OAuth Spec 1.0 = More Personal Mashups?

A piece of the mashup puzzle that could lead to more interesting and useful applications has taken a step forward this week: the final draft of the OAuth specification is now available. What is it and why does it matter? Since there are already some very good explanations out there, here are the essentials drawn from Eran Hammer-Lahav and his OAuth series:

  • Shortest explanation possible: An API access delegation protocol
  • Your valet key for the web: Like the feature on many cars today where you give the parking attendant a special key that gives him some, but not all, access to your vehicle. On the Web you now have your own keys to dozens of sites, but how do you best handle the mashup-style case where site A wants you to grant it access to some of your data on site B? Ideally you don't want to give site A your password for site B. OAuth aims to simplify this problem: "It allows you the User to grant access to your private resources on one site (which is called the Service Provider), to another site (called Consumer, not to be confused with you, the User)."
  • Versus OpenID: OAuth and OpenID are related but are not solving the same problem and do not depend upon one another. "While OpenID is all about using a single identity to sign into many sites, OAuth is about giving access to your stuff without sharing your identity at all (or its secret parts). If OAuth depended on OpenID, only OpenID services would be able to use it, and while OpenID is great, there are many applications where it is not suitable or desired. Which doesn’t mean to say you cannot use the two together. OAuth talks about getting users to grant access while OpenID talks about making sure the users are really who they say they are."
  • History: Started with informal discussions in November 2006 about OpenID and delegated authentication; a Google group was started in April 2007, the initial spec was drafted this summer, and it is now at the 1.0 final draft.
  • Who's going to be implementing it?: "At the time of writing this, we expect initial implementations from (in alphabetical order) Digg, Jaiku, Flickr, Ma.gnolia, Plaxo, Pownce, Twitter, and hopefully Google, Yahoo, and others soon to follow."
  • Inputs: Given that this is not a new problem, the creators of this spec drew from a variety of related efforts including existing protocols like Yahoo BBAuth, Google Web Auth, Flickr API and others.
  • OAuth links: the OAuth spec and lots of related links.
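To make the valet-key idea concrete, here is an added illustration (not code from the OAuth project or the spec) of the three roles named above: the Service Provider holds the User's password and private data, the Consumer receives only a scoped token, and the signature is a simplified HMAC-SHA1 keyed by the Consumer and token secrets rather than the spec's exact signature base string. All users, secrets and resources are constructed sample values.

```python
import hashlib, hmac, secrets

def sign(consumer_secret, token_secret, token, resource):
    # Simplified signature: HMAC-SHA1 keyed by both secrets (illustrative, not the spec's exact base string)
    key = f"{consumer_secret}&{token_secret}".encode()
    return hmac.new(key, f"GET&{resource}&oauth_token={token}".encode(), hashlib.sha1).hexdigest()

class ServiceProvider:
    """Site B: the only party that ever sees the User's password (all data constructed)."""
    def __init__(self):
        self.passwords = {"alice": "alice-pw"}
        self.resources = {"alice": {"photos": ["img1", "img2"], "email": "alice@example.com"}}
        self.consumers = {"siteA": "consumer-secret"}   # registered Consumer key -> shared secret
        self.request_tokens, self.access_tokens = {}, {}

    def request_token(self, consumer_key, scope):
        tok, sec = secrets.token_hex(8), secrets.token_hex(8)
        self.request_tokens[tok] = dict(consumer=consumer_key, secret=sec, user=None, scope=scope)
        return tok, sec

    def authorize(self, tok, user, password):
        # The User authenticates here, at site B; site A never handles the password
        if self.passwords.get(user) != password:
            raise PermissionError("bad credentials")
        self.request_tokens[tok]["user"] = user

    def access_token(self, tok):
        rt = self.request_tokens.pop(tok)               # request token is single-use
        if rt["user"] is None:
            raise PermissionError("not authorized by user")
        new_tok, sec = secrets.token_hex(8), secrets.token_hex(8)
        self.access_tokens[new_tok] = {**rt, "secret": sec}
        return new_tok, sec

    def fetch(self, consumer_key, tok, resource, signature):
        at = self.access_tokens.get(tok)
        if at is None or at["consumer"] != consumer_key:
            raise PermissionError("unknown or revoked token")
        expected = sign(self.consumers[consumer_key], at["secret"], tok, resource)
        if not hmac.compare_digest(expected, signature):
            raise PermissionError("bad signature")
        if resource != at["scope"]:
            raise PermissionError("outside granted scope")   # the valet key opens some doors, not all
        return self.resources[at["user"]][resource]

def consumer_flow(sp, user_password):
    """Site A gets alice's photos from site B; the password is only ever sent to site B."""
    rt, _ = sp.request_token("siteA", "photos")
    sp.authorize(rt, "alice", user_password)          # the User's own step in her browser at site B
    at, at_secret = sp.access_token(rt)
    photos = sp.fetch("siteA", at, "photos", sign("consumer-secret", at_secret, at, "photos"))
    return at, at_secret, photos
```

Revoking the access token at the Service Provider (deleting it from `access_tokens`) cuts off site A without the User changing her password, which is the practical advantage over handing out the password itself.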

This very promising specification moved along quickly thanks to hard work and cooperation from those involved. This sort of standards effort and events like Data Sharing Summit are helping move the mashup ecosystem forward.

For more coverage see Marshall Kirkpatrick at Read/WriteWeb, Brady Forrest at O'Reilly Radar, Microsoft's Dare Obasanjo, and Chris Messina.
