The distributed group of developers working on the OAuth spec (OAuth is about open, delegated authorization, despite often being filed under "authentication") have released what they hope will be the final draft of version 1.0. The spec defines a standardized way for an application to ask a user's permission to access that user's data held by another application, and for the data-holding service to communicate clear rules and options for which parts of that data may be accessed, all without the user handing their password to the requesting application.
The spec got a burst of publicity earlier this week when the widely used feed reader Bloglines announced that they intend to support it in addition to OpenID and the Attention Data standard APML.
In this post I offer a high-level overview of what OAuth does, in as much as I understand it, followed by some thoughts on the concepts from some helpful industry experts.
Standards are the railroad tracks to a potential explosion of innovation and OAuth aims to make mashups far easier to develop than ever before. The group of developers took what they believed to be the best qualities from a long list of other authentication protocols and created an open standard they believe will make mashups safer to use and simpler to develop.
Here's one example of what OAuth might look like. There are lots of services like Twitbin or Twitterrific that let you use your Twitter account in a much more powerful way outside of the Twitter web page. Today those applications ask for your Twitter username and password, though; OAuth will let these apps interact with Twitter without users exposing their full login credentials.
In keeping your password out of third-party hands, OAuth resembles OpenID, but it goes further: it lets the service that holds your data offer a set of rules and options for granting other applications access to selected parts of it. You could log in to Twitter through Twitterrific and give Twitterrific access only to read and write messages, not to change your profile page or your password, or do anything else it could in theory do today with full access to your account. Because the app ends up holding a token issued for that grant rather than your password, the service can also cut off that one app later without you having to change your password.
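Here is what that exchange looks like end to end, as an added example rather than code from the post, from Twitter, or from any OAuth library. It models OAuth 1.0 as then drafted: the app (the "consumer") signs each request with HMAC-SHA1 over a canonical form of the request, keyed by secrets in which the user's password never appears, and the data holder (the "service provider") verifies that signature, guards against replay, and checks the call against what the user actually approved. The hostnames, keys, secrets and permission names are made up; named permissions in particular are an assumption, since the 1.0 core spec leaves what a grant covers to the provider. The flow also omits the oauth_verifier that the later 1.0a revision added.

```python
# Added example, not code from the original post or from any OAuth library: the OAuth 1.0 three-legged
# flow with HMAC-SHA1 signing on the consumer side and verification on the provider side. Per-grant
# permissions such as "messages:write" are an assumption layered on top (scopes are not in the 1.0 core
# spec); hostnames, keys and secrets are made up for the example.
import base64, hashlib, hmac, secrets, time
from urllib.parse import quote


def pct(s):
    """RFC 3986 percent-encoding as OAuth 1.0 requires: only unreserved characters stay bare."""
    return quote(str(s), safe="-._~")


def base_string(method, url, params):
    """Signature base string: METHOD & enc(url) & enc(sorted encoded k=v pairs), signature excluded."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items() if k != "oauth_signature")
    return "&".join([method.upper(), pct(url), pct("&".join(f"{k}={v}" for k, v in pairs))])


def hmac_sha1(method, url, params, consumer_secret, token_secret=""):
    """HMAC-SHA1 over the base string, keyed with enc(consumer_secret)&enc(token_secret)."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()


def sign_request(consumer, method, url, token=None, token_secret="", nonce=None, ts=None, **extra):
    """Consumer side: assemble the oauth_* parameters plus request parameters and sign them.
    `consumer` is a (key, secret) pair; the user's password is never involved."""
    params = {"oauth_consumer_key": consumer[0], "oauth_signature_method": "HMAC-SHA1",
              "oauth_timestamp": int(time.time()) if ts is None else ts,
              "oauth_nonce": nonce or secrets.token_hex(8), "oauth_version": "1.0", **extra}
    if token:
        params["oauth_token"] = token
    params["oauth_signature"] = hmac_sha1(method, url, params, consumer[1], token_secret)
    return params


class Provider:
    """Provider side: knows consumer secrets, issues tokens, and enforces what the user granted."""
    def __init__(self, consumers, max_skew=300):
        self.consumers = consumers  # consumer_key -> consumer_secret, shared out of band
        self.request_tokens, self.access_tokens, self.seen, self.max_skew = {}, {}, set(), max_skew

    def _verify(self, method, url, params, token_secret=""):
        secret = self.consumers.get(params.get("oauth_consumer_key"))
        ts = int(params.get("oauth_timestamp", 0))
        replay_id = (params.get("oauth_consumer_key"), ts, params.get("oauth_nonce"))
        if secret is None or abs(int(time.time()) - ts) > self.max_skew or replay_id in self.seen:
            return False  # unknown consumer, stale timestamp or replayed nonce
        expected = hmac_sha1(method, url, params, secret, token_secret)
        if not hmac.compare_digest(expected, str(params.get("oauth_signature", ""))):
            return False
        self.seen.add(replay_id)
        return True

    def request_token(self, method, url, params):
        """Leg 1: consumer credentials alone yield a request token that no user has approved yet."""
        if not self._verify(method, url, params):
            raise PermissionError("bad signature on request-token call")
        tok, sec = secrets.token_hex(8), secrets.token_hex(16)
        self.request_tokens[tok] = {"secret": sec, "consumer": params["oauth_consumer_key"], "user": None}
        return tok, sec

    def authorize(self, request_token, user, scope):
        """Leg 2: the user, logged in at the provider, approves only the selected permissions."""
        self.request_tokens[request_token].update(user=user, scope=set(scope))

    def access_token(self, method, url, params):
        """Leg 3: swap an approved request token (one-shot) for an access token with its own secret."""
        rt = self.request_tokens.get(params.get("oauth_token"))
        if rt is None or rt["user"] is None or not self._verify(method, url, params, rt["secret"]):
            raise PermissionError("request token not approved or badly signed")
        del self.request_tokens[params["oauth_token"]]
        tok, sec = secrets.token_hex(8), secrets.token_hex(16)
        self.access_tokens[tok] = {**rt, "secret": sec}
        return tok, sec

    def protected(self, method, url, params, needs):
        """Serve a call only with a valid signature under the access token AND the needed permission."""
        at = self.access_tokens.get(params.get("oauth_token"))
        if at is None or at["consumer"] != params.get("oauth_consumer_key") \
                or not self._verify(method, url, params, at["secret"]):
            return 401, "bad token or signature"
        return (403, f"{needs} not granted") if needs not in at["scope"] else (200, f"{needs} ok")


def run_flow():
    """Walk the three legs, then try an in-scope call, an out-of-scope call and a tampered call."""
    app = ("twitterrific-key", "twitterrific-secret")
    svc = Provider({app[0]: app[1]})
    rt_url, at_url = "https://twitter.example/oauth/request_token", "https://twitter.example/oauth/access_token"
    rt, rts = svc.request_token("POST", rt_url, sign_request(app, "POST", rt_url))
    svc.authorize(rt, user="alice", scope={"messages:read", "messages:write"})  # profile:write withheld
    at, ats = svc.access_token("POST", at_url, sign_request(app, "POST", at_url, rt, rts))
    post_url, prof_url = "https://twitter.example/statuses/update", "https://twitter.example/account/profile"
    post = svc.protected("POST", post_url, sign_request(app, "POST", post_url, at, ats, status="hi"), "messages:write")
    prof = svc.protected("POST", prof_url, sign_request(app, "POST", prof_url, at, ats, name="Mal"), "profile:write")
    forged = sign_request(app, "POST", post_url, at, ats, status="hi")
    forged["status"] = "pwned"  # altering a signed parameter invalidates the signature
    return post[0], prof[0], svc.protected("POST", post_url, forged, "messages:write")[0]  # (200, 403, 401)
```

Calling `run_flow()` returns `(200, 403, 401)`: the message post goes through, the profile change is refused even though its signature is valid, and the tampered request fails at the signature check before permissions are consulted at all. The provider's nonce-and-timestamp bookkeeping is what stops a captured signed request from being replayed, which is why the consumer must send a fresh nonce on every call.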
Making open standards real doesn't sound like a lot of fun, but the OAuth group seems to have a good start. The spec is being worked on by people from Google, Amazon, Yahoo/Flickr, Six Apart and all three of the leading microblogging services. Implementation is expected soon by Netflix, Threadless, Bloglines, Twitter, Jaiku, Pownce, Ma.gnolia and others.
Agreeing on the final draft of the 1.0 spec is probably the last thing companies are waiting on, and that agreement is happening a lot faster with OAuth than it did with OpenID 2.0, for example. Scott Kveton, Chairman of the Board of the OpenID Foundation, told me he thinks OAuth is another exciting move towards data portability and user control. He said that the small group involved in the spec is a real benefit when it comes to speed of development, but that they will still have to struggle with IP like copyright before implementation really takes off with large players.
Oren Michels, of the recently funded API management service Mashery, says that OAuth could save his team a lot of valuable time currently spent working with the particulars of each non-standard API. He also told me, though, that many of his customers already have their own APIs built and would not likely go back and make them standards compliant. Ultimately, he said, good APIs are more important than standards compliant ones. In the future, companies that learn about OAuth early in the development of their APIs could implement it if there's sufficient market adoption.
Finally, I talked to John Musser of API super-site Programmable Web. Musser said that he's long argued that security is the number one barrier to further mashup proliferation and OAuth appears to address that well. "Higher value, 'personal mashups' require access to more interesting data than you can get without some secured access," he said, "but of course it's also an area lacking in standards, certainly from the perspective of the current generation of web 2.0 APIs." Musser also agreed with Michels that good APIs are more important than standards; he said that mashups are perfectly buildable today with the current circumstances but that a standard like OAuth could make a big difference by easing the complexity for developers.
Only time will tell whether OAuth has legs - but given the parties participating and the potential power of the standard, it may not take too much time to get a good look into the future.
Comments
Marshall, can you clarify what this means?
"...they will still have to struggle with IP like copyright before implementation really takes off with large players."
Posted by: Jim Hathaway | October 4, 2007 12:09 PM
Awesome ! ... I propose the new title "Read-Write-Wall" or "Programmable Wall"
As a result of some new prototypes:
http://www.youtube.com/watch?v=etBpUcNGVlU
http://www.youtube.com/watch?v=MKxxzu00zx8
LOL.. the kids loved it !
Posted by: Rich White | October 4, 2007 12:13 PM
Jim, my understanding of this, and perhaps others will chime in, is that when developing standards like this there's documentation, possibly certification, logos, and a bunch of other assets that could potentially become proprietary to one vendor, or be maintained as community assets - those kinds of questions have to be answered.
Posted by: Marshall Kirkpatrick | October 4, 2007 12:14 PM
"OAuth." Good grief. That's the worst neologism in a decade of horrible neologisms. How are you even supposed to pronounce that? An acronym that you need to puzzle out is not a great mnemonic. Oath? Ow-th? Owe-oth? Eesh. I'll call it . . . Nanette Fabray!
Posted by: Curt | October 4, 2007 12:24 PM
Marshall, this is good news for players like us (Grazr) that aim to be as interoperable as possible. Now that Grazr 2.0 is launched, one of the things we've got on our list to start exploring is open user and API authentication.
We were going to start looking at OpenID, but OAuth also sounds interesting. When we were building out our mashup-like tools, authentication of APIs was one of the trickiest parts, requiring a Grazr-maintained local store of API keys / passwords. It almost became a big enough project to be its own company (à la Mashery), so we backed off of authenticated API aggregation (for now).
Posted by: Michael Kowalchik | October 4, 2007 12:31 PM
@Michael K. - OAuth is not really an alternative to OpenID; rather, they are very complementary protocols.
OpenID is more for verifying a user, OAuth is for verifying what that user has access to. Ideally a site would support OpenID for sign-in and then OAuth for transporting bits.
Posted by: Kevin Fox | October 4, 2007 12:43 PM
Fire in the hole? ;) OAuth should make new APIs that much easier.
I assume that like OpenID there'll likely be something like an IPR Policy published for the IP issues.
Posted by: Pádraic Brady | October 4, 2007 12:48 PM
@Curt: I hear ya, but a couple points. The project was originally called OpenAuth, but before we released anything, AOL came out with OpenAuth, so we had to rename. We decided to truncate it to OAuth since the domains were still available!
As for pronunciation, it was originally "oath" but over time it's reverted to "Oh Auth" to make it clear that this is an authentication protocol. It's really only for geeks anyway, since regular folks will only experience implementations in the wild, rather than, for example, getting an "OAuth" (as in "an OpenID").
I should also point out that OAuth is compatible with OpenID -- in fact, down right complementary. We designed it to work with any form of identification and purposely didn't specify how Service Providers should deal with that.
Posted by: Chris Messina | October 4, 2007 12:50 PM
While it's not the greatest name, keep in mind that it is a developer protocol, unlike OpenID which has marketing needs to get end-users. OAuth should be invisible to most end-users.
Posted by: Eran Hammer-Lahav | October 4, 2007 12:59 PM
Curt, the word "OAuth" wasn't our first choice, but AOL had just grabbed the word "OpenAuth" just shortly before we started work, so we had to come up with another one.
Posted by: Mark Atwood | October 4, 2007 1:08 PM
This is a topic that I've been having strong feelings about for some time.
Finally, there's some real movement and with any luck, sustained traction.
However, no matter how good the idea is, adoption is vital. And because of the way the web is balanced these days, change could come from the bottom up — specifically via the microformats — removing indecision as an option in the minds of the bigger players and forcing their hands...
Posted by: Wayne Smallman | October 4, 2007 1:18 PM
We plan on implementing OAuth with Engagd.com ASAP to help with easy mashups using APML/Attention Data.
Posted by: Chris Saad | October 4, 2007 4:19 PM