OAuth
OAuth is an open standard for authorization. It allows users to share their private resources (e.g., photos, videos, contact lists) stored on one site with another site without having to hand out their credentials, typically a username and password.

OAuth allows users to hand out tokens instead of credentials for their data hosted by a given service provider. Each token grants access to a specific site (e.g., a video editing site), for specific resources (e.g., just the videos in one album) and for a defined duration (e.g., the next 2 hours). This lets a user grant a third-party site access to information stored with another service provider without handing over their credentials or exposing the full extent of their data.

OAuth is complementary to, but distinct from, OpenID.

History

OAuth began in November 2006, when Blaine Cook was developing the Twitter OpenID implementation. Meanwhile, Ma.gnolia needed a solution to allow its members with OpenIDs to authorize Dashboard Widgets to access their service. Cook, Chris Messina and Larry Halff from Ma.gnolia met with David Recordon to discuss using OpenID with the Twitter and Ma.gnolia APIs to delegate authentication. They concluded that there were no open standards for API access delegation.

The OAuth discussion group was created in April 2007 for the small group of implementers to write the draft proposal for an open protocol. DeWitt Clinton from Google learned of the OAuth project and expressed his interest in supporting the effort. In July 2007 the team drafted an initial specification. Eran Hammer-Lahav joined and coordinated the many OAuth contributions, creating a more formal specification. On October 3, 2007, the OAuth Core 1.0 final draft was released.

At the 73rd Internet Engineering Task Force (IETF) meeting in Minneapolis in November 2008, an OAuth BOF (birds of a feather session) was held to discuss bringing the protocol into the IETF for further standardization work. The event was well attended and there was wide support for formally chartering an OAuth working group within the IETF.

The OAuth 1.0 Protocol was published as RFC 5849, an informational Request for Comments, in April 2010.

Since August 31, 2010, all third party Twitter applications have been required to use OAuth.

OAuth 2.0

OAuth 2.0 is the next evolution of the OAuth protocol and is not backward compatible with OAuth 1.0. It focuses on simplicity for client developers while providing specific authorization flows for web applications, desktop applications, mobile phones and living room devices. The specification is being developed within the IETF OAuth WG and, according to Eran Hammer-Lahav, was expected to be finalized by the end of 2010.

Facebook's new Graph API only supports OAuth 2.0 and is the largest implementation of the emerging standard. As of 2011, both Google and Microsoft had added experimental OAuth 2.0 support to their APIs.

Security

On April 23, 2009, a session fixation security flaw in the 1.0 protocol was announced. It affects the OAuth authorization flow (also known as "3-legged OAuth") described in OAuth Core 1.0 Section 6: an attacker who starts the flow and obtains a request token can trick the victim into authorizing that token, then redeem it from the attacker's own session.
Version 1.0a of the OAuth Core protocol was issued to address this issue. It binds the callback URL to the signed request-token request and adds an oauth_verifier value, issued when the user authorizes and delivered only through the consumer's callback, which the consumer must present when exchanging the request token for an access token.

Security concerns about OAuth remain a subject of debate.
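To make the flaw and the 1.0a fix concrete, here is an added example, written for this page and not taken from the OAuth specification or from any OAuth library, of a toy service provider in Python that can run in either mode. The consumer key, callback URL, user names and the whoami endpoint are assumptions for illustration, and the request signing that real OAuth 1.0 performs is omitted. In 1.0 mode the provider redeems any authorized request token on presentation; in 1.0a mode it also demands the oauth_verifier issued at authorization, which is handed back only through the consumer's callback in the authorizing user's browser, so an attacker who fixated the request token never learns it.

```python
"""Toy OAuth 1.0 vs 1.0a service provider (example code for this page, not a
real library).  Tokens are random strings; the callback redirect is modelled
by returning the verifier to the caller instead of issuing an HTTP redirect."""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class RequestToken:
    consumer_key: str
    callback: str                       # bound in the signed request-token step (1.0a)
    authorized_by: Optional[str] = None  # user who approved the token
    verifier: Optional[str] = None       # oauth_verifier, issued on approval (1.0a only)


class ServiceProvider:
    def __init__(self, require_verifier: bool) -> None:
        # require_verifier=False models OAuth Core 1.0, True models 1.0a.
        self.require_verifier = require_verifier
        self.request_tokens: Dict[str, RequestToken] = {}
        self.access_tokens: Dict[str, str] = {}  # access token -> user id

    def issue_request_token(self, consumer_key: str, callback: str) -> str:
        token = secrets.token_urlsafe(12)
        self.request_tokens[token] = RequestToken(consumer_key, callback)
        return token

    def authorize(self, token: str, user: str) -> Tuple[str, Optional[str]]:
        """The resource owner approves the request token in their browser.
        Returns (callback_url, verifier): the redirect back to the consumer.
        In 1.0a the verifier exists only inside that redirect."""
        rt = self.request_tokens[token]
        rt.authorized_by = user
        if self.require_verifier:
            rt.verifier = secrets.token_urlsafe(8)
        return rt.callback, rt.verifier

    def exchange(self, token: str, verifier: Optional[str] = None) -> str:
        """Swap an authorized request token for an access token."""
        rt = self.request_tokens.pop(token)  # request tokens are single-use
        if rt.authorized_by is None:
            raise PermissionError("request token not authorized")
        if self.require_verifier and (
            verifier is None or not secrets.compare_digest(verifier, rt.verifier)
        ):
            raise PermissionError("missing or wrong oauth_verifier")
        access = secrets.token_urlsafe(16)
        self.access_tokens[access] = rt.authorized_by
        return access

    def whoami(self, access_token: str) -> str:
        """A protected API call returning the user id behind the token
        (hypothetical endpoint; the 'valet key' identity lookup)."""
        return self.access_tokens[access_token]


def fixation_attack(require_verifier: bool) -> Optional[str]:
    """Attacker starts the flow, lures the victim into approving the
    attacker's request token, then redeems it from the attacker's own
    session, which never saw the callback.  Returns the victim's user id
    if the attack succeeds, None if the provider refuses."""
    sp = ServiceProvider(require_verifier)
    token = sp.issue_request_token("photo-editor", "https://editor.example/cb")
    sp.authorize(token, user="victim@example.com")  # verifier goes to victim's browser
    try:
        access = sp.exchange(token)  # attacker has no oauth_verifier to present
    except PermissionError:
        return None
    return sp.whoami(access)


def legitimate_flow(require_verifier: bool) -> str:
    """The honest 3-legged flow: the consumer receives the callback and
    presents the verifier when exchanging."""
    sp = ServiceProvider(require_verifier)
    token = sp.issue_request_token("photo-editor", "https://editor.example/cb")
    _callback, verifier = sp.authorize(token, user="alice@example.com")
    access = sp.exchange(token, verifier)
    return sp.whoami(access)


if __name__ == "__main__":
    print("1.0  fixation yields:", fixation_attack(require_verifier=False))
    print("1.0a fixation yields:", fixation_attack(require_verifier=True))
    print("1.0a honest flow:", legitimate_flow(require_verifier=True))
```

The verifier helps only if the consumer finishes the exchange in the browser session that received the callback; a consumer that stores the verifier server-side keyed by request token and lets any session complete the exchange reintroduces the fixation. The final whoami call is the "valet key" identity lookup that the pseudo-authentication section below describes: the token proves that some user granted access, and the API is then asked who that user was.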

Uses

OAuth can be used as an authorization mechanism for consuming secured (i.e., authenticated) RSS/Atom feeds. Consuming RSS/Atom feeds that require authentication has long been a problem. For example, an RSS feed from a secured Google Sites site cannot be consumed using Google Reader. 3-legged OAuth can be used to authorize Google Reader to read the RSS feed from that Google Site.

OpenID vs. pseudo-authentication using OAuth

The following drawing highlights the differences between using OpenID and OAuth for authentication. Note that with OpenID the process starts with the application asking the user for their identity (typically an OpenID URI), whereas with OAuth the application directly requests a limited-access OAuth token (the valet key) to access the APIs (enter the house) on the user's behalf. If the user grants that access, the application can retrieve the user's unique identifier through the APIs and use it to establish the profile (identity). Because the token only proves that some user granted the application access, not which user is currently interacting with the application, this is pseudo-authentication rather than authentication proper.

The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.