OAuth Core 1.0

The OAuth community, to a large extent, emerged out of the OpenID community. Around November 2006, Blaine Cook was investigating adding OpenID support to Twitter, where he served as chief architect. Blaine was also looking for a better authentication method for the Twitter API, one that did not require Twitter users to share their usernames and passwords with third-party applications.

We want something like Flickr Auth / Google AuthSub / Yahoo! BBAuth, but published as an open standard, with common server and client libraries, etc. The trick with OpenID is that the users no longer have passwords, so you can’t use basic auth for API calls without requiring passwords (defeating one of the main points of OpenID) or giving cut-and-paste tokens (which suck).

– Blaine Cook, April 5th, 2007

At the same time, Chris Messina was working together with Larry Halff and the Ma.gnolia team on integrating OpenID into the Ma.gnolia Dashboard Widgets (the Ma.gnolia service was discontinued in February 2009). Blaine and Chris got in touch in December 2006 and organized a meeting with David Recordon (OpenID co-creator) and others at a Citizen Space OpenID meetup to discuss existing solutions.

After reviewing the existing OpenID functionality and the limitations of its design, as well as existing proprietary protocols, the group came to the conclusion that there was a need for a new open standard for API access control that did not require sharing password and was login-agnostic, allowing technologies such as OpenID to be used with API calls. They called the new initiative OpenAuth (inspired by OpenID).

[It's about] providing a standard blueprint for these services to follow so that you can substitute any kind of authentication in the middle of accessing a remote web service and have it work — without needing to build specific implementations for each form of authentication. At once it makes a developer’s life easier by cutting down the number of external auth protocols they need to support and it creates a standard user flow for the end user experience (based on the well-established FlickrAuth flow).

– Chris Messina, July 30th, 2007

In April 2007, the OpenAuth Google group was created with a small group of engineers working together to produce a proposal for such an open protocol. It turned out that this problem wasn’t unique to OpenID, with application developers using other services asking for similar solutions. The original group included Blaine Cook, Kellen Elliott-McCrea, Larry Halff, Tara Hunt, Ian McKeller, Chris Messina, and a few others.

On April 16th, 2007, AOL introduced their OpenAuth protocol. The AOL protocol focused on using the AOL login system to authenticate users on other applications (for example, to log into the AIM service using a third-party application). This forced the group to look for a new name, and on May 5th, 2007, the name OAuth was chosen (pronounced oh-auth).

We need to agree on pronunciation — I really could go either way — as in “oath” or, as Blaine always says “Oh-auth”. Oauth is a good, short name and we have the domains (which is tough for 5 letters). I think that it also has a nice double entente where the idea of an “oath” (like a sacred vow) is being made between you and the originating source of data (the “oath” being that your data provider will act on your behalf and only share your data the way you tell it to) and the built-in “auth” aspect signifies to techie folks what this thing is about.

– Chris Messina, July 9th, 2007

In early June 2007, DeWitt Clinton from Google caught wind of the project and expressed his interest in supporting the effort. DeWitt brought the effort to the attention of the Google security team and got Ben Laurie and Jonathan Sergent involved.

On June 10th, 2007, Blaine Cook and Kellen Elliott-McCrea wrote the first outline. It was, as Kellen put it:

Some notes Blaine and I scrawled down tonight. Trying to nail down the “rough consensus” half of “rough consensus and running code“. They may or may not be penetrable.

– Kellen Elliott-McCrea, June 10th, 2007

On June 14th, David Recordon joined the drafting effort. He also met with George Fletcher and Praveen Alavilli from AOL to discuss the proposal.

The group met again at the end of June 2007 at FooCamp. In July 2007 after the first iPhoneDevCamp, which was well attended and the first time OAuth has been discussed in public, it was decided that the time had come to open it up for others to join.

The public OAuth Google group was created on July 10th, and on July 15th, David Recordon took the collection of notes and turned it into the first real specification draft.

