Sep 25

Brady Forrest

OAuth: Open Authentication Comes Closer to Reality

The draft of the Open Authentication (OAuth) spec is available for review. Despite the name, OAuth is a protocol for delegated authorization: it lets a user grant one site or application access to their data on another service without handing over that service's credentials. In other words, it lets a site like Flickr (which already does this through its own API) let other sites and applications access its users' photos without those users having to provide their Flickr username and password to the asking site. I never like giving up my credentials to another site, but every time I test out a new social network it is very tempting despite the risks.

The spec was developed by representatives from Pownce, Twitter, SixApart (which also recently made a move towards opening its social graph; see the Radar post), Jaiku, Flickr, Ma.gnolia, Google, Citizen Agency and others.

This passage from the spec explains their goals:

The OAuth protocol enables websites or applications (Consumers) to access Protected Resources from a web service (Service Provider) via an API, without requiring Users to disclose their Service Provider credentials to the Consumers. More generally, OAuth creates a freely-implementable and generic methodology for API authentication.

An example use case is allowing printing service printer.example.com (the Consumer), to access private photos stored on photos.example.net (the Service Provider) without requiring Users to provide their photos.example.net credentials to printer.example.com.

OAuth does not require a specific user interface or interaction pattern, nor does it specify how Service Providers authenticate Users, making the protocol ideally suited for cases where authentication credentials are unavailable to the Consumer, such as with OpenID.

OAuth aims to unify the experience and implementation of delegated web service authentication into a single, community-driven protocol. OAuth builds on existing protocols and best practices that have been independently implemented by various websites. An open standard, supported by large and small providers alike, promotes a consistent and trusted experience for both application developers and the users of those applications.
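The printer/photos use case from the excerpt above, as an added worked example that is not part of the original post or of the OAuth draft. Because the draft's exact parameter names are not on this page, it follows the three-legged flow as it was later standardised in OAuth Core 1.0 (RFC 5849): request token, user authorization at the Service Provider, access token, then HMAC-SHA1-signed requests for the protected resource (the oauth_verifier step comes from the 1.0a revision). The consumer key, user "alice", her password and the photo names are constructed sample data, the URLs reuse the excerpt's example hosts, and both parties run in one process instead of over HTTP.

```python
"""Added example, not code from the post or the OAuth draft: the delegated-access flow of the spec
excerpt as later standardised in OAuth Core 1.0 (RFC 5849), in-process, with constructed sample data."""
import base64, hashlib, hmac, secrets, time, urllib.parse

def pct(value):  # RFC 3986 percent-encoding with only unreserved characters kept, as OAuth 1.0 requires
    return urllib.parse.quote(str(value), safe="")

def signature_base_string(method, url, params):
    """RFC 5849 3.4.1: METHOD&enc(url)&enc(sorted, encoded k=v pairs). A list of pairs is
    accepted because keys may repeat; oauth_signature and realm are never signed."""
    pairs = params.items() if isinstance(params, dict) else params
    encoded = sorted((pct(k), pct(v)) for k, v in pairs if k not in ("oauth_signature", "realm"))
    return "&".join([method.upper(), pct(url), pct("&".join(f"{k}={v}" for k, v in encoded))])

def hmac_sha1_signature(method, url, params, consumer_secret, token_secret=""):
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()  # token secret is empty before step 1
    mac = hmac.new(key, signature_base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def signed_params(method, url, consumer_key, consumer_secret, extra=None, token=None, token_secret=""):
    """Consumer side (printer.example.com): add the oauth_* parameters and sign. No user credential here."""
    params = {"oauth_consumer_key": consumer_key, "oauth_signature_method": "HMAC-SHA1",
              "oauth_timestamp": str(int(time.time())), "oauth_nonce": secrets.token_hex(8), **(extra or {})}
    if token:
        params["oauth_token"] = token
    params["oauth_signature"] = hmac_sha1_signature(method, url, params, consumer_secret, token_secret)
    return params

class ServiceProvider:
    """photos.example.net: the only party that ever sees the user's password."""
    def __init__(self, consumers, users, photos):
        self.consumers, self.users, self.photos = consumers, users, photos  # key->secret, user->pw, user->photos
        self.request_tokens, self.access_tokens, self.seen_nonces = {}, {}, set()
    def _verify(self, method, url, params, store=None):
        """Check signature and freshness, and that oauth_token (if a store is given) is live and ours."""
        p = dict(params)
        consumer_secret = self.consumers.get(p.get("oauth_consumer_key"))
        if consumer_secret is None or p.get("oauth_signature_method") != "HMAC-SHA1":
            raise PermissionError("unknown consumer or signature method")
        entry = (store.get(p.get("oauth_token")) if store is not None
                 else {"secret": "", "consumer": p["oauth_consumer_key"]})  # step 1 has no token yet
        if entry is None or entry["consumer"] != p["oauth_consumer_key"]:
            raise PermissionError("unknown token or token issued to a different consumer")
        if abs(time.time() - int(p.get("oauth_timestamp", "0"))) > 300:  # window bounds the nonce cache
            raise PermissionError("stale timestamp")
        replay_key = (p["oauth_consumer_key"], p["oauth_timestamp"], p.get("oauth_nonce"))
        if replay_key in self.seen_nonces:
            raise PermissionError("nonce replayed")
        expected = hmac_sha1_signature(method, url, params, consumer_secret, entry["secret"])
        if not hmac.compare_digest(expected, p.get("oauth_signature", "")):
            raise PermissionError("bad signature")
        self.seen_nonces.add(replay_key)  # only a verified request burns a nonce
        return p, entry
    def _issue(self, store, **binding):
        token, secret = secrets.token_hex(8), secrets.token_urlsafe(16)
        store[token] = {"secret": secret, **binding}
        return token, secret
    def request_token(self, method, url, params):  # step 1: temporary token, signed with consumer secret only
        p, _ = self._verify(method, url, params)
        return self._issue(self.request_tokens, consumer=p["oauth_consumer_key"], user=None, verifier="")
    def authorize(self, token, username, password):
        """Step 2: the User logs in here, at the Service Provider, and approves the token."""
        if self.users.get(username) != password:
            raise PermissionError("bad user credentials")
        entry = self.request_tokens[token]
        entry["user"], entry["verifier"] = username, secrets.token_hex(4)
        return entry["verifier"]  # travels back to the Consumer through the user's browser
    def access_token(self, method, url, params):
        """Step 3: swap an authorized, single-use request token for an access token."""
        p, entry = self._verify(method, url, params, self.request_tokens)
        if entry["user"] is None or not hmac.compare_digest(entry["verifier"], p.get("oauth_verifier", "")):
            raise PermissionError("request token not authorized")
        del self.request_tokens[p["oauth_token"]]
        return self._issue(self.access_tokens, consumer=entry["consumer"], user=entry["user"])
    def protected_resource(self, method, url, params):  # step 4: photos of the user the token is bound to
        _, entry = self._verify(method, url, params, self.access_tokens)
        return list(self.photos[entry["user"]])

def run_flow():
    """Walk the printer/photos use case end to end, then probe tampering and replay."""
    key, secret = "printer.example.com", secrets.token_urlsafe(16)  # fixed when the consumer registered
    sp = ServiceProvider({key: secret}, {"alice": "alice-pw"}, {"alice": ["beach.jpg", "cat.jpg"]})
    url = "https://photos.example.net/oauth/request_token"
    rt, rt_secret = sp.request_token("POST", url, signed_params("POST", url, key, secret))
    verifier = sp.authorize(rt, "alice", "alice-pw")  # password typed at photos.example.net, never at the printer
    url = "https://photos.example.net/oauth/access_token"
    at, at_secret = sp.access_token("POST", url, signed_params("POST", url, key, secret,
                                                               {"oauth_verifier": verifier}, rt, rt_secret))
    url = "https://photos.example.net/photos"
    params = signed_params("GET", url, key, secret, {"set": "private"}, at, at_secret)
    result = {"photos": sp.protected_resource("GET", url, params)}
    probes = {"tampered": dict(params, set="all", oauth_nonce="fresh"), "replayed": params}
    for name, attempt in probes.items():  # altered after signing / byte-for-byte resend
        try:
            sp.protected_resource("GET", url, attempt)
            result[name] = "accepted"
        except PermissionError as err:
            result[name] = str(err)
    return result
```

run_flow() returns alice's photos together with the reason each probe was refused: changing a signed parameter after the fact gives "bad signature", resending an accepted request verbatim gives "nonce replayed". Note what the printer never holds at any point: alice's password. The order of checks in _verify matters too: the nonce is recorded only after the signature verifies, so someone forging requests cannot burn a legitimate Consumer's nonces.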

Personally, I am tired of being asked by websites to enter my credentials to Gmail, Hotmail, AIM, Yahoo! Mail, etc. I don't like the idea of giving away that information. Not because I think that they will do something wrong with that information (though Quechup certainly has proven that to be a faulty assumption after spamming people's address books), but because sharing credentials makes them less secure. OAuth is an important step in letting us have control of our internet identities. Give the producers feedback and then support it. Please!

Updated: Added Flickr and Magnolia to the representatives working on OAuth


Comments: 9

  Niklas Andersson [09.26.07 05:10 AM]

Why all new complicated protocols when the solution has existed for several years? PKCS12 is the personal certificate that you can use for signing/encrypting mails/documents/etc. AND for identifying yourself to a website. I wouldn't mind keeping my PKCS12 file on a USB stick and carrying it with me on my keyring together with the rest of the keys in my pocket.

I also dislike introducing my user/pass on 20+ websites that I subscribe to. Please give me the possibility to use my PKCS12 file.

PKI über alles

Best regards,
Niklas Andersson, TechWorld Open Source

  Swashbuckler [09.26.07 07:53 AM]

Why this instead of OpenID?

  patcito [09.26.07 09:52 AM]

@Swashbuckler: OpenID doesn't work with HTTP authentication; it needs HTML and redirection, so using it with an API doesn't work. This is why Twitter is not using it for now, because they would have to force their OpenID users to have a non-OpenID account if they want to use the API. So users would need to remember two different accounts for the same service, which would really suck hard :-)

  Chris Messina [09.26.07 05:30 PM]

@Niklas Andersson: How you identify yourself is outside the scope of OAuth. That's OpenID's realm. OAuth is specifically about how you authorize a Consumer to access protected resources on a Service Provider.

It's up to the Service Provider to support your preferred method of identification.

@Swashbuckler: OAuth is compatible with OpenID. In fact, when I was helping get this started, one of the things that stood in the way of advancing OpenID was the lack of support for desktop clients. Since I wanted Twitter to support OpenID, I needed a way to do delegated authentication and, eight months later, we'll be releasing OAuth! ;)

  Niklas Andersson, TechWorld Open Source [09.27.07 02:57 AM]

@Chris Messina

Thanks! My bad - I should have read the post more carefully. Of course you're right. OAuth doesn't work like OpenID. I just read the authentication part. There are differences between authentication and authorization - I guess OAuth should be authorization then. Authentication is identity management. Authorization is rights management, i.e. what information to give to what authenticated party.

  rick [09.28.07 12:12 PM]

What's the difference between this and the Liberty Alliance and MSFT Passport of yore?

  Timothy Murray [09.28.07 12:49 PM]

While I'm curious about the relationship of OAuth to OpenID, and yes, I see the relationship to MSFT Passport, I tend to see Shibboleth, Athens and Kerberos in my area of work.

Do any of these work well on mobile devices, or is that a pointless question?

  Custom [12.03.07 04:21 PM]

One more thing. OAuth consumer for Tiger and Leopard available now. You can get the code via anonymous SVN here
... if needed.

  bill london [03.25.08 06:25 AM]

I wanted to know if Liberty and OAuth are used for the same things, or whether we can combine the two of them and integrate them?
