OAuth Coming to All Google Data APIs

Standardization, or the lack thereof, around identity, authentication and authorization for open web APIs is one of the greatest challenges facing mashup application developers today. So it's quite notable that Google has not only just quietly added OAuth support to its Google Contacts API but also stated that "This is our first step towards OAuth enabling all Google Data APIs." With over a dozen GData APIs to date and more on the way, this is a significant endorsement of this relatively new standard.

OAuth, which we covered last fall, is an API access delegation protocol that has been described as your valet key for the web:

Like the feature on many cars today where you give the parking attendant a special key to your car that gives him some, but not all, access to your vehicle. On the Web you now have your own keys to dozens of sites, but how best to handle the mashup-style case where site A wants you to grant them access to get some data from site B? Ideally you don’t want to give site A your password to site B. OAuth aims to simplify this problem: “It allows you the User to grant access to your private resources on one site (which is called the Service Provider), to another site (called Consumer, not to be confused with you, the User).”

This marks at least the second API from one of the major providers to now support OAuth: earlier this year, the innovative Yahoo Fire Eagle API integrated OAuth support.
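
The valet-key delegation described above, as an added example that is not from the original article or from Google's or Yahoo's code: a toy in-memory Service Provider walking through the request token, user authorization and access token steps. The class and method names, the `alice` and `site-a` sample data and the per-resource `scope` are assumptions made for illustration, and request signing with consumer secrets is left out.

```python
import hmac, secrets
class ServiceProvider:
    """Toy 'site B': holds the User's password and private resources."""
    def __init__(self):
        self._passwords = {"alice": "correct horse"}   # constructed sample data
        self._resources = {"alice": {"contacts": ["bob@example.com"], "mail": ["private"]}}
        self._pending = {}   # request token -> {consumer, user, scope}
        self._granted = {}   # access token  -> (user, scope)

    def issue_request_token(self, consumer):
        # Step 1: the Consumer obtains a request token that is not yet authorized.
        token = secrets.token_urlsafe(16)
        self._pending[token] = {"consumer": consumer, "user": None, "scope": None}
        return token

    def authorize(self, request_token, user, password, scope):
        # Step 2: the User logs in at the Service Provider, never via the Consumer.
        expected = self._passwords.get(user)
        if expected is None or not hmac.compare_digest(expected, password):
            raise PermissionError("bad credentials")
        self._pending[request_token].update(user=user, scope=frozenset(scope))

    def exchange(self, request_token, consumer):
        # Step 3: the Consumer swaps the approved request token for an access token.
        grant = self._pending.pop(request_token, None)   # single use
        if not grant or grant["consumer"] != consumer or grant["user"] is None:
            raise PermissionError("request token not authorized for this consumer")
        token = secrets.token_urlsafe(16)
        self._granted[token] = (grant["user"], grant["scope"])
        return token

    def get_resource(self, access_token, name):
        # The valet key: valid only for what the User approved, until revoked.
        if access_token not in self._granted:
            raise PermissionError("unknown or revoked token")
        user, scope = self._granted[access_token]
        if name not in scope:
            raise PermissionError(f"token does not cover {name!r}")
        return self._resources[user][name]

    def revoke(self, access_token):
        # The User withdraws the Consumer's access without changing the password.
        self._granted.pop(access_token, None)

def demo():
    sp = ServiceProvider()
    rt = sp.issue_request_token("site-a")                       # Consumer = site A
    sp.authorize(rt, "alice", "correct horse", ["contacts"])    # done by the User
    return sp, sp.exchange(rt, "site-a")
```

The token returned by `demo()` reads `contacts` but is refused for `mail`, and stops working after `revoke()` while the User's password stays unchanged.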
