How The Green Button Initiative Secured Its APIs With OAuth
Nowhere else has the clarion call to democratize data echoed louder than in Washington, DC, where the Obama administration, by way of executive order, mandated an open data initiative to make all government-generated data machine readable. After all, the majority of federal-agency-generated data belongs to The People: the citizens of the United States. It only stands to reason that it should be easily available, particularly through programmatic interfaces (as opposed to that data rotting in a binder in a file cabinet in some agency's basement archive).
Taking that mandate to heart, the US federal government and all of its agencies have been using APIs to wrap as much of The People's data as possible for the better part of the last decade. And they didn't stop there. The federal government has also urged various industries to similarly open up their data, particularly in cases like healthcare and energy where much of the data rightfully belongs to customers already.
One of those efforts is the Green Button Initiative. As energy consumers (people, businesses, and other organizations) consume power, they generate an enormous amount of metadata about that consumption. When was it consumed? Where was it consumed? Where did the energy come from? How much did that energy cost? And so on. This data, made available in the right contexts, not only belongs to energy consumers; it can also be leveraged to optimize both the provision and consumption sides of the energy industry in a way that better matches supply to demand in an era where sustainability is a major underlying concern.
But achieving that degree of optimization means that the data will have to flow rather frictionlessly across multiple parties with multiple business interests, who have varying degrees of authority and permission to see some or all of that data. In the interests of their security and privacy, energy consumers must be able to federate access to their personal data, which itself might be stored with the original energy provider (i.e., the local electric utility). On the surface, it sounds a bit like a three-party OAuth workflow. And it essentially is. But to make OAuth work for this use case, the National Institute of Standards and Technology (NIST) would have to push OAuth to the very limits of its flexibility with some inventions of its own. And that's exactly what NIST did. At the request of ProgrammableWeb, the chief architects of the Green Button Initiative have chronicled the details of their journey so that other similar use cases around the world can freely benefit from their inventions.