OAuth Wins CNET’s Webware 100 Editors’ Choice Award

(A little late, but) OAuth has won CNET’s 2009 Webware 100 award in the Editors’ Choice Most Important Technology category:

OAuth is a developing standard that lets Web services interact with each other on behalf of users, without requiring users to give up their passwords.

Why do we need it? Best reason that makes it clear to almost everyone: Twitter apps. Currently, when you’re using a third-party Twitter application, like Tweetdeck for example, you have to give the app your Twitter credentials: user name and password. That’s a key to your entire Twitter account. An app like Tweetdeck could, if hacked or written maliciously, log in to your Twitter account and mess up your account, locking you out or worse. OAuth allows permissions to be set between services, so you could tell Twitter that an app like Tweetdeck could send messages on your behalf, but do nothing else.

OAuth is conceptually related to OpenID (another Webware 100 winner), which allows users to use one log-in to access several services. But it’s quite a different thing. It enables a user’s legion of Web services to work with each other on his or her behalf, even when they are not logged in.

Explaining the OAuth Session Fixation Attack

There is a pretty good story behind this: how we found and managed the OAuth protocol security threat identified last week. In many ways, the story is much more important and interesting than the actual technical details of the exploit.

For everyone involved, this was a first-of-a-kind experience: managing a specification security hole (as opposed to a software bug) in an open specification, with an open community, and no clear governance model. Where do you even begin?

But right now, I know you want the technical details.


Introducing ‘Sign-in with Twitter’, OAuth-Style “Connect”

Yesterday Twitter released ‘Sign-in with Twitter’, the ability to use Twitter as a delegated sign-in provider for third-party websites. The cool thing about this new feature, which is part of their OAuth API beta, is that it is completely standard OAuth. No extensions, no secret sauce, and not another proprietary provider (yes, I’m looking at you Facebook).


It is Open done right.

With this small enhancement of the Twitter OAuth API, Twitter created a product that directly competes with Facebook Connect. The implementation details are significantly different (and there are some technical shortcomings on both sides), but there is little you can do with one and not the other. There is no reason why ‘Sign-in with Twitter’ cannot be used anywhere Facebook Connect is offered, including blog posts and activity streaming.


Quick Weekly Recap

This was a light blogging week with mostly short posts. They included an invitation to attend the upcoming Internet Identity Workshop, clarifications to help those implementing OAuth on the server side, an announcement about OAuth being nominated for a Webware 100 award, a call for action in the Open Web Foundation, and some advice on versioning specifications.

I will be traveling to New York, New Jersey, and Virginia over the next 10 days. Hope to see a lot of my New York friends while I'm there.

Clarifying OAuth Requirements for Service Providers

It's never good when specifications are read like the Bible, where people find in them what they want.

Over the past few months I have been getting many questions about requirements in the OAuth Core 1.0 specification, as well as finding significant issues with existing implementations. I agree that the specification isn't clear on many of these issues, but until we have a replacement, I hope this list will help.