Early OAuth Logo Mockups by Chris Messina

As the group opened up during FooCamp and iPhoneDevCamp, and moved to its new list, other contributors joined the effort like Mark Atwood, John Panzer, Eran Sandler, and Brian Slesinsky. On July 26th, the first public draft was published. On August 5th, 2007, Michal Migurski submitted the first OAuth client implementations in PHP and Python, designed to work with the then-private Twitter OAuth API prototype.

On July 27th, 2007, Eran Hammer-Lahav (while a bit odd, I am going to write about myself in the third person for consistency) joined the project and started contributing to the specification, eventually taking over a community chair and editor. On August 21st and 28th, the group met in person at the Twitter office, with a few people dialing in, and worked together to produce the 0.9 draft.

Between July and November 2007, the community published 7 additional drafts. The drafts received growing interest, community feedback and contributions, most notably, the initial specification cleanup by Larry Halff and Todd Sieling, and the document restructuring and transition to the ‘unified flow’ (a single workflow for the three classes of clients – web-based, desktop, and mobile) by Eran Hammer-Lahav.

On December 4th, the OAuth Core 1.0 specification was declared final at the Internet Identity Workshop, beating OpenID 2.0 by one day. Ma.gnolia had the first live production OAuth implementation. On August 26th, 2008, after help from Gabe Wachob and the Yahoo! legal team, all the original contributors to the OAuth specification and their employer executed the OAuth Non-Assert and License agreement, guaranteeing that the specification will continue to be freely available to all implementers.

OAuth Core 1.0 Revision A

On April 15th, 2009, Twitter released a delegated user authentication solution called ‘Sign-in with Twitter’ using the OAuth protocol. Unlike OpenID which provides a federated, vendor-neutral user authentication framework, the OAuth-based approach created a service specific to Twitter (similar to Facebook Connect).

The release triggered a comprehensive security review of the OAuth Core 1.0 protocol since it was being used for a different set of use cases than originally intended. Two days later at Social Web FooCamp, a potential exploit has been identified which affected almost every OAuth implementation. It was the first real test of the community’s ability to address security issues since the specification has been completed.

The community released its first Security Advisory (2009.1) on April 23rd 2009, and followed with a revised version of the protocol, OAuth Core 1.0 Revision A on June 24th, 2009.

OAuth at the IETF

In May 2008, Mark Nottingham suggested bringing the OAuth work into the IETF. At a Bar BOF at the Vancouver IETF meeting in December 2007, many people expressed an interest in forming a new working group in the area of Web Authentication. Given the progress OAuth has made, it seems like a productive idea to use it to bootstrap such a working group.

In November 2008 with the support of Lisa Dusseault, the IETF Application Area Director, and with the help of Mark and Sam Hartman, the IETF held its first OAuth BOF at the 73rd IETF meeting in Minneapolis, MN. Larry Halff presented a study of the various OAuth use cases and the overall reception was very positive. Shortly after the second OAuth BOF held March 23rd, 2009 at the 74th IETF meeting in San Francisco, CA, the OAuth Working Group has been approved.

The OAuth working group was created to standardize the OAuth Core 1.0 protocol, while maintaining as much backward-compatibility as possible – an effort labeled ‘OAuth Core 1.1′. On November 23rd, 2009, Eran Hammer-Lahav proposed to drop work on a 1.1 revision and instead focus on a more significant 2.0 version.

OAuth Core 1.0 RFC Edition

While preparing the OAuth Core 1.0 specification for IETF submission, Eran Hammer-Lahav collected feedback from implementers regarding the readability and errors in the 1.0 specification. On March 9th, 2009, Eran published the OAuth Core 1.0 Editor’s Cut edition – a complete rewrite of the entire specification including many fixes and clarifications.

The Editor’s Cut edition was later incorporated into draft-hammer-oauth, the IETF Internet Draft used as the basis of the OAuth Working Group. In April 2010, the IETF published RFC 5849 as an informational RFC, replacing the OAuth Core 1.0 Revision A specification.

2 thoughts on “History

Comments are closed.