embedding or storing user credentials in an application?