(A little late but) OAuth has won CNET’s 2009 Webware 100 award in the Editors’ Choice Most Important Technology category:
OAuth is a developing standard that lets Web services interact with each other on behalf of users, without requiring users to give up their passwords.
Why do we need it? The best reason, and one that makes it clear to almost everyone: Twitter apps. Currently, when you use a third-party Twitter application such as Tweetdeck, you have to give the app your Twitter credentials: user name and password. That is a key to your entire Twitter account. An app like Tweetdeck could, if hacked or written maliciously, log in to your Twitter account and mess with it, locking you out or worse. OAuth lets permissions be set between services, so you could tell Twitter that an app like Tweetdeck may send messages on your behalf, but do nothing else.
OAuth is conceptually related to OpenID (another Webware 100 winner), which lets users use one log-in to access several services. But it is quite a different thing. It enables a user's legion of Web services to work with each other on his or her behalf, even when the user is not logged in.
There is a pretty good story behind this. That is, how we found and managed the OAuth protocol security threat identified last week. In many ways, the story is much more important and interesting than the actual technical details of the exploit.
For everyone involved, this was a first-of-a-kind experience: managing a specification security hole (as opposed to a software bug) in an open specification, with an open community, and no clear governance model. Where do you even begin?
But right now, I know you want the technical details.
Yesterday Twitter released 'Sign-in with Twitter', the ability to use Twitter as a delegated sign-in provider for third-party websites. The cool thing about this new feature, which is part of their OAuth API beta, is that it is completely standard OAuth. No extensions, no secret sauce, and not another proprietary provider (yes, I'm looking at you Facebook).
It is Open done right.
With this small enhancement of the Twitter OAuth API, Twitter created a product that directly competes with Facebook Connect. The implementation details are significantly different (and there are some technical shortcomings on both sides), but there is little you can do with one and not the other. There is no reason why 'Sign-in with Twitter' cannot be used anywhere Facebook Connect is offered, including blog posts and activity streaming.
This was a light blogging week with mostly short posts. They included an invitation to attend the upcoming Internet Identity Workshop, clarifications to help those implementing OAuth on the server side, an announcement about OAuth being nominated for a Webware 100 award, a call for action in the Open Web Foundation, and some advice on versioning specifications.
I will be traveling to New York, New Jersey, and Virginia over the next 10 days. Hope to see a lot of my New York friends while I'm there.
With a growing number of new specifications being published by first-time authors, I think it is important to pay attention to when a specification should carry a version number. For most people, giving a specification a version is a sign of forward thinking and planning for future revisions. But not every specification should have a version number.
OAuth was selected as a finalist in the Infrastructure & Storage category in the 2009 Webware 100 Awards. I consider this nomination as a recognition of the incredible accomplishments of the OAuth community and the record-breaking adoption of the OAuth Core 1.0 protocol. Voting is open until April 30th, so go vote…
It's never good when specifications are read like the bible, where people find in them what they want.
Over the past few months I have been getting many questions about requirements in the OAuth Core 1.0 specification, as well as finding significant issues with existing implementations. I agree that the specification isn't clear on many of these issues, but until we have a replacement, I hope this list will help.
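Most of the server-side implementation trouble with OAuth Core 1.0 comes from the signature: how parameters are percent-encoded and sorted, how the base URL is normalized, and how the server recomputes and compares the signature. The following is an added example (not code from this post or from the OAuth specification itself) that builds the signature base string, computes the HMAC-SHA1 signature, and verifies a request the way a provider should. The request values are the ones published as the worked example in Appendix A of OAuth Core 1.0; the replay cache and the helper names are my own assumptions.

```python
"""OAuth Core 1.0 HMAC-SHA1 signing and server-side verification (added example)."""
import base64
import hashlib
import hmac
from urllib.parse import quote, urlsplit


def oauth_encode(value: str) -> str:
    """Percent-encode as OAuth Core 1.0 section 5.1 requires: only ALPHA,
    DIGIT, '-', '.', '_' and '~' stay bare; everything else (including '/')
    becomes %XX with uppercase hex. urllib's quote() leaves '~' bare on
    Python 3.7+, and safe='' forces '/' to be encoded as well."""
    return quote(str(value).encode("utf-8"), safe="")


def normalize_url(url: str) -> str:
    """Section 9.1.2: lowercase scheme and host, drop default ports, drop the
    query string and fragment, keep the path."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = parts.hostname.lower()
    port = parts.port
    default = (scheme == "http" and port == 80) or (scheme == "https" and port == 443)
    if port and not default:
        host = f"{host}:{port}"
    return f"{scheme}://{host}{parts.path or '/'}"


def signature_base_string(method: str, url: str, params) -> str:
    """Section 9.1.3. params is an iterable of (name, value) pairs covering
    query-string and oauth_* parameters; oauth_signature is never included."""
    encoded = sorted(
        (oauth_encode(k), oauth_encode(v)) for k, v in params if k != "oauth_signature"
    )
    normalized = "&".join(f"{k}={v}" for k, v in encoded)  # sorted by name, then value
    return "&".join([method.upper(), oauth_encode(normalize_url(url)), oauth_encode(normalized)])


def hmac_sha1_signature(base_string: str, consumer_secret: str, token_secret: str = "") -> str:
    """Section 9.2: key is encoded consumer secret '&' encoded token secret
    (the trailing '&' stays even when there is no token secret)."""
    key = f"{oauth_encode(consumer_secret)}&{oauth_encode(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def verify_request(method, url, params, consumer_secret, token_secret, seen_nonces) -> bool:
    """Provider side: recompute the signature from the received parameters and
    compare in constant time. seen_nonces is an assumed replay cache keyed on
    (consumer key, timestamp, nonce); a timestamp freshness window would be
    checked here too, and is left to provider policy."""
    params = list(params)
    received = dict(params)
    if received.get("oauth_signature_method") != "HMAC-SHA1":
        return False
    nonce_key = (received.get("oauth_consumer_key"), received.get("oauth_timestamp"), received.get("oauth_nonce"))
    if nonce_key in seen_nonces:
        return False  # replayed request
    expected = hmac_sha1_signature(signature_base_string(method, url, params), consumer_secret, token_secret)
    if not hmac.compare_digest(expected.encode(), received.get("oauth_signature", "").encode()):
        return False
    seen_nonces.add(nonce_key)
    return True


# Request values from the worked example in OAuth Core 1.0, Appendix A.
SPEC_URL = "http://photos.example.net/photos"
SPEC_PARAMS = [
    ("file", "vacation.jpg"),
    ("size", "original"),
    ("oauth_consumer_key", "dpf43f3p2l4k3l03"),
    ("oauth_token", "nnch734d00sl2jdk"),
    ("oauth_signature_method", "HMAC-SHA1"),
    ("oauth_timestamp", "1191242096"),
    ("oauth_nonce", "kllo9940pd9333jh"),
    ("oauth_version", "1.0"),
]
SPEC_CONSUMER_SECRET = "kd94hf93k423kf44"
SPEC_TOKEN_SECRET = "pfkkdhi9sl3r4s00"


def sign_spec_example():
    """Return (base string, signature) for the Appendix A request."""
    base = signature_base_string("GET", SPEC_URL, SPEC_PARAMS)
    return base, hmac_sha1_signature(base, SPEC_CONSUMER_SECRET, SPEC_TOKEN_SECRET)


if __name__ == "__main__":
    base, sig = sign_spec_example()
    print(base)
    print(sig)
    cache = set()
    signed = SPEC_PARAMS + [("oauth_signature", sig)]
    print(verify_request("GET", SPEC_URL, signed, SPEC_CONSUMER_SECRET, SPEC_TOKEN_SECRET, cache))
    print(verify_request("GET", SPEC_URL, signed, SPEC_CONSUMER_SECRET, SPEC_TOKEN_SECRET, cache))
```

Three details trip up real implementations and are all exercised here: '~' must not be encoded while '/' must, parameters are sorted after encoding (by name, then value), and the provider rebuilds the base string from what it actually received rather than trusting any client-supplied URL or parameter order. Running the block prints the base string and signature from the specification's appendix, then True for the first verification and False for the replay of the same nonce.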