How does OAuth work?
Social media platforms such as Facebook and Twitter have been the largest early adopters of OAuth, owing much of their success to encouraging integration with other applications. The integration points are RESTful APIs that typically use OAuth as a means of authentication, authorization and binding together different personal accounts. You probably have separate accounts on both of these social media powerhouses. So, how can you set things up so that your tweets show up instantly on your Facebook wall?
In the past, you would probably have had to store your Facebook username and password in your Twitter profile. This way, whenever you published a new tweet, the Twitter application could sign on for you to cross‐post it onto Facebook. This approach has come to be called the password anti‐pattern and it is a bad idea for a number of reasons. Entrusting Twitter with your Facebook password simply gives this application too much power. If a hacker were to compromise the site or an internal administrator went rogue, they could leverage your plaintext password to post damaging pictures, lock you out of Facebook or even delete your entire account. Fortunately, both sites use OAuth to overcome this challenge. OAuth provides a delegated authorization model permitting Twitter to post on your wall, but nothing else.
From their Twitter settings panel, a user clicks on a button that transfers them to Facebook, where they can sign in, creating an association between this user's two separate accounts without any involvement from Facebook or Twitter security administrators. Once authenticated on Facebook, the user undergoes a consent ceremony, where they can choose the subset of privileges they want to grant to Twitter to permit the application to perform actions on their behalf. Finally, the user returns automatically to Twitter, where they can resume posting tweets, which now appear on their Facebook wall as well. The relationship they have set up persists indefinitely or until they decide to break it explicitly, using controls found on the settings page.
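The delegated authorization flow described above, modelled in memory as an added example (not code from the original page or from Facebook or Twitter). The class, the one-time code exchange step, and the scope names `publish_post` and `delete_account` are assumptions made for illustration; no real API is called.

```python
import secrets

class AuthorizationServer:
    """Toy in-memory model of the provider (the 'Facebook' role in the text)."""
    def __init__(self, users):
        self._users = users   # username -> password, known only to the provider
        self._codes = {}      # one-time code -> (user, client, scopes)
        self.tokens = {}      # access token -> (user, client, scopes)

    def authorize(self, user, password, client, requested, approved):
        # The user signs in at the provider; the client never sees the password.
        stored = self._users.get(user)
        if stored is None or not secrets.compare_digest(stored, password):
            raise PermissionError("sign-in failed")
        # Consent ceremony: grant only what was both requested and approved.
        scopes = frozenset(requested) & frozenset(approved)
        code = secrets.token_urlsafe(16)
        self._codes[code] = (user, client, scopes)
        return code           # carried back to the client on the redirect

    def exchange(self, code, client):
        grant = self._codes.pop(code, None)   # codes are single use
        if grant is None or grant[1] != client:
            raise PermissionError("unknown code or wrong client")
        token = secrets.token_urlsafe(32)
        self.tokens[token] = grant
        return token

    def revoke(self, user, client):
        # The user breaks the relationship from the settings page.
        self.tokens = {t: g for t, g in self.tokens.items() if g[:2] != (user, client)}

def api_call(server, token, action):
    """Resource-side check: the token must carry the scope for the action."""
    grant = server.tokens.get(token)
    if grant is None:
        return "401 invalid or revoked token"
    user, _client, scopes = grant
    return f"200 {action} as {user}" if action in scopes else "403 scope not granted"

def demo():
    fb = AuthorizationServer({"alice": "constructed-password"})  # constructed sample user
    code = fb.authorize("alice", "constructed-password", "twitter",
                        {"publish_post", "delete_account"}, {"publish_post"})
    token = fb.exchange(code, "twitter")
    before = [api_call(fb, token, a) for a in ("publish_post", "delete_account")]
    fb.revoke("alice", "twitter")
    return before + [api_call(fb, token, "publish_post")]
```

Calling `demo()` returns the three outcomes in order: the approved action succeeds, the unapproved one is refused, and the same token fails after revocation.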