OAuth Spec 1.0 = More Personal Mashups?

John Musser, October 5th, 2007

A piece of the mashup puzzle that could lead to more interesting and useful applications has taken a step forward this week: the final draft of the OAuth specification is now available. What is it and why does it matter? Since there are already some very good explanations out there, here are the essentials drawn from Eran Hammer-Lahav and his OAuth series:

  • Shortest explanation possible: An API access delegation protocol
  • Your valet key for the web: Like the feature on many cars today where you give the parking attendant a special key that gives him some, but not all, access to your vehicle. On the Web you now hold your own keys to dozens of sites, but how should you handle the mashup-style case where site A wants you to grant it access to some of your data on site B? Ideally you don’t want to give site A your password to site B. OAuth aims to simplify this problem: “It allows you the User to grant access to your private resources on one site (which is called the Service Provider), to another site (called Consumer, not to be confused with you, the User).”
  • Versus OpenID: OAuth and OpenID are related but are not solving the same problem and do not depend upon one another. “While OpenID is all about using a single identity to sign into many sites, OAuth is about giving access to your stuff without sharing your identity at all (or its secret parts). If OAuth depended on OpenID, only OpenID services would be able to use it, and while OpenID is great, there are many applications where it is not suitable or desired. Which doesn’t mean to say you cannot use the two together. OAuth talks about getting users to grant access while OpenID talks about making sure the users are really who they say they are.”
  • History: Started with informal discussions in November 2006 about OpenID and delegated authentication; a Google group was started in April 2007, the initial spec was drafted this summer, and it is now at the 1.0 final draft.
  • Who’s going to be implementing it?: “At the time of writing this, we expect initial implementations from (in alphabetical order) Digg, Jaiku, Flickr, Ma.gnolia, Plaxo, Pownce, Twitter, and hopefully Google, Yahoo, and others soon to follow.”
  • Inputs: Given that this is not a new problem, the creators of this spec drew from a variety of related efforts including existing protocols like Yahoo BBAuth, Google Web Auth, Flickr API and others.
  • OAuth links: the OAuth spec and lots of related links.
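
The valet-key delegation described above, modelled as an added example (not code from this post or from the OAuth specification): a toy Service Provider issues a request token, the User approves it by logging in at the Service Provider, and the Consumer exchanges it for an access token limited to one resource. Class, method and sample-data names are assumptions, and the request signatures that real OAuth 1.0 requires are left out.

```python
import secrets

class ServiceProvider:
    def __init__(self):
        self._passwords = {"alice": "correct horse"}  # constructed sample data
        self._resources = {"alice": {"photos": ["beach.jpg"], "email": "alice@example.org"}}
        self._pending, self._access = {}, {}  # request tokens, access tokens

    def issue_request_token(self, consumer, scope):
        # 1. The Consumer (site A) asks for a request token; nothing is granted yet.
        token = secrets.token_hex(8)
        self._pending[token] = [consumer, scope, None]
        return token

    def authorize(self, request_token, user, password):
        # 2. The User logs in at the Service Provider itself and approves the request.
        stored = self._passwords.get(user)
        if stored is None or not secrets.compare_digest(stored.encode(), password.encode()):
            raise PermissionError("bad credentials")
        self._pending[request_token][2] = user

    def exchange(self, request_token):
        # 3. The Consumer swaps the approved request token (single use) for an access token.
        _consumer, scope, user = self._pending.pop(request_token)
        if user is None:
            raise PermissionError("request token was never approved")
        access = secrets.token_hex(8)
        self._access[access] = (user, scope)
        return access

    def get(self, access_token, resource):
        # 4. The access token opens only the resource the User approved.
        user, scope = self._access.get(access_token, (None, None))
        if user is None or resource != scope:
            raise PermissionError("not granted: " + resource)
        return self._resources[user][resource]

def denied(call, *args):
    try:
        call(*args)
    except PermissionError:
        return True
    return False

def demo():
    sp = ServiceProvider()
    request_token = sp.issue_request_token("site-a", "photos")
    sp.authorize(request_token, "alice", "correct horse")  # password goes to site B only
    token = sp.exchange(request_token)
    return sp.get(token, "photos"), denied(sp.get, token, "email")
```

The Consumer only ever holds `request_token` and `token`; the password appears solely in the call the User makes to the Service Provider.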

This very promising specification moved along quickly thanks to hard work and cooperation from those involved. This sort of standards effort and events like Data Sharing Summit are helping move the mashup ecosystem forward.

For more coverage see Marshall Kirkpatrick at Read/WriteWeb, Brady Forrest at O’Reilly Radar, Microsoft’s Dare Obasanjo, and Chris Messina.


9 Responses to “OAuth Spec 1.0 = More Personal Mashups?”

October 5th, 2007
at 2:57 am
Comment by: Joel Voss

I’m always weary of signing up for yet another service. It’ll be nice to be able to get access to some services using a more decentralized ID system. I hope this system isn’t used to transfer information seamlessly between sites though. It is a disturbing trend that each site wants to know about what you do on another site. Ease of use is a horrible reason to leak data improperly to sites that have not asked permission properly.

October 21st, 2007
at 6:22 am
Comment by: Open Ideas Sharing » Blog Archive » Personal mashup/dashbord/webpage/portal/blah blah blah…

[...] [2] OAuth Spec 1.0 = More Personal Mashups? [...]

April 28th, 2008
at 1:30 am
Comment by: OAuth Coming to All Google Data APIs

[...] which we covered last fall, is an API access delegation protocol that has been described as your valet key for the web: Like [...]

April 28th, 2008
at 3:54 pm
Comment by: [davidchiu ~]$ - Google to use OAuth for all Google API’s

[...] another technology I need to start looking into: OAuth. ProgrammableWeb describes it as: Like the feature on many cars today where you give the parking attendant a special [...]

June 27th, 2008
at 1:07 am
Comment by: OAuth Support at SmugMug

[...] OAuth Spec 1.0 = More Personal Mashups? [...]

May 3rd, 2010
at 1:28 pm
Comment by: OAuth is the New Hotness: 76 OAuth-enabled APIs

[...] hardly a new technology. We wrote about the spec for the first version in 2007, noting the potential for more personal mashups. It has been adopted by many services including the Twitter API and multiple APIs from both Google [...]

December 15th, 2011
at 12:30 pm
Comment by: Immobilienfinanzierung Rechner

Hey! I know this is somewhat off topic but I was wondering which blog platform are you using for this website? I’m getting tired of WordPress because I’ve had problems with hackers and I’m looking at alternatives for another platform. It would be awesome if you could point me in the direction of a good platform. Hauskreditrechner

December 15th, 2011
at 1:17 pm
Comment by: Kaffeevollautomaten Test

Hey! This post could not be written any better! Reading this post reminds me of my old room mate! He always kept talking about this. I will forward this write-up to him. Fairly certain he will have a good read. Thanks for sharing! Kaffeevollautomaten Test

December 18th, 2012
at 12:53 pm
Comment by: viagra online kaufen billig

Hey, this topic piques my interest; are there any somewhat newer “facts” yet?
Unfortunately I found rather little on your site.
