OAuth

OAuth is a web-friendly, lightweight standard for authorization that allows a user to share private resources between internet services, e.g., allowing your favorite social networking site to access your photos from your favorite photo sharing site. OAuth is simple, avoids password proliferation, and allows a service to grant bare minimum privileges. If you are exposing your application’s data in a lightweight, web-friendly manner you should strongly consider using OAuth as your standard for authorization.

OAuth is a Web-based authorization protocol that allows applications to access a user’s secured resources in another application without the user having to share their private security credentials. Now an RFC, OAuth represents a significant standards-based attempt to improve privacy and security for Web browser and machine-based access to distributed Web resources. Library support is patchy and adopters can expect to spend some time wrangling their code to achieve true interoperability. OAuth 2.0 is due towards the end of 2010, with specific flows for Web applications, desktop applications, mobile phones, and household devices. Because OAuth 2.0 is not backwardly compatible with version 1 and the implementation challenges around the current version, OAuth is still in the assess ring.

The Web is a global data structure that enables us to share information. However not all data is meant to be shared by everyone and it’s important to be able to share information on the Web in a disciplined and governable manner without requiring massive centralized infrastructure. OAuth provides a way of sharing resources on the Web responsibly and securely. It is a Web protocol (for Web browsers or machine-to-machine interactions), which allows federated authorization of access to Web resources. What’s interesting is that OAuth is a simple protocol to implement and utilize and yet its design goals match many common enterprise authorization problems. OAuth remains in the assessment category, however, because it has fragmented, and the IETF has not yet drawn the community back together under an Internet RFC.