Don’t get me wrong, OAuth is great, or at least I hope it will be, considering the number of hours I put in this week getting the spec ready for prime time. But I’ve been hearing a lot of chatter lately on what OAuth is good for, and some of it makes little sense to me. I don’t want to point at specific examples, as some of them come from people I truly admire, but they are there. At the Data Sharing Summit, OAuth was thrown into the mix of solutions to problems it had nothing to do with.
OAuth is perfect for any case where you don’t want to give out your username and password, but instead want to give something else that you can revoke at any time and that gives another site limited access to your stuff. I have been busy the past couple of nights writing a new complete OAuth example for the spec. It begins something like this:
In this example, the Service Provider photos.example.com is a photo sharing website, and the Consumer printer.example.com is a photo printing website. Jane, the User, would like printer.example.com to print the private photo `vacation.jpg` stored at photos.example.com.
When Jane signs into photos.example.com using her username and password, she can access the photo by going to the URL `http://photos.example.com/file=vacation.jpg`. Other Users cannot access that photo, and Jane does not want to share her username and password with printer.example.com.
For me, this is the ultimate example. Where are some places OAuth doesn’t belong? To start with, at the Service Provider. This might sound obvious, but it is not (to some people). Another test is whether OAuth makes life more difficult. If you currently just enter a username and password into some application, but will now have to go through a whole bunch of steps, screens, and prompts, it probably means they shouldn’t have used OAuth.
OAuth replaces one dialog for username and password (which is the typical credential set – OAuth does not mention usernames and passwords specifically) with two dialogs: one for username and password, and another asking you whether you want to give some site access to your private stuff. That’s it. If you read OAuth and think it is perfect for what you are doing, ask yourself whether you will be able to stick to this simple flow – if not, you might be using the wrong tool.
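To make the photo-printing scenario and the two-dialog flow concrete, here is an added simulation of both sides of the OAuth 1.0 exchange. It is example code written for this post, not the spec’s own example and not code from any real photos.example.com or printer.example.com. The consumer key, secret, Jane’s password, the photo bytes and the endpoint URLs are all constructed placeholders; the HMAC-SHA1 signing follows the OAuth 1.0 signature base string rules (sorted parameters, percent-encoded parts joined with `&`, key = consumer secret `&` token secret). The point to watch is that Jane’s password is only ever checked by the Service Provider, the Consumer only ever holds tokens, and Jane can revoke a token without changing her password.

```python
"""Simulation of the OAuth 1.0 delegation flow from the post's example (added example)."""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote


def percent_encode(value):
    # OAuth 1.0 uses RFC 3986 encoding: only unreserved characters stay literal.
    return quote(value, safe="-._~")


def signature_base_string(method, url, params):
    # Parameters sorted by name, each part percent-encoded, joined with "&".
    normalized = "&".join(f"{percent_encode(k)}={percent_encode(v)}" for k, v in sorted(params.items()))
    return "&".join([method.upper(), percent_encode(url), percent_encode(normalized)])


def hmac_sha1(base, consumer_secret, token_secret=""):
    key = f"{percent_encode(consumer_secret)}&{percent_encode(token_secret)}"
    return base64.b64encode(hmac.new(key.encode(), base.encode(), hashlib.sha1).digest()).decode()


class PhotoService:
    """photos.example.com: the only party that ever sees Jane's password."""

    def __init__(self):
        self.users = {"jane": "jane-password"}                   # constructed credential
        self.photos = {"jane": {"vacation.jpg": b"JPEGDATA"}}    # constructed photo bytes
        self.consumers = {"printer-key": "printer-secret"}       # constructed consumer registration
        self.tokens = {}  # token -> {secret, consumer, kind, user, revoked}

    def _verify(self, method, url, params, token_secret=""):
        params = dict(params)
        sig = params.pop("oauth_signature", None)
        secret = self.consumers.get(params.get("oauth_consumer_key"))
        if secret is None or sig is None:
            return False
        expected = hmac_sha1(signature_base_string(method, url, params), secret, token_secret)
        return hmac.compare_digest(expected, sig)

    def _issue(self, kind, consumer, user):
        token, secret = secrets.token_hex(8), secrets.token_hex(16)
        self.tokens[token] = {"secret": secret, "consumer": consumer, "kind": kind, "user": user, "revoked": False}
        return token, secret

    def request_token(self, params):
        # Dialog 0 (no user involved): the Consumer asks for an unauthorized request token.
        if not self._verify("POST", "https://photos.example.com/request_token", params):
            return None
        return self._issue("request", params["oauth_consumer_key"], None)

    def authorize(self, username, password, token):
        # Dialog 1 + 2: Jane logs in here and approves the Consumer's request token.
        entry = self.tokens.get(token)
        if self.users.get(username) != password or entry is None or entry["kind"] != "request":
            return False
        entry["user"] = username
        return True

    def access_token(self, params):
        # The Consumer swaps the approved request token for an access token (single use).
        entry = self.tokens.get(params.get("oauth_token"))
        if entry is None or entry["kind"] != "request" or entry["user"] is None:
            return None
        if not self._verify("POST", "https://photos.example.com/access_token", params, entry["secret"]):
            return None
        del self.tokens[params["oauth_token"]]
        return self._issue("access", entry["consumer"], entry["user"])

    def get_photo(self, params):
        # Protected resource: needs a live access token and a valid signature, never a password.
        entry = self.tokens.get(params.get("oauth_token"))
        if entry is None or entry["kind"] != "access" or entry["revoked"]:
            return None
        if not self._verify("GET", "https://photos.example.com/photo", params, entry["secret"]):
            return None
        return self.photos[entry["user"]].get(params.get("file"))

    def revoke(self, username, password, token):
        # Jane withdraws the grant; her password stays the same.
        entry = self.tokens.get(token)
        if self.users.get(username) != password or entry is None or entry["user"] != username:
            return False
        entry["revoked"] = True
        return True


class PrinterService:
    """printer.example.com: holds only its consumer secret and the tokens it is given."""

    def __init__(self, key="printer-key", secret="printer-secret"):
        self.key, self.secret = key, secret

    def signed(self, method, url, token="", token_secret="", **extra):
        params = {"oauth_consumer_key": self.key, "oauth_signature_method": "HMAC-SHA1",
                  "oauth_nonce": secrets.token_hex(8), "oauth_timestamp": str(int(time.time())),
                  "oauth_version": "1.0", **extra}
        if token:
            params["oauth_token"] = token
        params["oauth_signature"] = hmac_sha1(signature_base_string(method, url, params), self.secret, token_secret)
        return params


def print_vacation_photo(photos, printer):
    """Run the whole flow; returns (access_token, access_token_secret, photo_bytes)."""
    rt, rts = photos.request_token(printer.signed("POST", "https://photos.example.com/request_token"))
    if not photos.authorize("jane", "jane-password", rt):
        raise RuntimeError("Jane did not approve the request token")
    at, ats = photos.access_token(printer.signed("POST", "https://photos.example.com/access_token", rt, rts))
    photo = photos.get_photo(printer.signed("GET", "https://photos.example.com/photo", at, ats, file="vacation.jpg"))
    return at, ats, photo
```

Running `print_vacation_photo(PhotoService(), PrinterService())` returns the photo bytes; calling `get_photo` without a token, with a tampered signature, or after `revoke` returns `None`. Those three refusals are the whole value proposition the post describes: the printer gets exactly one revocable capability, and nothing it holds is usable to log in as Jane.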
The one place OAuth does not belong but should be anyway is the DMV! It will not make things better but you’ll know the steps to that dance.
‘OAuth at the DMV’ was written by me, created by Christopher Carrasco.