OAuth 1.0 Released: Logging In Gets Safer and Easier

[Image: OAuth mockup]
The social web welcomed a new open standard into its midst Wednesday with the release of OAuth, a user authentication protocol created by a disparate group of web programmers.

OAuth involves concepts which are difficult to down-geek, so I’ll quote AOL’s John Panzer, one of the project’s participants, who offers this explanation:

“OAuth is like a valet key for all your web services. A valet key lets you give a valet the ability to park your car, but not the ability to get into the trunk or drive more than 2 miles or redline the RPMs on your high end German automobile. In the same way, an OAuth key lets you give a web agent the ability to check your web mail but NOT the ability to pretend to be you and send mail to everybody in your address book.”

Basically, it allows you to access one web service’s API from another site or from a desktop client without actually entering a full set of credentials — in most cases, a user name and password. Mashups are more secure, as you won’t need to fully authenticate at a third-party site and those sites will have more limited access to your data. Desktop clients can access web services in a strict setting (think of Pownce’s desktop client built for AIR, or the Twitterrific client for the Mac desktop) without forcing you to plug your login data into text fields. OAuth is fully compatible with OpenID, but it’s also been specifically designed to accept any proprietary authentication scheme, so it’s super-flexible.

As with any new spec, adoption is key (pun intended). Check out Chris Messina’s blog post — he lists a collection of websites currently committed to supporting the nascent spec. Also, he gives tips for programmers to help them get started implementing it. And he designed the “token” logo seen above. Busy guy!

You can read the full text of the spec at the OAuth website. Here’s another plain-language primer. Marshall at Read/Write Web also has an excellent write-up with some insight from the individuals involved in the process.

The list of key members of the OAuth group reads like a who’s who of hip web services: Larry Halff and Todd Sieling from Ma.gnolia, Leah Culver from Pownce, Kellan Elliott-McCrea from Flickr, Messina of Citizen Agency, MySQL guru Mark Atwood, plus contributors from Google, Six Apart, Jaiku, Yedda and Twitter, among others.
