Scott's Workblog


November 17, 2008

OAuth heading for IETF standardisation

OAuth is a mechanism by which users can authorize websites to grant third-party applications access to the users' information without sharing their credentials. This is increasingly important for things like iPhone applications, widgets, and other applications that connect to online services. OAuth itself isn't new, but moving towards IETF standardisation is a significant step.

The announcement was very brief; there isn't even any mention of it on the actual OAuth website, just a thread on the discussion forum. But in October a draft of the OAuth Core specification was submitted to the IETF as an Internet Draft for development into an Internet Standard.

This is one of the first steps in what can be a long process. However, OAuth Core 1.0 is now a mature community specification with a large number of implementations available, which should make the process much easier than it would be for a relatively untested concept.

OAuth solves a common problem in mashups and services: in order to perform a service for the user, you require access to something of theirs on another site - their photos on Flickr, their buddy list on AOL, or some other set of privileged access.

Typically applications have handled this by getting the user to share their login information, and have then acted as the user. For example, if you wanted to have Flickr announce your photos on your LiveJournal, you did this by telling Flickr your LiveJournal username and password.

OAuth replaces this with a process whereby the application directs you to your account and lets you log in there, granting a "valet key" to the application that lets it access particular services or information. Importantly, this "valet key" enables the application to act as itself, distinguishing its actions on your behalf from your own use of the service.
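As an added illustration (not code from this blog or from the OAuth project), here is a minimal OAuth Core 1.0 HMAC-SHA1 signing and verification round trip in Python. The consumer key and secret, token, token secret, nonce and endpoint URL are constructed for the example. It shows what the "valet key" means in practice: the application signs each request with its own consumer secret plus the token secret the user authorized, so the user's password is never transmitted, and the server can tell which application acted on which user's behalf while rejecting replayed, stale or tampered requests.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote, urlsplit


def oauth_escape(value):
    """Percent-encode as OAuth 1.0 requires: only RFC 3986 unreserved characters stay bare."""
    return quote(str(value), safe="-._~")


def signature_base_string(method, url, params):
    """Build the OAuth 1.0 signature base string: METHOD & base-URL & sorted, encoded parameters."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = parts.hostname.lower()
    port = parts.port
    # Default ports are dropped; any other port stays part of the base URL.
    if port and not ((scheme == "http" and port == 80) or (scheme == "https" and port == 443)):
        host = f"{host}:{port}"
    base_url = f"{scheme}://{host}{parts.path or '/'}"
    # Every query parameter plus the oauth_* parameters (except the signature itself),
    # encoded first and then sorted by key and value so both sides derive the same string.
    pairs = sorted((oauth_escape(k), oauth_escape(v)) for k, v in params if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), oauth_escape(base_url), oauth_escape(normalized)])


def hmac_sha1_signature(base_string, consumer_secret, token_secret=""):
    """Sign with consumer secret and token secret joined by '&'; the user's password is never involved."""
    key = f"{oauth_escape(consumer_secret)}&{oauth_escape(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def sign_request(method, url, query_params, consumer_key, consumer_secret,
                 token, token_secret, nonce=None, timestamp=None):
    """Client side: produce the oauth_* parameters for one protected-resource request."""
    oauth_params = {
        "oauth_consumer_key": consumer_key,   # identifies the application itself
        "oauth_token": token,                 # the "valet key" the user granted to it
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(int(time.time()) if timestamp is None else timestamp),
        "oauth_nonce": secrets.token_hex(8) if nonce is None else nonce,
        "oauth_version": "1.0",
    }
    base = signature_base_string(method, url, list(query_params) + list(oauth_params.items()))
    oauth_params["oauth_signature"] = hmac_sha1_signature(base, consumer_secret, token_secret)
    return oauth_params


class ResourceServer:
    """Server side: checks which application asks, on whose behalf, and that the request is fresh."""

    def __init__(self, consumers, tokens, max_skew=300):
        self.consumers = consumers    # consumer_key -> consumer_secret (constructed registry)
        self.tokens = tokens          # token -> (consumer_key it was issued to, token_secret, user)
        self.seen_nonces = set()      # (consumer_key, timestamp, nonce) already accepted
        self.max_skew = max_skew      # seconds of clock drift tolerated

    def verify(self, method, url, query_params, oauth_params, now=None):
        """Return (user, consumer_key) for a valid request, or None if it must be rejected."""
        now = int(time.time()) if now is None else now
        consumer_key = oauth_params.get("oauth_consumer_key")
        consumer_secret = self.consumers.get(consumer_key)
        token_record = self.tokens.get(oauth_params.get("oauth_token"))
        if consumer_secret is None or token_record is None:
            return None
        issued_to, token_secret, user = token_record
        if issued_to != consumer_key:
            return None   # a token only works for the application it was granted to
        if oauth_params.get("oauth_signature_method") != "HMAC-SHA1":
            return None
        try:
            timestamp = int(oauth_params.get("oauth_timestamp", ""))
        except ValueError:
            return None
        if abs(now - timestamp) > self.max_skew:
            return None   # stale request
        nonce_key = (consumer_key, timestamp, oauth_params.get("oauth_nonce"))
        if nonce_key in self.seen_nonces:
            return None   # replayed request
        params = list(query_params) + list(oauth_params.items())
        expected = hmac_sha1_signature(signature_base_string(method, url, params),
                                       consumer_secret, token_secret)
        if not hmac.compare_digest(expected, oauth_params.get("oauth_signature", "")):
            return None   # wrong secrets or altered parameters
        self.seen_nonces.add(nonce_key)
        return user, consumer_key
```

Usage: `sign_request("GET", url, query, consumer_key, consumer_secret, token, token_secret)` gives the application the `oauth_*` parameters to send with the request, and `ResourceServer.verify(...)` on the service side returns the user the token was granted for together with the consumer key, so the service can log and limit the application's actions separately from the user's own sessions. The nonce set and timestamp window are what stop a captured request from being resubmitted.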

OAuth is already implemented in a surprising number of places; it's a testimony to its effectiveness that for the most part users are completely unaware of it. For an example of how it works, take a look at how Pownce on iPhone uses OAuth. Developers may also be interested in Google's OAuth Playground for using OAuth support in GData applications.
