OAuth Spec 1.0 = More Personal Mashups?

A piece of the mashup puzzle that could lead to more interesting and useful applications has taken a step forward this week: the final draft of the OAuth specification is now available. What is it and why does it matter? Since there are already some very good explanations out there, here are the essentials drawn from Eran Hammer-Lahav and his OAuth series:

  • Shortest explanation possible: An API access delegation protocol
  • Your valet key for the web: Many cars today come with a special key you can hand to the parking attendant that gives him some, but not all, access to your vehicle. On the Web you now have your own keys to dozens of sites, but how do you best handle the mashup-style case where site A wants you to grant it access to some of your data on site B? Ideally you don't want to give site A your password to site B. OAuth aims to simplify this problem: "It allows you the User to grant access to your private resources on one site (which is called the Service Provider), to another site (called Consumer, not to be confused with you, the User)."
  • Versus OpenID: OAuth and OpenID are related but are not solving the same problem and do not depend upon one another. "While OpenID is all about using a single identity to sign into many sites, OAuth is about giving access to your stuff without sharing your identity at all (or its secret parts). If OAuth depended on OpenID, only OpenID services would be able to use it, and while OpenID is great, there are many applications where it is not suitable or desired. Which doesn’t mean to say you cannot use the two together. OAuth talks about getting users to grant access while OpenID talks about making sure the users are really who they say they are."
  • History: It started with informal discussions in November 2006 about OpenID and delegated authentication; a Google group was started in April 2007, an initial spec was drafted this summer, and it is now at the 1.0 final draft.
  • Who's going to be implementing it?: "At the time of writing this, we expect initial implementations from (in alphabetical order) Digg, Jaiku, Flickr, Ma.gnolia, Plaxo, Pownce, Twitter, and hopefully Google, Yahoo, and others soon to follow."
  • Inputs: Given that this is not a new problem, the creators of this spec drew from a variety of related efforts including existing protocols like Yahoo BBAuth, Google Web Auth, Flickr API and others.
  • OAuth links: the OAuth spec and lots of related links.
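
A simplified in-memory model of the valet-key delegation described in the list above, added here as an illustration; it is not code from the OAuth spec or from the original post. The class and method names, the sample user and data, and the per-token scope are assumptions, and request signing is left out.

```python
import hmac
import secrets

class ServiceProvider:
    """Site B: holds the User's password and private resources (constructed data)."""
    def __init__(self):
        self.passwords = {"alice": "constructed-password"}
        self.resources = {"alice": {"photos": ["beach.jpg"], "contacts": ["bob"]}}
        self.requests = {}   # request token -> pending grant
        self.access = {}     # access token  -> approved grant

    def request_token(self, scope):
        # Consumer (site A) asks for a not-yet-approved token naming what it wants.
        tok = secrets.token_hex(8)
        self.requests[tok] = {"scope": tuple(scope), "user": None}
        return tok

    def authorize(self, tok, user, password):
        # Runs on the Service Provider's own page: the password never reaches site A.
        if not hmac.compare_digest(self.passwords.get(user, ""), password):
            raise PermissionError("bad credentials")
        self.requests[tok]["user"] = user

    def exchange(self, tok):
        # Consumer swaps an approved request token for an access token.
        grant = self.requests.pop(tok)
        if grant["user"] is None:
            raise PermissionError("User has not approved this request")
        access = secrets.token_hex(8)
        self.access[access] = grant
        return access

    def read(self, access, kind):
        grant = self.access.get(access)
        if grant is None or kind not in grant["scope"]:
            raise PermissionError("token does not grant " + kind)
        return self.resources[grant["user"]][kind]

    def revoke(self, access):
        # The User takes the valet key back; the password is untouched.
        self.access.pop(access, None)

def attempt(sp, access, kind):
    try:
        return sp.read(access, kind)
    except PermissionError:
        return "denied"

def demo():
    sp = ServiceProvider()
    req = sp.request_token(["photos"])                  # Consumer
    sp.authorize(req, "alice", "constructed-password")  # User, at site B
    access = sp.exchange(req)                           # Consumer
    before = (attempt(sp, access, "photos"), attempt(sp, access, "contacts"))
    sp.revoke(access)
    return before, attempt(sp, access, "photos")
```

The Consumer side of `demo()` only ever holds the two tokens, so a leaked or abused token can be withdrawn without a password change.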

This very promising specification moved along quickly thanks to hard work and cooperation from those involved. Standards efforts like this one and events like the Data Sharing Summit are helping move the mashup ecosystem forward.

For more coverage see Marshall Kirkpatrick at Read/WriteWeb, Brady Forrest at O'Reilly Radar, Microsoft's Dare Obasanjo, and Chris Messina.

John Musser



I'm always weary of signing up for yet another service. It'll be nice to be able to get access to some services using a more decentralized ID system. I hope this system isn't used to transfer information seamlessly between sites though. It is a disturbing trend that each site wants to know about what you do on another site. Ease of use is a horrible reason to leak data improperly to sites that have not asked permission properly.

[...] which we covered last fall, is an API access delegation protocol that has been described as your valet key for the web: Like [...]

[...] another technology I need to start looking into: OAuth. ProgrammableWeb describes it as: Like the feature on many cars today where you give the parking attendant a special [...]

[...] hardly a new technology. We wrote about the spec for the first version in 2007, noting the potential for more personal mashups. It has been adopted by many services including the Twitter API and multiple APIs from both Google [...]

Hey! This post could not be written any better! Reading this post reminds me of my old room mate! He always kept talking about this. I will forward this write-up to him. Fairly certain he will have a good read. Thanks for sharing!

Hey, this topic has caught my interest; are there any more recent "facts" yet?

Unfortunately, I found rather little on your site.