InfoQ

News

OAuth Gaining Momentum

Posted by Charles Humble on Jun 10, 2008 04:00 PM

Community
Java,
SOA
Topics
Security
In a recent blog post Jeff Altwood of Coding Horror fame described an increasingly common, but highly undesirable, practice amongst web site developers; that of asking for your email user name and password so that the service can look through your email contacts to see if any of your contacts also use the service. Jeff illustrates this using Yelp, but he could just as well have used LinkedIn (see below) or any number of other web sites.
LinkedIn - Build your network

 

In typically forthright style, Jeff goes on to highlight why this is such a problem. In short “they have effectively asked for the keys to my house in order to riffle through my address book.”

A number of companies and individuals are working on solutions to this problem including Google, Yahoo and Microsoft, as well as the OAuth project. Initiated by Blaine Cook, Chris Messina, Larry Halff and David Recordon, OAuth aims to provide an open standard for API access delegation. The OAuth discussion group was founded in April 2007 to provide a mechanism for this small group of implementers to write the draft proposal for the protocol. During development significant contributions were received from Eran Hammer-Lahav and Google's DeWitt Clinton. The version 1.0 specification was formally released on December 4th 2007.

At a high level OAuth works as follows:

  1. Your site has established a relationship with various webmail service providers.
  2. You share a pass-phrase, or a public key, that you can use to gain access to the web contacts.
  3. You re-direct the user to the login page for their webmail service provider.
  4. The user signs in and tells the webmail service provider that is OK for your site to access their address book.

OAuth is already gaining considerable momentum, with implementations for many popular languages including Java, C#, Objective-C, Perl, PHP and Ruby. The majority of these implementations are hosted by the OAuth project via a Google Code repository. Ryan Heaton has implemented OAuth for Spring security which can be found here. Sites supporting OAuth include Twitter, Ma.gnolia and Google (Alpha launch post here).

No comments

Reply

Exclusive Content

SOA Governance: An Enterprise View

Michael Poulin explains the necessity for SOA governance to ensure an Enterprise SOA's success, relying on concepts from the OASIS SOA Reference Model and Reference Architecture.

Developing Portlets using JSF, Ajax, and Seam (Part 2 of 3)

This article covers setting up a RichFaces portlet using JBoss Portlet Container and JBoss Portlet Bridge, deploying a RichFaces portlet, and RichFaces capabilities.

Scalability Worst Practices

This article discusses scalability worst pratices including The Golden Hammer, Resource Abuse, Big Ball of Mud, Dependency Management, Timeouts, Hero Pattern, Not Automating, and Monitoring.

Do the Hustle

Obie Fernandez shares his experience selling consulting services for both Thoughtworks and Hashrocket and give tips how Ruby developers can work with clients.

Natural Laws of Software Development - Deriving Agile Practices

Jeffries and Hendrickson derive Agile practices from the natural laws of software development. They don't just say "Be Agile!", but they explain why Agile practices make perfect sense.

Jinesh Varia About Amazon Alexa Web Service's Architecture

Jinesh Varia talks about the architecture of one of Amazon's web services called Alexa. Jinesh explains how Amazon has reached scalability, performance and reduced costs for the Alexa service.

"We Suck Less!" Is Not Enough

David Douglas and Robin Dymond discuss about companies adopting Agile, but don't go all the way, resulting in failure and rejection of it, and predictably having a negative impact on Agile's future.

The Development of a New Car at Toyota

Kenji Hiranabe talks about Toyota's development process of a new car. Kenji shares his experience meeting Nobuaki Katayama, former Chief Engineer at Toyota, and the lessons he learned from him.